Security Experts:

Connect with us

Hi, what are you looking for?



New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds

A piece of malware named by researchers Supernova and a zero-day vulnerability exploited to deliver this malware indicate that SolarWinds may have been targeted by a second, unrelated threat actor.

A piece of malware named by researchers Supernova and a zero-day vulnerability exploited to deliver this malware indicate that SolarWinds may have been targeted by a second, unrelated threat actor.

When FireEye disclosed details of the attack on SolarWinds in early December, in addition to the Sunburst backdoor, it mentioned a piece of malware named Supernova. However, further analysis has led researchers to believe that Supernova is not related to Sunburst.

Supernova has been described by Palo Alto Networks as a sophisticated, in-memory .NET web shell that can allow attackers to conduct reconnaissance and lateral movement, among other activities.

Supernova was initially believed to be linked to the SolarWinds supply chain attack, which involved trojanized updates for the company’s Orion monitoring platform and the delivery of the Sunburst backdoor. However, now, Microsoft, Palo Alto Networks, FireEye and others believe it may be unrelated to the supply chain attack and the work of a different threat actor.

“In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” Microsoft said in a recent blog post mentioning Supernova.

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

It has also come to light that Supernova, which is designed for use on SolarWinds’ Orion platform, exploited a previously unknown vulnerability for deployment. This zero-day flaw, tracked as CVE-2020-10148 and described by CERT/CC as an authentication bypass issue that can allow a remote attacker to execute API commands, has now been patched by SolarWInds.

“SUPERNOVA is not malicious code embedded within the builds of our Orion Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product,” SolarWinds said in an updated advisory.

It’s believed that a Russian state-sponsored threat group is behind the SolarWinds supply chain attack — although, U.S. President Donald Trump has suggested that it may have been a Chinese group. No information has been released regarding who may be behind the Supernova malware and exploitation of CVE-2020-10148.

Texas-based SolarWinds said the supply chain attack may have impacted up to 18,000 customers of its Orion product, but an analysis of the domain generation algorithm (DGA) used by the Sunburst malware indicated that the attackers may have actually been interested in only a few hundred victims.

In addition to several U.S. government agencies that have reportedly been hit, some major private sector companies, including Microsoft, Cisco and VMware, have admitted finding malware on their systems, but said impact was limited.

One of the most recent companies to confirm being targeted was CrowdStrike, which said the attackers attempted to hack its emails via Microsoft services, but the attempt apparently failed. However, CrowdStrike has released a free tool, named CrowdStrike Reporting Tool for Azure (CRT), which is designed to help organizations review permissions in their Azure AD environments when looking for configuration weaknesses. CrowdStrike released the tool after realizing during its investigation into the impact of the SolarWinds attack on its own systems that such reviews are not easy to conduct.

CISA also announced recently that it has released an open source tool designed to help security teams identify possibly compromised accounts and applications in their Azure and Microsoft 365 environments.

Related: Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank

Related: SolarWinds Likely Hacked at Least One Year Before Breach Discovery

Related: SolarWinds Claims Execs Unaware of Breach When They Sold Stock

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.