API Vulnerabilities at the Center of SolarWinds SUPERNOVA Malware
Learn more about SUPERNOVA Malware and how CloudVector can protect against the APIs exploited by the malware
The digital world was rocked recently by a major supply chain attack on the SolarWinds Orion platform exploiting a vulnerability called SunBurst. It is estimated that close to 18,000 corporate and government agency customers are impacted, and most of these customers installed the SolarWinds Orion platform either on-premises or in the cloud. The analysis of the SunBurst vulnerability and related artifacts led to the discovery of a much stealthier malware called SUPERNOVA. At this time it has been ascertained that SUPERNOVA is not linked to the supply chain attack and was most likely developed by a different threat actor group. SUPERNOVA malware unfortunately impacts almost all of the Orion platform versions (please consult the SolarWinds security advisory to check and compare the Orion platform versions that are affected by SunBurst and SUPERNOVA).
SUPERNOVA is the first widely reported and stealthy malware leveraging API vulnerabilities at almost all phases of the cyber attack lifecycle – “Weaponization, Delivery, Exploitation, Command & Control, and Exfiltration & Disruption”. SUPERNOVA also highlights the need for enterprises to understand and secure their APIs against:
1. 3rd Party API Risks
2. Shadow APIs
3. API Data layer exploits and data exfiltration.
The need for digitization and agility has paved the way for enterprises to develop their own APIs while also using 3rd party software deployed within the enterprise that has its own exposed APIs. These 3rd party APIs are much harder to deal with and expose greater risk, as seen in the case of SUPERNOVA. Security organizations are blind to these risks due to the lack of tools that work with both internally developed and 3rd party APIs. Security tools that perform code scanning, and development lifecycle tools, won’t work on 3rd party software. It is impossible to sufficiently test the API surface exposed by 3rd party software, especially for Shadow API parameters not known even to the supplier themselves. In addition, there is a lack of tools that cater to legacy and traditional infrastructure and application architectures.
CloudVector is the industry’s first and only API security solution that can both detect and protect enterprises from SUPERNOVA malware in ALL the cyber attack life cycle phases: “Weaponization, Delivery, Exploitation, Command & Control, and Exfiltration & Disruption”.
SUPERNOVA Malware Cyber Attack Life Cycle
Let us review how APIs have become the key threat vectors in SUPERNOVA’s attack life cycle, as shown in Figure 1 below.
Figure 1: APIs as the key threat vectors in the SUPERNOVA attack life cycle
Weaponization, Delivery, and Exploitation
The SolarWinds security advisory, along with the CERT vulnerability note, indicates that a vulnerable Orion platform can be exploited by sending an API call to any of the following resources – WebResource.axd, ScriptResource.axd, i18n.ashx, or Skipi18n – along with a PathInfo parameter. This sets the SkipAuthorization flag on the platform, bypassing authentication for these API calls, and subsequently allows the execution of API commands that modify an existing DLL, “app_web_logoimagehandler.ashx.b6031896.dll”, into the SUPERNOVA malware.
The API vulnerability described above is categorized as “Shadow API” which indicates that an API has been published with hidden parameters that are generally not exposed and not intended to be used by any legitimate clients.
CloudVector’s machine learning engine continuously monitors API calls along with their parameters and data to establish a baseline for each API. The monitored parameters include query strings, body parameters, and URL parameters, as seen in this case. The baseline for each of the four API resources above will not contain the “PathInfo” parameter, since no legitimate client uses it. If and when a threat actor supplies the “PathInfo” parameter, the call is detected and blocked in real time by the CloudVector solution.
Command & Control, Exfiltration, and Disruption
The DLL file “app_web_logoimagehandler.ashx.b6031896.dll” is specific to the Orion platform. It exposes an HTTP API that other components of the platform use to obtain a specific GIF image. Once this DLL file is modified into the SUPERNOVA malware, a threat actor can send an API call to the “logoimagehandler.ashx” resource with four specific parameters: codes, clazz, method and args. If an API call is made to the resource with none of these parameters (the normal, legitimate API call), the malware continues to serve GIF images. If all four parameters are present in the API call, the malware invokes its C&C routine. The parameters carry, respectively, the C# source code to be compiled and executed by the .NET C# compiler, the C# class to be instantiated, the method within that class to be executed, and the arguments to that method. Once compilation and execution complete, the result is returned as the API response.
SUPERNOVA allows the threat actors to send dynamic code any number of times via multiple API calls. The C&C code remains undetected because it is compiled and executed in memory; it does not spawn any subshell or process (cmd.exe, PowerShell.exe or /bin/bash) for execution. An in-depth technical analysis of SUPERNOVA has been performed by cyber security researchers and clearly demonstrates the stealthy nature of the malware and the sophistication of the threat actors who created it.
The API vulnerability described here is also categorized as a “Shadow API”, meaning an API has been published or modified with hidden parameters. As described above, the four parameters are not part of the legitimate API and are never used by any legitimate client.
CloudVector’s machine learning engine continuously monitors API calls along with their parameters and data to establish a baseline for all APIs, including the “logoimagehandler.ashx” resource. As and when the Orion platform is accessed with the four new parameters for this resource, the call is detected and blocked in real time by the CloudVector solution. In addition, CloudVector’s API data classification engine detects the C# code in the parameter values and labels the API accordingly.
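To make the baselining idea concrete for both phases described above (the hidden PathInfo parameter on the four SkipAuthorization resources, and the codes/clazz/method/args parameters on logoimagehandler.ashx), here is an added, self-contained Python example. It is not CloudVector’s code and does not describe its engine: it learns the set of query parameters each resource carries from a known-good log extract, then flags requests whose parameters fall outside that baseline, adds the two page-specific indicators, and applies a cheap keyword heuristic as a stand-in for data classification of C# source. The log lines, the resource paths under /Orion/, and the parameter values are all constructed for the example.

```python
"""Parameter-baseline detection for the two SUPERNOVA API patterns.

Learns which query parameters each resource normally carries, then flags
calls that deviate. All log lines are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Resource and parameter names come from the advisory text above.
SKIPAUTH_RESOURCES = {"webresource.axd", "scriptresource.axd", "i18n.ashx", "skipi18n"}
CC_PARAMS = {"codes", "clazz", "method", "args"}

# Constructed "METHOD target STATUS" lines standing in for an access log
# recorded during a known-good period.
BASELINE_LOG = """\
GET /Orion/ScriptResource.axd?d=abc123&t=637 200
GET /Orion/WebResource.axd?d=def456&t=638 200
GET /Orion/i18n.ashx?l=en-US 200
GET /Orion/logoimagehandler.ashx?id=sitelogo 200
GET /Orion/logoimagehandler.ashx?id=sitelogo&v=2 200
"""

# Constructed extract containing both the exploitation and the C&C pattern.
SUSPECT_LOG = """\
GET /Orion/ScriptResource.axd?d=abc123&t=637 200
GET /Orion/WebResource.axd?d=def456&PathInfo=x 200
GET /Orion/logoimagehandler.ashx?id=sitelogo 200
GET /Orion/logoimagehandler.ashx?codes=using%20System%3B%20public%20class%20X%7Bpublic%20static%20string%20Run()%7Breturn%20%22hi%22%3B%7D%7D&clazz=X&method=Run&args= 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Return (resource, {param: [values]}) for one log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    resource = parts.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    return resource, {k.lower(): v for k, v in params.items()}


def learn_baseline(log_text):
    """Map each resource to the set of parameter names seen in good traffic."""
    baseline = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            resource, params = parsed
            baseline[resource].update(params)
    return dict(baseline)


def looks_like_csharp(value):
    """Keyword heuristic for C# source in a parameter value (a stand-in for a real classifier)."""
    markers = ("using System", "namespace ", "class ", "public ", "static ", "void ")
    return sum(marker in value for marker in markers) >= 2


def detect(log_text, baseline):
    """Return a list of (resource, reason) findings for a log extract."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        resource, params = parsed
        names = set(params)
        if resource not in baseline:
            findings.append((resource, "resource not in baseline (possible shadow API)"))
            continue
        unseen = names - baseline[resource]
        if unseen:
            findings.append((resource, "parameters outside baseline: " + ",".join(sorted(unseen))))
        if resource in SKIPAUTH_RESOURCES and "pathinfo" in names:
            findings.append((resource, "PathInfo parameter: SkipAuthorization bypass indicator"))
        if resource == "logoimagehandler.ashx" and CC_PARAMS <= names:
            findings.append((resource, "codes/clazz/method/args present: SUPERNOVA C&C pattern"))
        for name, values in params.items():
            if any(looks_like_csharp(v) for v in values):
                findings.append((resource, f"parameter {name!r} carries C#-like source"))
    return findings


if __name__ == "__main__":
    for resource, reason in detect(SUSPECT_LOG, learn_baseline(BASELINE_LOG)):
        print(f"{resource}: {reason}")
```

Run against the constructed logs, the baseline extract produces no findings, while the suspect extract yields five: the PathInfo call is caught both as an out-of-baseline parameter and by the page-specific indicator, and the logoimagehandler.ashx call is caught three times (out-of-baseline parameters, the four-parameter C&C pattern, and C#-like content in codes). The baseline learning is the part that generalises: it needs no prior knowledge of SUPERNOVA, only a clean period of traffic per resource.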
What should you do next?
Most SolarWinds Orion Platform customers either exposed the platform to the internet or deployed it in their internal networks. Externally exposed platforms are at higher risk of direct exploitation by a threat actor via the APIs described above. Internally exposed platforms can be susceptible to lateral movement attacks using the same APIs. In either case, it is important to ascertain whether the platform is being exploited to implant malware or has already been exploited and has an active C&C channel.
Also, the widespread supply chain attack on SolarWinds, along with SUPERNOVA, highlights the need for corporate and government agency customers to closely monitor all the APIs exposed by 3rd party software and vendors.
How can CloudVector help?
Get CloudVector Enterprise Edition and deploy in minutes. In addition to machine learning-based anomaly detection described above, the latest update of the CloudVector Enterprise Edition provides specific detection of the SUPERNOVA malware for both the exploitation and C&C phases.
CloudVector Enterprise Edition also enables corporate and government agency customers to get deep visibility and risk insights into ALL APIs exposed in their environment including the APIs exposed by 3rd party vendors and software. Additionally, CloudVector can detect and protect from any zero-day API vulnerabilities within these APIs.
About Ravi Balupari
Ravi Balupari has over 20 years of Cyber Security experience. He is the co-founder and heads the product & security research at CloudVector. His expertise includes the areas of API security, network security, protocol reverse engineering, vulnerability & exploit research, and ML/AI. Prior to founding CloudVector, he was a founding team member of Netskope where he built multiple products. He also founded the Netskope Threat Research Labs focusing exclusively on cloud threats in addition to the traditional malware threats. Prior to Netskope, he worked at McAfee in the areas of IPS/IDS, vulnerability & exploit research, threat detection signature content as part of McAfee Labs.