SUPERNOVA Trojan

SUPERNOVA is a sophisticated trojan first observed in December 2020 targeting SolarWinds Orion installations. Once deployed, it acts as a webshell that compiles and runs attacker-supplied code on the affected Orion server, giving the attacker control of the Orion installation and of the system it is running on, with the privileges of the Orion web application.


Affected platforms

The following SolarWinds Orion versions are known to be affected:

  • all 2018 and earlier releases
  • 2019.2
  • 2019.4 (HF5 and earlier)
  • 2020.2
  • 2020.2 HF1
  • 2020.2.1
  • 2020.2.1 HF1

Threat details

Introduction

SUPERNOVA is a trojan first observed in December 2020 that is installed on SolarWinds Orion servers by exploiting a vulnerability in Orion. It is not thought to have been delivered as a supply-chain attack, although it was found around the same time as the SUNBURST SolarWinds supply-chain compromise. Written in C# for .NET, it is intended to act as a webshell, although it shows a level of sophistication beyond most common webshell implants: rather than carrying a fixed set of commands, it compiles and executes arbitrary C# supplied by the attacker in each request.

SUPERNOVA appears to have been created by a group separate from the SolarStorm advanced persistent threat behind SUNBURST. Whether the two groups are connected has not been established.


Delivery

SUPERNOVA is deployed using a PowerShell script (observed as 1.ps1) that writes a trojanised copy of app_web_logoimagehandler.ashx.b6031896.dll onto a vulnerable Orion server. This DLL is the compiled ASP.NET handler behind the Orion web console's logoimagehandler.ashx endpoint, which is part of the Orion website and reachable by anything that can reach the web console. The trojanised version adds handling for four extra request parameters (codes, clazz, method and args); when all four are present, the handler treats them as attacker-supplied code to compile and run instead of serving an image.

Unlike SUNBURST, the trojanised SUPERNOVA DLL is not signed with a SolarWinds code-signing certificate, which is consistent with it not having come through SolarWinds' build process. A check of the Authenticode signature on the handler DLL is therefore a quick first triage step.


Activities

When a request arrives carrying all four parameters, the handler inserts their values into a template for a valid .NET program: codes supplies the C# source, clazz names the class to instantiate, method the method to call and args its arguments. The program is compiled in memory, so nothing new is written to disk and file-based scanning is unlikely to notice it, and the result of the call is written back into the HTTP response. SUPERNOVA does not beacon out to a command and control server; it is a passive implant that sits in the web application and waits for the attacker's next request.

Requests can be sent from anywhere that can reach the Orion web server, whether over the Internet or from an already compromised host inside the network. Because each request carries C# source that the affected system compiles and executes directly, the attacker is limited only by the privileges of the Orion web application's process.


Threat updates

Date        Update
3 Feb 2021  Further analysis by SolarWinds

This article has been updated with additional indicators of compromise that have been discovered and to clarify that SUPERNOVA is no longer thought to be a supply-chain attack.


Remediation advice

Affected organisations should ensure they have updated their vulnerable Orion installations to version 2020.2.4 or 2019.4.2. A temporary mitigation script for earlier versions is also available. Information on how to update or apply the temporary mitigation can be found in SolarWinds' security advisory.

Additionally, to prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

Any request to logoimagehandler.ashx whose parameters include all four of the following names (in any order, in the query string or the request body) indicates SUPERNOVA activity. A request carrying only some of them is not sufficient: the trojanised handler only compiles attacker code when all four are present, so detection should require the full set to avoid false positives on ordinary traffic to the handler.

  • args
  • clazz
  • codes
  • method

Host indicators

Filenames

  • 1.ps1
  • app_web_logoimagehandler.ashx.b6031896.dll
  • AssemblyInfo__.ini

SHA256 hashes

  • 290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • 02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1
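As a practical check against the network and host indicators above, the following Python hunt script is an added example written for this page; it is not NHS Digital or SolarWinds tooling. It assumes W3C extended-format IIS logs whose #Fields header includes cs-uri-stem and cs-uri-query (the IIS defaults), matches parameter names case-insensitively because ASP.NET does the same, and requires all four names before flagging a request. The log lines in the block are constructed sample data, and the directory passed to the hash scan is a placeholder to be replaced with the Orion web root.

```python
"""Hunt for SUPERNOVA indicators: the four-parameter request pattern in IIS
logs and the known DLL hashes on disk.

Added example for this page; not NHS Digital or SolarWinds tooling.
Assumptions: W3C extended-format IIS logs whose #Fields header includes
cs-uri-stem and cs-uri-query (the IIS defaults); parameter names are
matched case-insensitively because ASP.NET does the same.
"""
import hashlib
import os
import sys
from urllib.parse import parse_qs

# Indicators from the advisory above.
SUPERNOVA_PARAMS = {"args", "clazz", "codes", "method"}
SUPERNOVA_HANDLER = "logoimagehandler.ashx"
SUPERNOVA_SHA256 = {
    "290951fcc76b497f13dcb756883be3377cd3a4692e51350c92cac157fc87e515",
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
    "02c5a4770ee759593ec2d2ca54373b63dea5ff94da2e8b4c733f132c00fc7ea1",
}

# Constructed sample log (not real traffic). Only the second entry carries all
# four parameters; the third has three of them and must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-12-14 10:01:02 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=1 443 10.0.0.9 200
2020-12-14 10:02:15 10.0.0.5 GET /Orion/LogoImageHandler.ashx codes=dXNpbmc&clazz=X&method=Run&args=1 443 198.51.100.7 200
2020-12-14 10:03:40 10.0.0.5 POST /Orion/LogoImageHandler.ashx CLAZZ=X&Method=Run&codes=dXNpbmc 443 198.51.100.7 200
2020-12-14 10:04:01 10.0.0.5 GET /Orion/Login.aspx - 443 10.0.0.9 200
"""


def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated entry; do not guess columns
        yield dict(zip(fields, values))


def is_supernova_request(uri_stem, uri_query):
    """True when the request targets logoimagehandler.ashx and carries all four
    SUPERNOVA parameter names (any order, any case, any value)."""
    if not uri_stem.lower().endswith(SUPERNOVA_HANDLER):
        return False
    if uri_query in ("", "-"):  # IIS logs '-' for an empty query string
        return False
    names = {k.lower() for k in parse_qs(uri_query, keep_blank_values=True)}
    return SUPERNOVA_PARAMS <= names


def hunt_log(lines):
    """Return the log entries that match the SUPERNOVA request pattern."""
    return [e for e in parse_w3c(lines)
            if is_supernova_request(e.get("cs-uri-stem", ""),
                                    e.get("cs-uri-query", "-"))]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_dir(root):
    """Return paths under root whose SHA256 matches a known SUPERNOVA hash."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    digest = sha256_hex(f.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if digest in SUPERNOVA_SHA256:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for entry in hunt_log(SAMPLE_LOG.splitlines()):
        print("SUPERNOVA request:", entry["date"], entry["time"],
              entry["c-ip"], entry["cs-uri-query"])
    # Placeholder: on a real host pass the Orion web root as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in scan_dir(root):
        print("SUPERNOVA DLL hash match:", path)
```

IIS logs record only the query string, so parameters sent in a POST body never appear in cs-uri-query; treat the log check as a lower bound and pair it with the hash scan and a signature check on the handler DLL. The log entry from the sample that is flagged is the one from 198.51.100.7 at 10:02:15; the POST with three of the four names is deliberately left alone.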

Last edited: 3 February 2021 4:25 pm