March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – Exploitation of Pulse Connect Secure Zero-Day – Active IOCs
April 23, 2021
Rewterz Threat Advisory – CVE-2021-26291 – Apache Maven security bypass
April 26, 2021
Rewterz Threat Alert – Exploitation of Pulse Connect Secure Zero-Day – Active IOCs
April 23, 2021
Rewterz Threat Advisory – CVE-2021-26291 – Apache Maven security bypass
April 26, 2021
Severity
High
Analysis Summary
SUPERNOVA malware is a relatively new malware that is linked with SolarWinds Orion and Pulse Secure Virtual Private Networks (VPNs). In the beginning, the SolarWinds Orion tech was being targeted to install the malware separately onto servers that needed unauthorized access to the system network.
As the previous alert explained: “The SUPERNOVA malware consisted of two components. The first was malicious, unsigned [.NET] webshell… specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.”
US IP addresses were used by threat actors to masquerade as teleworking employees. Pulse Secure VPN appliances were the initial door for the malware to enter, and it was laterally moved to the SolarWinds Orion Server. The threat actors exploited CVE-2020-10148, an authentication bypass flaw in the SolarWinds Orion API that enabled them to execute API commands. The API was exploited and used to run commands.
Impact
Remote Access
Affected Vendors
- Pulse Connect
- SolarWinds
Indicators of Compromise
IP
- 207[.]89[.]9[.]153
- 24[.]140[.]28[.]90
- 24[.]117[.]18[.]111
Remediation
Refer to ICS advisory for the complete list of mitigations and recommendations.