What are Sunburst and Supernova?

Definition Sunburst | Supernova

Sunburst is the name of a backdoor that was inserted into the Orion network management software from SolarWinds by manipulating the software's source code during its build. The SolarWinds supply chain attack became public in December 2020. According to SolarWinds, fewer than 18,000 customers installed the manipulated software. In the course of investigating the attack, a second, unrelated backdoor was found on Orion servers. It received the designation Supernova.

Sunburst and Supernova are two backdoors found on SolarWinds Orion installations in the wake of the SolarWinds supply chain attack. Sunburst was delivered to Orion users through manipulated source code in SolarWinds' build process; Supernova was planted separately and is not part of the SolarWinds build.

Sunburst is the name of a backdoor discovered in December 2020 while FireEye investigated an intrusion into its own network. Sunburst was introduced through a supply chain attack on SolarWinds' Orion network management software: the attackers manipulated the Orion source code during SolarWinds' build process, so that the backdoor shipped in official, signed product updates. According to SolarWinds, fewer than 18,000 customers installed the manipulated software. Orion is very popular and widely used in the US, but is also used by numerous companies and organizations worldwide. SolarWinds customers include major US telecommunications companies, government agencies, the US military and well-known companies such as Cisco, McDonald's, Microsoft, the New York Times, Visa and many more.

During the investigations into the cyber attack, another backdoor called Supernova was found on Orion servers. Unlike Sunburst, it is not part of SolarWinds' build: it is a trojanized copy of a legitimate Orion web component that security researchers attribute to a different group, most likely deployed by exploiting a separate authentication-bypass vulnerability in the Orion API (CVE-2020-10148) on Internet-exposed servers. The supply chain attack is one of the most sophisticated and professional cyber attacks in history. It was carried out by technically very competent, state-organized attackers; in April 2021 the US and UK governments attributed it to Russia's foreign intelligence service (SVR). Orion versions 2019.4 HF 5, 2020.2 (without hotfix) and 2020.2 HF 1, released between March and June 2020, carried the backdoor. The malware remained undetected in many companies for a long time, and the attackers acted undisturbed for several months. What information they were able to obtain and the exact extent of the attack is still not fully known to this day. Customers who installed the manipulated software must assume that they have been attacked and that unauthorized persons have penetrated their IT environments. Operators of critical infrastructure were among the organizations probed.

Sunburst details

Sunburst lives in the digitally signed component "SolarWinds.Orion.Core.BusinessLayer.dll". The malicious class was inserted into the component's source code during SolarWinds' build process (by a build-server implant later named Sunspot), so the resulting DLL carries SolarWinds' legitimate code signature and passes signature checks. It is a backdoor that, after a dormancy period of up to about two weeks, first resolves subdomains of avsvmcloud[.]com whose first label encodes the victim's identity; the DNS answer steers selected victims to HTTP(S) command-and-control servers, and that traffic is disguised as Orion Improvement Program telemetry. The backdoor camouflages itself using sophisticated mechanisms: it compares running processes, services and drivers against a hashed blocklist of antivirus and forensics tools and stays dormant or disables them, and it can, for example, transfer and execute files, profile the system, reboot it or disable system services.
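As an added example (not from the original article, from FireEye or from SolarWinds), the following Python script flags the Sunburst stage-1 DNS beacon pattern and a few of the stage-2 C2 domains FireEye published when run over a DNS query log. The log format, the client addresses and the first label of the beacon are constructed for the example; the appsync-api/region/avsvmcloud[.]com shape and the stage-2 domains come from the public indicators.

```python
"""Flag SUNBURST-style DNS beacons in a DNS query log (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Stage-1 beacon as described in FireEye's analysis:
#   <encoded victim data>.appsync-api.<region>.avsvmcloud.com
# The first label is a custom encoding of a per-host GUID and the victim's
# AD domain; it is not decoded here, only pattern-matched.
SUNBURST_BEACON_RE = re.compile(
    r"^(?P<payload>[a-z0-9-]{8,})\."
    r"appsync-api\.(?P<region>eu-west-1|us-west-2|us-east-1|us-east-2)\."
    r"avsvmcloud\.com$"
)

# A handful of the stage-2 C2 domains from FireEye's published IoCs.
# Load the complete list from the vendor advisory in real use.
SUNBURST_STAGE2_DOMAINS = frozenset({
    "freescanonline.com", "deftsecurity.com", "thedoccloud.com", "websitetheme.com",
})

# Constructed sample in the form "<timestamp> <client-ip> <qname> <qtype>".
# The first label of the beacon is made up and only follows the real shape.
SAMPLE_DNS_LOG = """\
2020-06-02T10:15:01Z 10.20.1.15 3bxk9qw2plf7vze0h1ty.appsync-api.eu-west-1.avsvmcloud.com. A
2020-06-02T10:15:03Z 10.20.1.15 www.solarwinds.com. A
2020-06-02T10:15:09Z 10.20.1.44 outlook.office365.com. A
2020-06-16T02:30:11Z 10.20.1.15 freescanonline.com. A
2020-06-16T02:31:40Z 10.20.1.15 cdn.freescanonline.com. A
2020-06-16T08:00:00Z 10.20.1.77 appsync-api.us-east-1.amazonaws.com. A
"""


class DnsHit(NamedTuple):
    client: str
    qname: str
    stage: str                 # "stage1-beacon" or "stage2-c2"
    region: Optional[str]      # only set for stage-1 beacons


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing root dot some resolvers log."""
    return qname.rstrip(".").lower()


def classify_qname(qname: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (stage, region) if the name matches a SUNBURST indicator."""
    q = normalize_qname(qname)
    m = SUNBURST_BEACON_RE.match(q)
    if m:
        return "stage1-beacon", m.group("region")
    labels = q.split(".")
    # Match the stage-2 domains themselves and any subdomain of them.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in SUNBURST_STAGE2_DOMAINS:
            return "stage2-c2", None
    return None


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (client, qname) from one constructed-format log line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[1], parts[2]


def scan_dns_log(lines) -> List[DnsHit]:
    hits: List[DnsHit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        verdict = classify_qname(qname)
        if verdict is not None:
            stage, region = verdict
            hits.append(DnsHit(client, normalize_qname(qname), stage, region))
    return hits


def hosts_by_stage(hits: List[DnsHit]) -> Dict[str, Set[str]]:
    """Which hosts beaconed, and which were promoted to stage-2 C2."""
    by_stage: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        by_stage[h.stage].add(h.client)
    return dict(by_stage)


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(hosts_by_stage(hits))
```

A host that appears under both stages is the interesting one: the beacon alone was sent by every infected Orion server, while contact with a stage-2 domain means the operators chose that victim for hands-on activity. Because the beacon encodes the victim's Active Directory domain, passive DNS records of avsvmcloud[.]com queries are also how many organizations learned after the fact that they had been infected.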

Details on Supernova

Supernova is another backdoor. It hides in the component "App_Web_logoimagehandler.ashx.b6031896.dll", a trojanized copy of the ASP.NET handler that serves Orion's logo image. Unlike Sunburst, it is not digitally signed, and security researchers assume that it was planted by a different group rather than through the SolarWinds build. Its compile timestamp, like Sunburst's, dates from March 2020. Supernova acts as a webshell: the attacker sends an HTTP request to the handler carrying C# source code together with the class, method and arguments to invoke; the malicious DLL compiles that code in memory and executes it with the privileges of the Orion web server. Because nothing is written to disk and the requests target a legitimate handler, the malware is difficult to identify.
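As an added example (not from the original article or from the researchers who analyzed Supernova), the following Python script hunts for webshell invocations in IIS W3C extended logs: it parses the `#Fields:` header, picks out requests to the logo image handler, and reports those whose query string carries any of the four parameters the webshell reads (`codes`, `clazz`, `method`, `args`, as named in public analyses by Palo Alto Unit 42 and Microsoft). The log lines, the client addresses and the `codes` value are constructed for the example.

```python
"""Hunt for SUPERNOVA webshell invocations in IIS W3C extended logs (added example)."""
from typing import Dict, Iterator, List, NamedTuple
from urllib.parse import parse_qs

# Request parameters the webshell reads (per public analyses by Palo Alto
# Unit 42 and Microsoft). The legitimate handler only serves a logo by "id".
SUPERNOVA_PARAMS = frozenset({"codes", "clazz", "method", "args"})
HANDLER_SUFFIX = "/logoimagehandler.ashx"

# Constructed sample log. 203.0.113.7 is a documentation address standing in
# for an attacker; the "codes" value is a made-up stand-in for the encoded
# C# source the webshell compiles.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-11-02 13:41:07 10.20.5.9 GET /Orion/LogoImageHandler.ashx id=1 200
2020-11-02 13:42:19 203.0.113.7 GET /Orion/LogoImageHandler.ashx clazz=Payload&method=Run&args=whoami&codes=H4sIAAAAAAAEAHRU 200
2020-11-02 13:42:20 203.0.113.7 POST /Orion/LogoImageHandler.ashx codes=H4sIAAAAAAAEAHRU&clazz=Payload&method=Run 200
2020-11-02 13:43:00 10.20.5.9 GET /Orion/Login.aspx - 200
"""


class SupernovaHit(NamedTuple):
    client: str
    http_method: str
    params_seen: tuple   # sorted webshell parameters present in the query string
    complete: bool       # all four parameters present


def parse_w3c(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue          # other directives: #Software, #Version, #Date
        values = line.split()  # IIS URL-encodes spaces inside values
        if not fields or len(values) != len(fields):
            continue          # truncated or malformed record
        yield dict(zip(fields, values))


def is_handler_request(uri_stem: str) -> bool:
    return uri_stem.lower().endswith(HANDLER_SUFFIX)


def supernova_params(query: str) -> set:
    """Webshell parameters present in a logged cs-uri-query ('-' means none)."""
    if query in ("", "-"):
        return set()
    return {k.lower() for k in parse_qs(query, keep_blank_values=True)} & SUPERNOVA_PARAMS


def hunt_supernova(lines) -> List[SupernovaHit]:
    hits: List[SupernovaHit] = []
    for rec in parse_w3c(lines):
        if not is_handler_request(rec.get("cs-uri-stem", "")):
            continue
        seen = supernova_params(rec.get("cs-uri-query", "-"))
        if not seen:
            continue
        hits.append(SupernovaHit(
            client=rec.get("c-ip", "-"),
            http_method=rec.get("cs-method", "-"),
            params_seen=tuple(sorted(seen)),
            complete=seen == SUPERNOVA_PARAMS,
        ))
    return hits


if __name__ == "__main__":
    for hit in hunt_supernova(SAMPLE_IIS_LOG.splitlines()):
        print(hit)
```

IIS logs only record the query string, so parameters that an attacker sends in a POST body never appear; treat a hit as high-fidelity but a clean log as inconclusive. Pair the log hunt with a file check: the genuine App_Web_logoimagehandler DLL under the Orion web directory is signed by SolarWinds, while the Supernova copy is not.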
