News

Chinese hackers also took part in attacks on SolarWinds clients

At the end of last year, Microsoft researchers suggested that Chinese hackers were also involved in attacks on SolarWinds clients, and Secureworks recently confirmed this assumption.

In December last year, many cybersecurity companies were investigating a large-scale attack on the supply chain that affected SolarWinds and its customers. Even then, experts’ reports mentioned not only the SUNBURST payload (aka Solorigate), which downloaded the Teardrop backdoor Trojan, but also the fact that attackers sometimes injected a web shell called Supernova into infected .NET networks.

Let me remind you that we wrote that security experts linked Sunburst backdoor with the Kazuar malware.

At first, researchers believed the hackers were using Supernova to download, compile, and execute a malicious Powershell script (dubbed CosmicGale).

However, Microsoft analysts soon reported that Supernova was part of another attack, and it was not at all related to the sensational hack of the supply chain. It turned out that the Supernova web shell was injected into poorly protected SolarWinds Orion installations, vulnerable to the CVE-2019-8917 issue.

A report from Microsoft states that unlike the Sunburst DLL, the Supernova DLL was not signed with a legitimate SolarWinds certificate. Because of this, the experts concluded that this malware had nothing to do with the original attack on the supply chain and generally belonged to a different hack group.

Now Microsoft’s findings have been confirmed by Secureworks. This week the company released a report, according to which Supernova is linked to last year’s attacks on Zoho ManageEngine’s servers (this 0-day bug was simply posted on Twitter).

Secureworks is tracking the attackers who hacked Zoho ManageEngine, codenamed Spiral, and believes the hack group is based in China. So, during the August incident, hackers accidentally revealed one of their IP addresses, which turned out to be associated with the Celestial Empire.

As the researchers now write, the behavior of the Supernova malware is similar to the activity of the group in August last year, directed against the products of Zoho. It looks like Spiral could be responsible for both of these attacks, meaning Microsoft’s analysts were right.

“Similarities between SUPERNOVA-related activity in November and activity that CTU researchers analysed in August suggest that the SPIRAL threat group was responsible for both intrusions. Characteristics of these intrusions indicate a possible connection to China”, – Secureworks researchers write.

Let me also remind you that we wrote that the US government has warned agencies about cybersecurity risks for years.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

21 hours ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

22 hours ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

22 hours ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

22 hours ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

22 hours ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

22 hours ago