Microsoft and other security researchers has discovered additional malware that also affects the SolarWinds Orion platform, the company posted in a security blog late Friday.
The news came just days after security researchers disclosed a massive hacking campaign utilizing the same IT management software from SolarWinds that so far has impacted several high-profile U.S. government agencies, tech companies and other organizations. Nearly 18,000 SolarWinds customers are thought to have been using the compromised software.
Now, there’s believed to be something else to worry about, as Microsoft’s security team says there is another set of malware that was introduced into the SolarWinds Orion platform.
However, the malware is likely unrelated to the backdoor that was the subject of last week’s security disclosures and media reports. Further, it’s likely used by a different threat actor.
The malware is a small persistence backdoor via a DLL file named pp_Web_logoimagehandler.ashx.b6031896.dl, and it is programmed to allow remote code execution through SolarWinds web application server when installed in the folder “inetpub\SolarWinds\bin\”, according to Microsoft.
In a detailed analysis of this malware, Palo Alto Networks is calling this vulnerability SUPERNOVA.
Unlike Solorigate – which Microsoft and other security experts are calling the first identified compromise of SolarWinds’ product – this malicious DLL has no digital signature, suggesting it is unrelated to that supply chain compromise.
“Nonetheless, the infected DLL contains just one method (named DynamicRun), that can receive a C# script from a web request, compile it on the fly, and execute it,” according to Microsoft.
Related: The Dark Side of Deep Learning – When Malware Attacks
This gives an attacker the ability to send and execute arbitrary C# program on a victim’s device.
More details on how SolarWinds’ Orion platform was used in the attacks are emerging by the hour, as is the list of victims that were further breached. The cyber actors are believed to be backed by a nation-state – purportedly Russia – and were likely only seeking to penetrate the networks of high-value targets like the defense industry, top levels of the U.S. government and other tech companies that could provide additional attack access.
We’ll continue to keep you updated so you know how to keep your organizations secure from these threats.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply