CISA warns on new threat group using VPN flaw

A new report by the government's cybersecurity agency warns about another threat actor using malware initially discovered during the response to the intrusion involving SolarWinds.


The Cybersecurity and Infrastructure Security Agency said on Thursday it believes a hacking campaign, separate from the one recently attributed to Russian foreign intelligence, is using known flaws in a virtual private network application to breach entity networks and implant the malware security researchers dubbed "SUPERNOVA."

"CISA assesses this is a separate actor than the APT actor responsible for the SolarWinds supply chain compromise described in" previous alerts, according to the report. "Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack."

The threat group, according to the CISA report, probably used an authentication bypass vulnerability in Orion to implant the SUPERNOVA malware. SUPERNOVA itself is a backdoor that allows an attacker access to targeted systems.

Separately, Pulse Secure's virtual private networking software on Tuesday became the subject of CISA's third emergency directive this fiscal year following cybersecurity firm FireEye's discovery that a hacking group linked to the Chinese government is using vulnerabilities in the VPN to target defense industrial base contractors and entities in Europe.

CISA's advisory states the threat actor used both SUPERNOVA and vulnerabilities in Pulse Secure products to target various organizations between March 2020 and February 2021. The report is based on CISA's incident response work with organizations.

"This threat actor targeted multiple entities in the same period; some information in this analysis report is informed by other related incident response engagements and CISA's public and private sector partners," according to the agency's report. "This APT actor has used opportunistic tradecraft, and much is still unknown about" its tactics, techniques and procedures.

CISA said the threat actor was able to breach a VPN device through several user accounts that lacked multi-factor authentication, but the agency has not determined how the campaign obtained the initial credentials. The actor was then able to move laterally to the entity's SolarWinds Orion device, where they installed SUPERNOVA.

The advisory does not identify the victimized entities or attribute the attacks to a specific actor, except to emphasize that this activity is separate from the campaign discovered late last year and attributed to Russian foreign intelligence agents.

Since publicly attributing the espionage campaign to Russia, the White House also disestablished the interagency group originally tasked with coordinating the federal government's response to the campaign against SolarWinds.

"The PPD 41 system needs to demonstrate its ability to ramp up and down the level of effort," Mark Montgomery, a senior advisor to the congressional Cyberspace Solarium Commission, said, referring to the presidential directive that allowed the group to be formed.

"Clearly they are transitioning from response to recovery -- this is a demonstration of a deliberate, focused leadership effort by Anne Neuberger at NSC and CISA and the rest of the interagency team," he said of the White House's April 19 announcement.