A sophisticated hacking syndicate took advantage of Pulse Secure and a second SolarWinds Orion vulnerability for nearly a year to steal credentials, federal officials said.
The Advanced Persistent Threat (APT) group first connected to the unidentified victim’s network through a Pulse Secure virtual private network (VPN) appliance starting in March 2020 by masquerading as teleworking employees, the Cybersecurity and Infrastructure Security Agency said. From there, the hackers moved laterally to the victim’s SolarWinds Orion server, installed Supernova malware, and stole credentials.
CISA said this attack was not carried out by the Russian foreign intelligence service, which infamously injected Sunburst malware into a SolarWinds Orion update downloaded by nearly 18,000 customers between March 2020 and June 2020. Instead, Supernova is placed directly on a system that hosts SolarWinds Orion, and is designed to appear as part of the SolarWinds product, according to CISA.
“Organizations that find Supernova on their SolarWinds installations should treat this incident as a separate attack [from Sunburst],” CISA wrote in a four-page analysis report released Thursday. The APT group connected to the victim’s Pulse Secure VPN appliance from March 2020 through February 2021, and targeted multiple organizations during the same period, according to CISA.
The hackers authenticated to the Pulse Secure VPN appliance through several user accounts, none of which had multi-factor authentication enabled, according to CISA, which handled the incident response engagement. The agency said it doesn’t know how the adversary first obtained these employee credentials. Neither Pulse Secure nor SolarWinds immediately responded to CRN requests for comment.
China-linked hackers repeatedly took advantage of several known flaws and one newly discovered vulnerability in Pulse Secure VPN to break into government agencies, defense companies and financial institutions in the U.S. and Europe, FireEye reported Tuesday. Suspected Chinese hackers also exploited Supernova to compromise computers at the National Finance Center, Reuters reported in February.
In the attack revealed Thursday, CISA said the hackers used two methods to dump credentials from the SolarWinds appliance. First, CISA said the adversary gathered cached credentials used by the SolarWinds appliance server and network monitoring since the private key certificate was marked as exportable.
From there, CISA said the APT group disguised themselves as the victim’s logging infrastructure on the SolarWinds Orion server. This allowed the adversary to obtain additional credentials, dump the credentials into a file, and exfiltrate that file, according to CISA. Finally, CISA said the hackers cleared the Windows event logs for the date in question.
The APT group likely exploited an authentication bypass vulnerability in SolarWinds Orion Application Programming Interface (API) that allows a remote attacker to execute API commands, CISA said. The hackers likely leveraged this vulnerability to bypass the authentication to the SolarWinds appliance, and then used the Orion API to run commands with the same privileges as the SolarWinds appliance.
Several weeks later, CISA said the hackers connected again through the Pulse Secure VPN appliance and attempted to use credentials gained from the SolarWinds appliance. The APT group connected to one machine via Server Message Block, and then attempted to log in to an additional workstation, according to CISA.
On another occasion, CISA said the hackers connected to the victim’s environment via the Pulse Secure VPN and used Windows Management Instrumentation (WMI) to remotely launch a tasklist. The APT group archived credentials before exfiltration, and CISA said it observed disguised commands on both a server as well as a workstation.
Upon discovering the incident, the victim performed incident response in accordance with its plan, and CISA said its engagement with the organization is ongoing. In response, CISA urges all organizations to: deploy multi-factor authentication for privileged accounts; use separate admin accounts on separate admin workstations; and check for common executables executing with the hash of another process.
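As an added illustration of CISA's last recommendation (example code written for this page, not from CISA's report or the CRN article), the check below flags a running process whose executable hash belongs to a different known binary, the pattern of a renamed system tool posing as something else. The baseline digests and the process telemetry lines are constructed placeholders, not real hashes.

```python
from dataclasses import dataclass

# Constructed baseline: SHA-256 of known-good executables on a reference host.
# Placeholder digests; a real baseline would come from golden images or a vendor catalogue.
KNOWN_GOOD = {
    "svchost.exe": "a" * 64,
    "lsass.exe": "b" * 64,
    "tasklist.exe": "c" * 64,
    "rundll32.exe": "d" * 64,
}

# Constructed telemetry lines in the shape "pid=<n> name=<exe> sha256=<hex>".
SAMPLE_TELEMETRY = [
    "pid=812 name=svchost.exe sha256=" + "a" * 64,          # name and hash agree: benign
    "pid=4102 name=logcollector.exe sha256=" + "C" * 64,    # tasklist.exe renamed to look like logging
    "pid=5310 name=svchost.exe sha256=" + "f" * 64,         # unknown hash: not this check's job
]


@dataclass
class Finding:
    pid: int
    reported_name: str   # what the process calls itself
    matches_name: str    # which known binary the hash actually belongs to


def parse_line(line: str):
    """Split one telemetry line into (pid, lowercase name, lowercase hex digest)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return int(fields["pid"]), fields["name"].lower(), fields["sha256"].lower()


def find_masquerading(lines, baseline=KNOWN_GOOD):
    """Return a Finding for every process whose hash is a known binary under a different name."""
    hash_to_name = {digest.lower(): name for name, digest in baseline.items()}
    findings = []
    for line in lines:
        pid, name, digest = parse_line(line)
        owner = hash_to_name.get(digest)
        if owner is not None and owner != name:
            findings.append(Finding(pid, name, owner))
    return findings


if __name__ == "__main__":
    for f in find_masquerading(SAMPLE_TELEMETRY):
        print(f"pid {f.pid}: '{f.reported_name}' is really {f.matches_name}")
```

A process with an unknown hash (the third sample line) is deliberately not flagged here; that is a separate allow-list check, and the two are best run together.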