EXECUTIVE SUMMARY:

A second cyber threat may have been interwoven within the initial SolarWinds Sunburst attack. This threat leverages SolarWinds’ software to deliver a piece of malware known as Supernova. The malware can remotely distribute C# code that is aggregated and then sent to victims’ machines.

Supernova malware: Acknowledged by SolarWinds?

SolarWinds has acknowledged the Supernova malware. The Supernova malware is sophisticated in its parameters and in its flexibility and execution.

Says the company, “The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll ‘app_web_logoimagehandler.ashx.b6031896.dll’ specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. The vulnerability in the Orion Platform has been resolved in the latest updates.”
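The statement above gives defenders two concrete things to look for on an Orion host: a DLL with that exact file name, and the fact that the malicious copy is unsigned. The following PowerShell hunt is an added example for this page, not SolarWinds' own tooling; the search roots are assumptions about a typical Orion install and should be adjusted to the local layout.

```powershell
# Added example (not SolarWinds' code): locate any copy of the SUPERNOVA webshell DLL
# named in the SolarWinds statement and report whether it carries a valid Authenticode
# signature. Search roots are an assumption about a default Orion install; adjust as needed.
param(
    [string[]]$SearchRoots = @("C:\inetpub\SolarWinds", "C:\Program Files (x86)\SolarWinds")
)

# File name quoted in the SolarWinds statement; the malicious copy is described as unsigned.
$TargetName = "app_web_logoimagehandler.ashx.b6031896.dll"
$Findings   = @()

foreach ($root in $SearchRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter $TargetName -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $Findings += [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                LastWrite = $_.LastWriteTimeUtc
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                SigStatus = $sig.Status                     # 'NotSigned' matches the advisory's description
                Signer    = $sig.SignerCertificate.Subject  # empty when there is no signature
            }
        }
}

if ($Findings.Count -eq 0) {
    Write-Output "No file named $TargetName found under the searched roots."
} else {
    $Findings | Format-Table -AutoSize
    # Any copy that is not validly signed should be preserved as evidence and escalated,
    # rather than deleted in place, so incident responders can examine it.
    $unsigned = @($Findings | Where-Object { $_.SigStatus -ne 'Valid' })
    if ($unsigned.Count -gt 0) {
        Write-Warning "$($unsigned.Count) copy/copies of $TargetName are not validly signed."
    }
}
```

The hash column is for sharing with your incident response team; this page does not publish a reference hash, so no value is hard-coded here.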

How has SolarWinds responded?

SolarWinds has published two “hotfix updates” that include security upgrades, preventing Supernova exploits within certain versions of its products. SolarWinds advises customers to switch to its latest software versions in order to maximize safeguards in relation to the Sunburst vulnerability and the Supernova malware.

In addition, SolarWinds is offering customers free consulting services to mitigate any issues caused by the Supernova malware. “The company wants to make sure that customers working to secure their environments have the help and assistance they need from knowledgeable resources,” said a SolarWinds spokesperson.

The hackers involved in the SolarWinds breach displayed a high degree of technical know-how. Cyber security experts and federal agencies are still working to untangle the full implications of the SolarWinds global intrusion campaign.

For more on the Supernova malware, visit Bleeping Computer. For background information pertaining to the SolarWinds story, see Cyber Talk’s past coverage.