Microsoft Releases Free Tool For Hunting SolarWinds Malware

Uploaded on 2021-03-01 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Organisations investigating whether they are victims of, or are still infected by, the SolarWinds attack campaign now have access to a free toolkit Microsoft used to seek out the malware in its own codeMicrosoft is offering free access to the software that it developed to analyse its source code in the wake of the SolarWinds breach discovery.  

Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of Sunburst or Solorigate malware planted in the SolarWinds Orion software updates. Other organisations can use the queries to perform a similar analysis. 

Microsoft has released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies, and over 100 companies many of which were from the tech sector. CodeQL is a tool in GitHub's Advanced Security toolkit; the queries Microsoft used with CodeQL root out code that contains similarities in patterns and functions to the SolarWinds binary. These queries can be used on any software for signs of the SolarWinds attack campaign.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of its own code bases. 

Microsoft explains its use of CodeQL queries to analyze its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with the incident, which it calls Solorigate.  “A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product.... These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information."

“Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements or in functionality... Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there’s no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant.” Microsoft said. 

In a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks, the memory-only dropper dubbed Teardrop that profiled the victim's network and systems environments, dates from 2017. This malware  appears to be associated with the Turla Russian cyber-espionage group, which suggests that Teardrop was likely used in other APT operations before SolarWinds by this nation-state hacking team, says Ryan Sherstobitoff, VP Threat Research & Intelligence at SecurityScorecard. 

Teardrop was first identified by FireEye in its analysis of the malware, which was used to run Cobalt Strike BEACON, a command-and-control (C2) tool in the open source Cobalt Strike toolkit the attackers employed, most likely as a way to camouflage their activity.

FireEye first disclosed the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop, a dynamic link library (DLL) as a piece of malware that didn't match any it had seen before. "Teardrop does not have code overlap with any previously seen malware," they say.

The analysis carried out by SecurityScorecard using C2 telemetry shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but first deployed in a  test in October 2019. SecurityScorecard research also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations. Like other security vendors.

SecurityScorecard have not made attribution but it is most likely work undertaken by the work of the Russian SVR intelligence agency and its notorious hacking team known as Cozy Bear.

Teardrop works by opening a backdoor into the victim organization, which raises the possibility it could be used to drop other more destructive payloads. Teardrop itself was used mainly to "fingerprint" and profile the victim's systems and networks.
"The challenge is, are there third- or fourth-stage implants we don't know about..." Sherstobitoff says.

The open sourcing of CodeQL queries is a great example of how sharing techniques that Microsoft has found useful can give other researchers a defensive to help protect against sophisticated attacks. 

Microsoft:        FireEye:     DarkReading:     SC Magazine:        ZDNet:         Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

« New Solutions For Zero-Day Attacks
Russian Hackers Make A Sustained Attack On France »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyberis

Cyberis

Cyberis are pioneers in customer-focussed information security. Since 2011, we’ve been helping businesses protect their brands, customers and reputation.

Cyber Seguridad (Cyberseg)

Cyber Seguridad (Cyberseg)

Cyberseg provides specialized Cybersecurity services, including managed services (SOC / CERTs) and solutions for the protection of critical infrastructures.

Aergo

Aergo

Aergo offers an easier and more proven way to adopt blockchain and transform your business while building on your existing IT and cloud assets.

DreamIt Ventures

DreamIt Ventures

DreamIt Ventures is an early stage venture fund that accelerates startups building transformative tech products in the fields of Healthtech, Securetech, and Urbantech.

SOSA

SOSA

SOSA facilitates new growth opportunities by connecting the dots between industry verticals and innovation ecosystems around the world.

Brimondo

Brimondo

At Brimondo we help you to maximize and protect your brand value by being a proactive and strategic partner within brand protection with experts within intellectual property and digital assets.

SAFECode

SAFECode

SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights on creating, improving, and promoting effective software security programs.

Dataships

Dataships

We help companies automate their privacy compliance while building healthy, transparent data relationships with their customers.

Searchlight Cyber

Searchlight Cyber

Searchlight Cyber is a leading darknet intelligence company. Working with law enforcement, industry, and end users to help protect society against the threats of the darknet.

HackNotice

HackNotice

HackNotice Teams is an all-in-one encompassing tool that monitors threats within your organization, different vendors, and third parties whose services you use.

ViewDS Identity Solutions

ViewDS Identity Solutions

ViewDS Identity Solutions develops innovative identity software including cloud identity management solutions, directory services, access and authorization management solutions.

ID R&D

ID R&D

ID R&D is an award-winning provider of AI-based facial liveness, document liveness, and voice biometrics.

Knownsec

Knownsec

Knownsec provides customers with cloud defense, cloud monitoring, and cloud mapping products and services with "AI + security big data" as the underlying capability.

Digital.ai

Digital.ai

Digital.ai empowers organizations to scale software development teams, continuously deliver software with greater quality and security.

SalvageData Recovery Services

SalvageData Recovery Services

Since 2003, SalvageData has been providing high-quality data recovery with the certifications needed to work with any storage media manufacturer.

Synqly

Synqly

Synqly are on a mission to enable quick, secure, and sustainable integrations between any cybersecurity and infrastructure technologies.