Supernova malware clues link Chinese threat group Spiral to SolarWinds server hacks
On Monday, Secureworks' Counter Threat Unit (CTU) said it had found links between the Supernova web shell activity on SolarWinds servers and a Chinese APT group it tracks as Spiral. According to the researchers, in late 2020 an attacker compromised an internet-facing SolarWinds Orion server and used it to deploy Supernova, a .NET web shell. Similarities to an earlier intrusion on the same network, which Secureworks had attributed to Spiral, point to the same group being behind both.
According to Secureworks, Spiral has actively exploited an authentication bypass vulnerability in the SolarWinds Orion API that lets a remote, unauthenticated attacker execute API commands. The Supernova web shell is designed to maintain persistence on the compromised server while leaving little forensic evidence behind. Secureworks cautions that the attribution to Spiral rests on the evidence gathered during this investigation and is assessed as likely rather than certain.