Researchers Monday suspected the Chinese espionage group Spiral of two intrusions in 2020 to a SolarWinds Orion server that were linked to each other but not to the infamous SolarWinds attack attributed to Russia.
In a blog, the Secureworks Counter Threat Unit (CTU) reported that Spiral exploited an internet-facing SolarWinds server to deploy the Supernova web shell. The researchers said the threat actor exploited a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148) to execute a reconnaissance script and then write the Supernova web shell to disk. The vulnerability could let a remote attacker bypass authentication and execute API commands, which may result in a compromise of the SolarWinds instance.
Secureworks discovered the attacks in November 2020 while working on an incident response for one of its customers. It was during the IR engagement that it also found the first attack, which was on the same network earlier in 2020. The second attack happened in late 2020.
Analysis from the Secureworks CTU team indicates that both of these attacks by Spiral are unrelated to the Sunburst supply-chain attack that injected Trojans into SolarWinds Orion business software updates.
Based on the ongoing trends and the recent SolarWinds hack, seeing an internet-facing SolarWinds server deploy the Supernova web shell was not surprising, said Michael Isbitski, technical evangelist at Salt Security.
“We’ll likely continue to see campaigns and parallel attacks similar to this one, that victimize unpatched APIs to bypass authentication,” Isbitski said. “This kind of attack falls into the OWASP API Security Top 10 risks, where unpatched or misconfigured API authentication lets attackers compromise authentication tokens or exploit implementation flaws to gain access to and compromise a system.”
Isbitski said these findings should serve as a stark reminder about the critical importance of patching. He said organizations can no longer delay patching critical, known vulnerabilities because of concerns over outages, the impact on production users or the loss of oversight of a system.
“Unpatched systems are leaving important elements of the IT stack vulnerable, especially APIs, which attackers are increasingly targeting these days since they route traffic directly to valuable data and services,” Isbitski said. “This kind of activity looks to be an emerging signature of the group behind this attack, so organizations need to be increasingly vigilant about such vulnerabilities.”