The Cybersecurity and Infrastructure Security Agency (CISA) has identified malware dubbed Supernova that advanced persistent threat actors used to compromise an organization’s enterprise network through a Pulse Secure virtual private network device.
CISA said Thursday that the hackers use Supernova to conduct reconnaissance and domain mapping and to steal credentials and sensitive data.
According to the agency, the threat actors connect to the network through the VPN appliance, move laterally to the entity’s SolarWinds Orion server, and install the malware there; CISA describes it as a “malicious webshell backdoor.”
CISA noted that the threat actor responsible for Supernova is different from the hacker linked to the SolarWinds supply chain compromise. “Organizations that find SUPERNOVA on their SolarWinds installations should treat this incident as a separate attack,” the advisory reads.
CISA recommends that organizations implement multifactor authentication, deploy endpoint defense tools, secure remote desktop protocol and other remote access tools, and maintain up-to-date antivirus engines and signatures, among other measures, to improve the cybersecurity posture of their systems.