Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. The attacker(s) authenticated to the VPN appliance through several user accounts that did not have multi-factor authentication (MFA) enabled and were able to masquerade as legitimate teleworking employees.įrom there they moved laterally to its SolarWinds Orion server to establish a backdoor that would allow them to persist, so they could connect even if their initial point of entry was closed. CISA reports that it “does not know how the threat actor initially obtained these credentials” but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild, and which could leverage such an attack. According to its investigation, the threat actor connected to the entity’s network via a Pulse Secure Virtual Private Network (VPN) appliance. Pulse Secure VPNĬISA found that the attacker(s) had access to the enterprise’s network for nearly a year, between March 2020 and February 2021. The threat actors are believed to be different from the ones behind the infamous supply chain attack. So, SUPERNOVA is placed by a lateral movement inside a network and not considered as a part of the SolarWinds supply chain attack. The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to appear as part of the SolarWinds Orion monitoring product. In its analysis, the organization warns that this threat actor behind the compromise “targeted multiple entities in the same period”. These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise network. The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server.