According to a new notice from the US-CERT Coordination Center, hackers exploited a zero-day vulnerability to deploy the SUPERNOVA backdoor on the SolarWinds Orion platform. The vulnerability, CVE-2020-10148, affects the SolarWinds Orion API and allows attackers to execute unauthorized API commands and thereby compromise SolarWinds installations.
“The API authentication process can be circumvented by including special parameters in the Request.PathInfo portion of the API request URI, which would allow an attacker to execute unauthorized API commands. In particular, if an attacker adds the PathInfo parameter ‘WebResource.adx’, ‘ScriptResource.adx’, ‘i18n.ashx’, or ‘Skipi18n’ to the SolarWinds Orion server request, SolarWinds can set the SkipAuthorization flag so that API requests can be processed without requiring authentication,” the notification says.
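The notice above gives defenders something concrete to hunt for: Orion API requests whose path carries one of the four PathInfo markers. The following is an added example, not code from the article, CERT/CC or SolarWinds, that parses IIS W3C extended log lines and flags such requests. It assumes the Orion API is served under the `/SolarWinds/InformationService/` route prefix (an assumption; adjust to the paths your deployment actually serves) and uses a constructed sample log, not real traffic. Rejected requests (for example HTTP 401) are reported as well, because an attempt is worth investigating even when it failed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# PathInfo markers named in the CERT/CC notice for CVE-2020-10148.
INDICATORS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# Route prefix of the Orion Information Service API. This is an assumption of
# the example, lower-cased because the comparison below is case-insensitive.
API_PREFIX = "/solarwinds/informationservice/"


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    path: str
    indicator: str
    status: int


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record from an IIS W3C extended log.

    The '#Fields:' directive names the columns, so the parser adapts to
    whatever field layout the server was configured with.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not fields:
            continue  # other directives, or data seen before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-align columns
        yield dict(zip(fields, values))


def find_indicator(path: str) -> str:
    """Return the matched marker when `path` is an Orion API request whose
    path segments contain one of the bypass strings, otherwise ''.

    Matching on whole path segments keeps the legitimate ASP.NET handler
    WebResource.axd (note: axd, not adx) from producing a false positive.
    """
    lowered = path.lower()
    if not lowered.startswith(API_PREFIX):
        return ""
    segments = lowered.split("/")
    for marker in INDICATORS:
        if marker.lower() in segments:
            return marker
    return ""


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    """Run the detection over a log stream and collect every matching request."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        marker = find_indicator(rec.get("cs-uri-stem", ""))
        if marker:
            hits.append(Hit(
                timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
                client_ip=rec.get("c-ip", ""),
                method=rec.get("cs-method", ""),
                path=rec["cs-uri-stem"],
                indicator=marker,
                status=int(rec.get("sc-status", "0")),
            ))
    return hits


def by_source(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per client address, a quick way to prioritise triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


# Constructed sample log (not real data): two benign requests, including a
# legitimate WebResource.axd call, and two API requests carrying bypass markers.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-12-26 10:15:01 10.0.0.5 GET /Orion/Login.aspx - 192.0.2.10 200
2020-12-26 10:15:07 10.0.0.5 POST /SolarWinds/InformationService/v3/Json/Query/WebResource.adx - 198.51.100.7 200
2020-12-26 10:16:12 10.0.0.5 GET /Orion/WebResource.axd d=abc 192.0.2.10 200
2020-12-26 10:17:30 10.0.0.5 GET /SolarWinds/InformationService/v3/Json/Query/Skipi18n - 198.51.100.7 401
"""

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.client_ip} {hit.method} {hit.path} "
              f"marker={hit.indicator} status={hit.status}")
    print(by_source(scan_logs(SAMPLE_LOG.splitlines())))
```

Run it against the sample and the two API requests from 198.51.100.7 are reported while the ordinary login page and WebResource.axd traffic are not. Because the parser reads the `#Fields:` directive, the same code works on a production IIS log with a different column layout as long as `cs-uri-stem`, `c-ip` and `sc-status` are among the logged fields.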
SolarWinds also updated its security notice to state that attackers injected the SUPERNOVA backdoor into the Orion platform through an unknown vulnerability. However, the company did not provide details about the vulnerability.
As SecurityLab previously reported, in addition to the notorious SUNBURST backdoor, another backdoor, SUPERNOVA, was discovered in the Orion platform, planted by a different cybercriminal group. The malware is a .NET web shell implemented by modifying the app_web_logoimagehandler.ashx.b6031896.dll module in the Orion application.