Well-known VPN used to steal credentials on SolarWinds servers

by Sinziana Mihalache
Sinziana Mihalache
Sinziana Mihalache
Sînziana loves getting people to better understand products, processes, and experiences beyond a simple user guide, either in writing or making use of images. She joined the team... read more
Affiliate Disclosure
  • A SolarWinds attack using VPN to inject malware is detailed in a recent CISA report.
  • The attackers took advantage of several vulnerabilities and injected a webshell to obtain credentials.
  • The hackers planning the SolarWinds Orion attack disguised as teleworkers.
  • CISA offers several recommendations for organizations to prevent such security breaches in the future.
VPN used for cyberattack on solarwinds devices

A recent Cybersecurity and Infrastructure Security Agency (CISA) report shows how hackers connected to the SolarWinds Orion server via a popular virtual private network, installed malware known as Supernova, and collected the victims’ credentials.

The VPN depolyed is Pulse Secure. The cyberattack qualified as an advanced persistent threat started back in Mach 2020 and lasted until February 2021.

Cybercriminals used yet another new method

new cyberattack method with vpn

According to CISA, the attackers used a new hacking approach: the Supernova (a .NET webshell) was placed directly on the SolarWinds server making it look as if part of the system.

The threat actor connected via the U.S.-based residential IP addresses […] which allowed them to masquerade as teleworking employees. (Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor.)

The hackers also took advantage of the fact that the victims didn’t use a two-factor authentication method on their VPNs.

Once authenticated, the attackers used a virtual machine to move laterally to the victim’s SolarWinds Orion software and install Supernova via a PowerShell command, the report explains.

The SUPERNOVA webshell allows a remote operator to dynamically inject C# source code into a web portal provided via the SolarWinds software suite. The injected code is compiled and directly executed in memory.

While VPNs provide an extra layer of security, they don’t act the same as antivirus software or as a firewall.

That is why CISA recommends that all organizations use not only multiple factor authentication methods, but also several cyber-protection tools within the same network, all of them up to date.

Similarly, the company’s workstations and servers should be updated and equipped with only the necessary software. Regular users should not have admin privileges, especially when it comes to installing third-party apps.

You can read more about CISA’s full recommendations and the entire threat scenario in the above-mentioned report.