CISA warns of credential theft via SolarWinds and PulseSecure VPN

Attackers targeted both the Pulse Secure VPN appliance and the SolarWinds Orion platform in an organization, the U.S. government said in an incident report last Thursday.

Enterprises have been rocked by reports of cyberattacks involving mission-critical platforms over the past year. In the past few months, security teams have been busy investigating a growing list of cyberattacks and vulnerabilities to figure out whether they were affected and to apply fixes or workarounds as needed. The supply chain attack and compromise of the SolarWinds Orion platform reported at the beginning of the year was just the beginning. Since then, there have been reports of attacks against Microsoft Exchange, the Sonicwall firewall, and the Accellion firewall, to name just a few. Defenders also have a long list of critical vulnerabilities to patch, which have been found in multiple widely used enterprise products, including Vmware and F5’s BIGIP appliance.

Chained vulnerabilities

The alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an unsettling reminder that attackers often chain vulnerabilities in multiple products to make it easier to move around within the victim network, cause damage, and steal information.

Compromising the Pulse Secure virtual private network appliance gave attackers initial access to the environment. SolarWinds Orion platform has been used to perform supply chain attacks.

In the incident report, CISA said the attackers initially obtained credentials from the victim organization by dumping cached credentials from the SolarWinds appliance server. The attackers also disguised themselves as the victim organization’s logging infrastructure on the SolarWinds Orion server to harvest all the credentials into a file and exfiltrate that file out of the network. The attackers likely exploited an authentication bypass vulnerability in SolarWinds Orion Application Programming Interface (API) that allows a remote attacker to execute API commands, CISA said.

The attackers then used the credentials to connect to the victim organization’s network via the Pulse Secure VPN appliance. There were multiple attempts between March 2020 and February 2021, CISA said in its alert.

Supernova malware

The attackers used the Supernova malware in this cyberattack, which allowed them to perform different types of activities, including reconnaissance to learn what’s in the network and where information is stored, and to move laterally through the network. This is a different method than was used in the earlier SolarWinds cyberattack, which compromised over 18,000 organizations.

“Organizations that find Supernova on their SolarWinds installations should treat this incident as a separate attack [from Sunburst],” CISA wrote in a four-page analysis report released Thursday.

It appears the attackers took advantage of the fact that many organizations were scrambling in March 2020 to set up remote access for employees who were suddenly working from home because of the pandemic. It’s understandable that in the confusion of getting employees connected from completely different locations, the security team missed the fact that these particular remote connections were not from legitimate employees.

None of the user credentials used in the initial compromise had multi-factor authentication enabled, CISA said. The agency urged all organizations to deploy multi-factor authentication for privileged accounts, use separate administrator accounts on separate administrator workstations, and check for common executables executing with the hash of another process.

While CISA did not attribute the combined cyberattack to anyone in its alert, it did note that this cyberattack was not carried out by the Russian foreign intelligence service. The U.S. government had attributed the massive compromise of government and private organizations between March 2020 and June 2020 to the Russian Foreign Intelligence Service (SVR). Security company FireEye last week said Chinese state actors had exploited multiple vulnerabilities in Pulse Secure VPN to break into government agencies, defense companies, and financial institutions in the U.S. and Europe. Reuters said Supernova was used in an earlier cyberattack against the National Finance Center — a federal payroll agency inside the U.S. Department of Agriculture — reportedly carried out by Chinese state actors.