Skip to main content

Another top VPN is reportedly being used to spread SolarWinds hack

Privacy
(Image credit: Shutterstock / Valery Brozhinsky)

Threat actors used the Pulse Secure VPN appliance to install the Supernova webshell in a victim’s SolarWinds Orion server, and collect user credentials without permission, a new warning has said.

According to a recent advisory put out by the US Cybersecurity and Infrastructure Security Agency (CISA), this appears to be the first observed instance of a threat actor injecting the Supernova webshell directly into a victim’s SolarWinds installation.

The attack is significant as it deviates from the vector used in the earlier SolarWinds attack. Instead of tainting the supply chain, the attackers in the latest attack installed the webshell by directly logging into the victim’s SolarWinds server.

TechRadar needs you!

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

“CISA assesses this is a separate actor than the APT actor responsible for the SolarWinds supply chain compromise. Organizations that find Supernova on their SolarWinds installations should treat this incident as a separate attack,” writes CISA in its latest advisory.

New attack vector

The SolarWinds attack that came to light in December 2020 injected malicious updates into the SolarWinds software. The US has pinned the attack on state-sponsored Russian threat actors and there have been several repercussions including sanctions on Russian companies and the expelling of Russian diplomats.

There have been several mitigations to protect SolarWinds servers from compromise. However the new CISA advisory suggests that threat actors have adopted a new tactic. 

In its analysis, CISA observes that the threat actor used the Pulse Secure VPN appliance to connect to the victim’s servers between at least March 2020 and February 2021.

Although CISA notes that attackers authenticated with the Pulse Secure VPN appliance using stolen credentials to masquerade as teleworking employees, cybersecurity firm Ivanti last week acknowledged a flaw in its Pulse Connect Secure VPN devices. The company said the flaw had been exploited by threat actors to move into the systems of “a very limited number of customers".

While CISA has only observed the new attack strategy against a single victim, it stands to reason that there might be several more. Alarmingly from CISA’s breakdown of the attack it appears to be immune to any of the mitigations for the SolarWinds supply-chain attack.

Via VentureBeat