Connect with us

Hi, what are you looking for?


Application Security

APT Abuses Pulse Secure, SolarWinds Appliances at the Same Organization

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm for a new cyberattack in which both a Pulse Secure VPN appliance and the SolarWinds Orion platform were abused for malicious purposes.

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm for a new cyberattack in which both a Pulse Secure VPN appliance and the SolarWinds Orion platform were abused for malicious purposes.

Both the Pulse Secure virtual private network (VPN) appliances and the SolarWinds platform are known targets for threat actors: the former for initial access to an environment, and the latter for performing supply chain attacks.

The newly described attack, CISA warns, should not be attributed to the Russian Foreign Intelligence Service (SVR), which the United States and other countries hold accountable for the compromise of government and private organizations through the SolarWinds Orion platform.

As part of the incident, the threat actors that orchestrated the attack deployed onto the SolarWinds platform a piece of malware called Supernova, which is not related to the SolarWinds compromise.

[ SEE: Pulse Secure Zero-Day Flaw Actively Exploited in Attacks ]

Advertisement. Scroll to continue reading.

Initially identified in December 2020, the malware is deployed post compromise and allows the threat actor to perform reconnaissance and move laterally onto the environment, as well as to perform other activities.

From at least March 2020 through February 2021, CISA says, the APT leveraged several user accounts (none with multi-factor authentication (MFA) enabled) to connect to the victim environment via Pulse Secure VPN.

The attackers then moved laterally to the SolarWinds Orion appliance and deployed the Supernova webshell to “dynamically inject C# source code into a web portal provided via the SolarWinds software suite.”

CISA also notes that the attackers leveraged their access to dump credentials and that they likely exploited the CVE-2020-10148 authentication bypass vulnerability to execute API commands on the SolarWinds appliance.

“CISA had not observed the threat actor using privileged accounts prior to the credential dumps, and the account being used to connect to the SolarWinds appliance (via VPN) did not have sufficient privilege to access it,” the Agency says.

The APT connected to the environment on several occasions, attempted to use dumped SolarWinds credentials, as well as to further harvest and exfiltrate credentials.

Related: Microsoft: SolarWinds Hackers Attempted to Access Systems Until Jan 2021

Related: Russian Vendor Positive Technologies Dropped From MAPP Member List

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...