CISA issues warning on exploited VPN flaw

A Chinese hacking campaign is using known flaws in a virtual private network application to breach entity networks and implant the SUPERNOVA malware.

A Chinese hacking campaign is using known flaws in a virtual private network application to breach entity networks and implant the malware security researchers dubbed SUPERNOVA, the Cybersecurity and Infrastructure Security Agency said April 22.

While similar to the recent attack attributed to Russian foreign intelligence, "CISA assesses this is a separate actor than the APT actor responsible for the SolarWinds supply chain compromise described in" previous alerts, according to the report. "Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack."

The threat group, according to CISA, probably used an authentication bypass vulnerability in Orion to implant SUPERNOVA, a backdoor that gives the attacker remote access to the compromised Orion server.

Separately, on April 20, Pulse Secure's virtual private networking software became the subject of CISA's third emergency directive this fiscal year following cybersecurity firm FireEye's discovery that a hacking group linked to the Chinese government is using vulnerabilities in the VPN to target defense industrial base contractors and entities in Europe.

The directive instructs agencies to run the vendor's Pulse Connect Secure Integrity Tool on all Pulse Connect Secure devices to check for indicators associated with the exploits reportedly in use. If the tool does not detect an issue, agencies must keep running it daily until a patch is available and apply the vendor's workaround mitigations in the meantime. CISA also said it is coordinating its response with the Federal Risk and Authorization Management Program (FedRAMP), which provides standardized security assessments for cloud products and services.

CISA's April 22 advisory states the threat actor used both SUPERNOVA and vulnerabilities in Pulse Secure products to target various organizations between March 2020 and February 2021. The report is based on CISA's own incident response engagements with affected organizations.

"This threat actor targeted multiple entities in the same period; some information in this analysis report is informed by other related incident response engagements and CISA's public and private sector partners," according to the agency's report. "This APT actor has used opportunistic tradecraft, and much is still unknown about" its tactics, techniques and procedures.

CISA said the threat actor gained access through a VPN appliance by logging in with several user accounts that lacked multi-factor authentication, but the agency has not determined how the campaign obtained those credentials. The actor then moved laterally to the entity's SolarWinds Orion server and installed SUPERNOVA there.

The advisory does not provide any information on who the victimized entities may be or an attribution to the actor responsible for the attacks, except to emphasize that it is separate from the one discovered late last year and attributed to Russian foreign intelligence agents.

This article was first posted to FCW, a sibling site to Defense Systems.