SYMBOLCOMMON_NAMEaka. SYNONYMS

BRONZE SPIRAL  (Back to overview)


In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally. BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.


Associated Families

There are currently no families associated with this actor.


References
2021-04-29CISACISA
CISA Identifies SUPERNOVA Malware During Incident Response
SUPERNOVA BRONZE SPIRAL
2021-03-08SecureworksCounter Threat Unit ResearchTeam
SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group
SUPERNOVA BRONZE SPIRAL
2021-01-27US-CERTUS-CERT
Malware Analysis Report (AR21-027A): MAR-10319053-1.v1 - Supernova
SUPERNOVA BRONZE SPIRAL
2020-12-23Sentinel LABSJames Haughom, Jim Walter, Marco Figueroa
SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan
SUPERNOVA BRONZE SPIRAL
2020-12-17Palo Alto Networks Unit 42Matthew Tennis
SUPERNOVA SolarWinds .NET Webshell Analysis
SUPERNOVA BRONZE SPIRAL
2020-12-14GuidePoint SecurityGuidePoint Security
SUPERNOVA SolarWinds .NET Webshell Analysis
SUPERNOVA BRONZE SPIRAL

Credits: MISP Project