It has been revealed that a Chinese hacking group also planted malware on the SolarWinds product, in the shadow of the large-scale hack by a Russian government-backed group that abused the same SolarWinds product.



In December 2020, it came to light that a hacking group believed to be backed by the Russian government had used 'Orion Software', provided by cyber security company SolarWinds, to break into U.S. government agencies and large companies. Separately from that massive supply chain attack, a Chinese hacking group has now also been reported to have placed malware on Orion Software installations.

SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group Blog | Secureworks
https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group



Attacks on SolarWinds Servers Also Linked To Chinese Threat Actor | The Record by Recorded Future
https://therecord.media/attacks-on-solarwinds-servers-also-linked-to-chinese-threat-actor/

Hackers hiding Supernova malware in SolarWinds Orion linked to China
https://www.bleepingcomputer.com/news/security/hackers-hiding-supernova-malware-in-solarwinds-orion-linked-to-china/

The attack reported in December 2020, attributed to a group believed to be supported by the Russian government, tampered with the Orion Software update file and added malware that installed a backdoor. Many U.S. government agencies and private companies installed the update in question, and Microsoft President Brad Smith called it 'one of the most serious cyberattacks I've seen in the last decade.'

What is the attack on SolarWinds' Orion Platform, which Microsoft president says is 'one of the most serious cyberattacks in the last decade?' --GIGAZINE



Meanwhile, a few days after the large-scale attack on US government agencies was reported, Microsoft suggested that there could be a 'second attacker' who had also abused Orion Software. This second attacker reportedly delivered a web shell called 'SUPERNOVA' through Orion Software.

There was a 'second attacker' in the hack exploiting SolarWinds products, Microsoft suggests - CNET Japan
https://japan.cnet.com/article/35164204/



Initially, security researchers believed that the attacks using SUPERNOVA were also part of the campaign by the Russian government-backed group. However, Microsoft's security team stated in a December report that SUPERNOVA was not part of the supply chain attack but a separate attack by an independent hacking group.

Rather than compromising the Orion Software update infrastructure as the Russia-linked group did, the attacker using SUPERNOVA is said to have exploited an authentication bypass vulnerability in the Orion Software API. SUPERNOVA functioned as a backdoor on the Orion Software platform, letting the attacker reach the internal network and steal data. The distinction matters for defenders: patching the API flaw and checking Orion servers for the web shell addresses SUPERNOVA, whereas the supply chain attack required treating the vendor-supplied update itself as compromised.

Later, a report published by cybersecurity firm Secureworks on March 8, 2021 stated that the attacks using SUPERNOVA were linked to a group tracked under the codename 'Spiral.' Spiral had been found attacking ManageEngine, the management software provided by Zoho, in August 2020, and Secureworks says it confirmed similarities between the techniques used in the SUPERNOVA activity and those used in the ManageEngine intrusion.

According to Secureworks, a Chinese IP address was observed on the infrastructure used in Spiral's past attacks. Since the exposure of this IP address was likely unintentional rather than deliberate, Secureworks researchers point out that 'characteristics of the activity suggest that the group is based in China.' Secureworks does not say whether Spiral is backed by the Chinese government or is simply a financially motivated cybercriminal organization.

In recent years, cyber attacks by hacker groups backed by the Chinese government have been increasing, and it has been pointed out that more than 30,000 organizations have already been hacked in attacks exploiting vulnerabilities in Microsoft's e-mail product, Exchange Server.

US government issues an emergency directive over a cyber attack by China, with more than 30,000 organizations reportedly already hacked --GIGAZINE



in Software, Security, Posted by log1h_ik