CISA Identifies SUPERNOVA Malware During Incident Response

This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.

The Cybersecurity and Infrastructure Security Agency (CISA) recently responded to an advanced persistent threat (APT) actor’s long-term compromise of an entity’s enterprise network, which began in at least March 2020. The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials.

SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials. (Note: for more information on SUPERNOVA, refer to Malware Analysis Report MAR-10319053-1.v1 – SUPERNOVA.) According to a SolarWinds advisory, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, an attacker places it directly on a system that hosts SolarWinds Orion, and it is designed to appear as part of the SolarWinds product.[1] CISA assesses this is a separate actor than the APT actor responsible for the SolarWinds supply chain compromise described in Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack.

This report provides tactics, techniques, and procedures (TTPs) CISA observed during an incident response engagement. (Note: this threat actor targeted multiple entities in the same period; some information in this Analysis Report is informed by other related incident response engagements and CISA’s public and private sector partners.) This APT actor has used opportunistic tradecraft, and much is still unknown about its TTPs.

For a downloadable copy of indicators of compromise (IOCs) associated with this malware, see AR21-112A.stix and Malware Analysis Report MAR-10319053-1.v1.stix.

From at least March 2020 through February 2021, the threat actor connected to the entity via the entity’s Pulse Secure VPN appliance (External Remote Services [T1133]). The threat actor connected via the U.S.-based residential IP addresses listed below, which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.)