The Cybersecurity and Infrastructure Security Agency (CISA) issued another Pulse Secure alert today regarding SUPERNOVA, describing an advanced persistent threat (APT) actor’s long-term compromise of an entity’s enterprise network. The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials.

The SUPERNOVA incident described in the CISA alert adds a significant amount to our knowledge about the activity accompanying this malware. The activity they describe is stealthy and shows great care for operational security. In particular, their use of compromised residential routers in the U.S. would make tracking activity more difficult.