SYMBOL | COMMON_NAME | aka. SYNONYMS |
In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally. BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.
There are currently no families associated with this actor.
2021-04-29
⋅
CISA
⋅
CISA Identifies SUPERNOVA Malware During Incident Response SUPERNOVA BRONZE SPIRAL |
2021-03-08
⋅
Secureworks
⋅
SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group SUPERNOVA BRONZE SPIRAL |
2021-01-27
⋅
US-CERT
⋅
Malware Analysis Report (AR21-027A): MAR-10319053-1.v1 - Supernova SUPERNOVA BRONZE SPIRAL |
2020-12-23
⋅
Sentinel LABS
⋅
SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan SUPERNOVA BRONZE SPIRAL |
2020-12-17
⋅
Palo Alto Networks Unit 42
⋅
SUPERNOVA SolarWinds .NET Webshell Analysis SUPERNOVA BRONZE SPIRAL |
2020-12-14
⋅
GuidePoint Security
⋅
SUPERNOVA SolarWinds .NET Webshell Analysis SUPERNOVA BRONZE SPIRAL |