SUPERNOVA malware is a relatively new malware that is linked with SolarWinds Orion and Pulse Secure Virtual Private Networks (VPNs). In the beginning, the SolarWinds Orion tech was being targeted to install the malware separately onto servers that needed unauthorized access to the system network.
As the previous alert explained: “The SUPERNOVA malware consisted of two components. The first was malicious, unsigned [.NET] webshell… specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.”
US IP addresses were used by threat actors to masquerade as teleworking employees. Pulse Secure VPN appliances were the initial door for the malware to enter, and it was laterally moved to the SolarWinds Orion Server. The threat actors exploited CVE-2020-10148, an authentication bypass flaw in the SolarWinds Orion API that enabled them to execute API commands. The API was exploited and used to run commands.
Refer to ICS advisory for the complete list of mitigations and recommendations.