Well-known VPN used to steal credentials on SolarWinds servers
Published on April 27, 2021
Key notes
A recent Cybersecurity and Infrastructure Security Agency (CISA) report shows how hackers connected to the SolarWinds Orion server via a popular virtual private network, installed malware known as Supernova, and collected the victims’ credentials.
The VPN deployed is Pulse Secure. The cyberattack, which qualifies as an advanced persistent threat, started back in March 2020 and lasted until February 2021.
Cybercriminals used yet another new method
According to CISA, the attackers used a new hacking approach: the Supernova webshell (a .NET webshell) was placed directly on the SolarWinds server, making it look as if it were part of the system.
The threat actor connected via the U.S.-based residential IP addresses […] which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.)
The hackers also took advantage of the fact that the victims didn’t use a two-factor authentication method on their VPNs.
Once authenticated, the attackers used a virtual machine to move laterally to the victim’s SolarWinds Orion software and install Supernova via a PowerShell command, the report explains.
The SUPERNOVA webshell allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory.
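Because the webshell compiles C# handed to it inside an HTTP request, one defensive check is to scan the web portal’s request logs for parameters that look like C# source. The script below is an added example, not code from the CISA report or from SolarWinds; the IIS-style log format, the handler path /Orion/Images/logo.ashx, the parameter names and the IP addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# C# source fragments that have no business appearing in a query string or form body.
CSHARP_MARKERS = re.compile(
    r"(using\s+System|namespace\s+\w+|public\s+class|static\s+void|"
    r"System\.Reflection|Process\.Start)"
)

# Constructed IIS-style lines: date time method uri-stem uri-query client-ip status.
# The handler path, parameter names and client IPs are invented for this example.
SAMPLE_LOG = """\
2021-03-01 10:15:02 GET /Orion/Login.aspx ReturnUrl=%2fOrion%2fSummaryView.aspx 198.51.100.23 200
2021-03-01 10:15:40 GET /Orion/Images/logo.ashx id=42&size=128 198.51.100.23 200
2021-03-01 10:16:11 POST /Orion/Images/logo.ashx code=using+System%3B+public+class+Run+%7B+public+static+void+Main%28%29%7B%7D+%7D&method=Main 203.0.113.7 200
"""

def parse_line(line):
    """Split one log line into named fields; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    keys = ("date", "time", "method", "stem", "query", "client_ip", "status")
    return dict(zip(keys, fields))

def csharp_marker(query):
    """Return the first C#-looking token found in the decoded parameters, or None."""
    if query == "-":  # IIS writes "-" when there is no query string
        return None
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            match = CSHARP_MARKERS.search(value)
            if match:
                return match.group(0)
    return None

def flag_suspicious(log_text):
    """Return (client_ip, method, stem, marker) for each request carrying C# source."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        marker = csharp_marker(rec["query"])
        if marker:
            hits.append((rec["client_ip"], rec["method"], rec["stem"], marker))
    return hits

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious request:", hit)
```

IIS logs record only the query string by default, so to apply the same check to POST bodies you need request logging from a WAF or reverse proxy in front of the portal.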
While VPNs provide an extra layer of security, they don’t act the same as antivirus software or as a firewall.
That is why CISA recommends that all organizations use not only multi-factor authentication methods, but also several cyber-protection tools within the same network, all of them kept up to date.
Similarly, the company’s workstations and servers should be updated and equipped with only the necessary software. Regular users should not have admin privileges, especially when it comes to installing third-party apps.
You can read more about CISA’s full recommendations and the entire threat scenario in the above-mentioned report.
Sinziana Mihalache
Sînziana loves getting people to better understand products, processes, and experiences beyond a simple user guide, either in writing or making use of images. She joined the team after a long-term collaboration with one of the world’s top cybersecurity companies - Bitdefender. Outside work, Sînziana enjoys climbing mountains, backpacking around the world, and writing about almost anything on her blog.