Splunk Lantern

Systems vulnerable to Supernova malware

You might need to uncover systems vulnerable to Supernova malware when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. You know that because it runs in memory, detection and forensic analysis post-breach are difficult. You want to identify vulnerable systems as soon as possible.

Option 1

To optimize the search shown below, you should specify an index and a time range. In addition, content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Vulnerabilities data model. For information on installing and using the CIM, see the Common Information Model documentation.

  1. Ensure that your deployment is ingesting endpoint logs from your various systems and populating the Vulnerabilities data model.
  2. Ensure that you have a recent vulnerability scan with the SolarWinds Orion API vulnerability alert added.
  3. Run the following search:
    | tstats count FROM datamodel=Vulnerabilities.Vulnerabilities WHERE 
    Vulnerabilities.cert=VU#843464 OR Vulnerabilities.cert=843464 OR 
    Vulnerabilities.cve=CVE-2020-10148 groupby Vulnerabilities.dest 
    Vulnerabilities.dvc Vulnerabilities.signature 
    Vulnerabilities.vendor_product _time span=1s

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
    | tstats count FROM datamodel=Vulnerabilities.Vulnerabilities WHERE 
    Vulnerabilities.cert=VU#843464 OR Vulnerabilities.cert=843464 OR 
    Vulnerabilities.cve=CVE-2020-10148 groupby Vulnerabilities.dest 
    Vulnerabilities.dvc Vulnerabilities.signature 
    Vulnerabilities.vendor_product _time span=1s
Explanation:
    Query the Vulnerabilities data model for entries whose US Computer Emergency Readiness Team (CERT) vulnerability note identifier (VU#843464, with or without the VU# prefix) or Common Vulnerabilities and Exposures (CVE) identifier (CVE-2020-10148) corresponds to the attack of interest, in this case the SolarWinds Supernova attack, and count the matches per destination, device, signature and vendor product in one-second time buckets.

Option 2

To optimize the search shown below, you should specify an index and a time range.  

  1. Ensure that you have a recent vulnerability scan with the SolarWinds Orion API vulnerability alert added.
  2. Run the following search:
    sourcetype=<vulnerability scanner> (VU#843464 OR 843464 OR CVE-2020-10148)
    | stats count BY dest host signature vendor _time

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
    sourcetype=<vulnerability scanner>
Explanation:
    Search only data from your vulnerability scanner.

Splunk Search:
    (VU#843464 OR 843464 OR CVE-2020-10148)
Explanation:
    Filter on strings that correspond to the US Computer Emergency Readiness Team (CERT) vulnerability note identifier (with or without the VU# prefix) or the Common Vulnerabilities and Exposures (CVE) identifier associated with the attack of interest, in this case the SolarWinds Supernova attack.

Splunk Search:
    | stats count BY dest host signature vendor _time
Explanation:
    Count the events that match, grouped by the fields shown.
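To sanity-check what the Option 2 search keys on before running it in Splunk, here is an added Python example (not part of this Lantern article or any Splunk content) that applies the same identifier filter and the same grouping to constructed JSON-lines scanner events; the event field names, hostnames and the "ExampleScanner" vendor are assumptions for the example.

```python
import json
from collections import Counter

# Identifier forms the page's searches look for: the CERT vulnerability note
# with and without the VU# prefix, plus the CVE id.
SUPERNOVA_IDS = ("VU#843464", "843464", "CVE-2020-10148")

# Constructed sample scanner events (JSON lines); field names are assumptions.
SAMPLE_SCAN_EVENTS = """
{"_time": "2020-12-21T03:15:00", "dest": "orion-01.corp.example", "host": "scanner-a", "signature": "SolarWinds Orion API Authentication Bypass", "vendor": "ExampleScanner", "cert": "VU#843464", "cve": "CVE-2020-10148"}
{"_time": "2020-12-21T03:15:00", "dest": "orion-02.corp.example", "host": "scanner-a", "signature": "SolarWinds Orion API Authentication Bypass", "vendor": "ExampleScanner", "cert": "843464", "cve": ""}
{"_time": "2020-12-21T03:15:01", "dest": "orion-02.corp.example", "host": "scanner-a", "signature": "SolarWinds Orion API Authentication Bypass", "vendor": "ExampleScanner", "cert": "", "cve": "cve-2020-10148"}
{"_time": "2020-12-21T03:16:00", "dest": "web-07.corp.example", "host": "scanner-b", "signature": "Outdated TLS configuration", "vendor": "ExampleScanner", "cert": "", "cve": "CVE-2016-2183"}
"""

GROUP_BY = ("dest", "host", "signature", "vendor", "_time")


def matches_supernova(event):
    """True when the cert or cve field carries one of the Supernova identifiers.

    Splunk field-value matching is case-insensitive, so lower-case both sides;
    this also catches scanners that emit 'cve-2020-10148'."""
    wanted = {i.lower() for i in SUPERNOVA_IDS}
    return any(str(event.get(f, "")).lower() in wanted for f in ("cert", "cve"))


def count_vulnerable(raw_events):
    """Equivalent of '| stats count BY dest host signature vendor _time'."""
    counts = Counter()
    for line in raw_events.strip().splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        event = json.loads(line)
        if matches_supernova(event):
            counts[tuple(event.get(f) for f in GROUP_BY)] += 1
    return counts


def vulnerable_hosts(raw_events):
    """Distinct dest values, i.e. the hosts to focus the response plan on."""
    return sorted({key[0] for key in count_vulnerable(raw_events)})


if __name__ == "__main__":
    for key, count in sorted(count_vulnerable(SAMPLE_SCAN_EVENTS).items()):
        print(*key, count, sep="\t")
    print("vulnerable hosts:", vulnerable_hosts(SAMPLE_SCAN_EVENTS))
```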

Result

You can refine this search further based on IP address or other attributes. The searches provide a table showing the destination, device, signature, the vulnerability vendor that produced the entry as a result of a scan, the time and the count. The destination is the host where the vulnerability was found and should be the focus of your vulnerability response action plan. A response typically includes collecting evidence for forensics and then removing the malware and making sure the vulnerability is remediated.