A possible link to China has been noted by researchers examining the exploit of SolarWinds servers to deploy malware.
On Monday, Secureworks’ counter threat unit (CTU) said that during late 2020, a compromised Internet-facing SolarWinds server was used as a springboard to deploy Supernova, a .NET web shell.
Similar intrusions on the same network suggest that the Spiral threat group, suspected of a Chinese origin, is to blame for both cases.
According to the researchers, CVE-2020-10148 has been actively exploited by Spiral. This vulnerability is found in the SolarWinds Orion API and is described as an authentication bypass bug leading to the remote execution of API commands.