Microsoft Releases Free Tool For Hunting SolarWinds Malware

Uploaded on 2021-03-01 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Organisations investigating whether they are victims of, or are still infected by, the SolarWinds attack campaign now have access to a free toolkit Microsoft used to seek out the malware in its own codeMicrosoft is offering free access to the software that it developed to analyse its source code in the wake of the SolarWinds breach discovery.  

Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of Sunburst or Solorigate malware planted in the SolarWinds Orion software updates. Other organisations can use the queries to perform a similar analysis. 

Microsoft has released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies, and over 100 companies many of which were from the tech sector. CodeQL is a tool in GitHub's Advanced Security toolkit; the queries Microsoft used with CodeQL root out code that contains similarities in patterns and functions to the SolarWinds binary. These queries can be used on any software for signs of the SolarWinds attack campaign.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of its own code bases. 

Microsoft explains its use of CodeQL queries to analyze its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with the incident, which it calls Solorigate.  “A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product.... These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information."

“Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements or in functionality... Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there’s no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant.” Microsoft said. 

In a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks, the memory-only dropper dubbed Teardrop that profiled the victim's network and systems environments, dates from 2017. This malware  appears to be associated with the Turla Russian cyber-espionage group, which suggests that Teardrop was likely used in other APT operations before SolarWinds by this nation-state hacking team, says Ryan Sherstobitoff, VP Threat Research & Intelligence at SecurityScorecard. 

Teardrop was first identified by FireEye in its analysis of the malware, which was used to run Cobalt Strike BEACON, a command-and-control (C2) tool in the open source Cobalt Strike toolkit the attackers employed, most likely as a way to camouflage their activity.

FireEye first disclosed the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop, a dynamic link library (DLL) as a piece of malware that didn't match any it had seen before. "Teardrop does not have code overlap with any previously seen malware," they say.

The analysis carried out by SecurityScorecard using C2 telemetry shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but first deployed in a  test in October 2019. SecurityScorecard research also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations. Like other security vendors.

SecurityScorecard have not made attribution but it is most likely work undertaken by the work of the Russian SVR intelligence agency and its notorious hacking team known as Cozy Bear.

Teardrop works by opening a backdoor into the victim organization, which raises the possibility it could be used to drop other more destructive payloads. Teardrop itself was used mainly to "fingerprint" and profile the victim's systems and networks.
"The challenge is, are there third- or fourth-stage implants we don't know about..." Sherstobitoff says.

The open sourcing of CodeQL queries is a great example of how sharing techniques that Microsoft has found useful can give other researchers a defensive to help protect against sophisticated attacks. 

Microsoft:        FireEye:     DarkReading:     SC Magazine:        ZDNet:         Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

« New Solutions For Zero-Day Attacks
Russian Hackers Make A Sustained Attack On France »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NCX Group

NCX Group

NCX Group is committed to helping customers identify and mitigate the risks inherent in today’s interconnected environments and business processes.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

Cryptomathic

Cryptomathic

Cryptomathic is an expert on commercial crypto - we develop, deliver and support the most secure and efficient off-the-shelf and customised solutions.

CommuniTake

CommuniTake

CommuniTake builds security, enablement, and management solutions to provide people and organizations with better, and more secure mobile device use.

Elastic

Elastic

Elastic is the world's leading software provider for making structured and unstructured data usable in real time for search, logging, security, and analytics use cases.

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) is the Directorate of MCIT responsible for the security of critical information infrastructures in Afghanistan.

SK IT Cyber Security

SK IT Cyber Security

SK IT provide services and solutions for cybersecurity and advanced information system engineering.

Institute of Informatics and Telematics (IIT)

Institute of Informatics and Telematics (IIT)

IIT carries out activities of research, assessment, technology transfer and training in the field of Information and Communication Technologies and of Computational Sciences.

FirstWave Cloud Technology

FirstWave Cloud Technology

FirstWave Cloud Technology is a global cyber security company which has been delivering Cybersecurity-as-a-service solutions to the market since 2004.

Kiberna

Kiberna

Kiberna are a small but niche company specialising in data driven security to manage your cyber risks.

Trenton Systems

Trenton Systems

Trenton Systems are committed to providing high-performance computing solutions to customers running mission-critical applications in harsh settings worldwide and across various industries.

Oivan

Oivan

Oivan harnesses the strengths of the web, mobile, cloud, cybersecurity, and blockchain technologies to help our clients to launch transformative digital services.

Cygna Labs

Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI (DNS, DHCP, and IP address management) vendors.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.

Sunnic

Sunnic

Sunnic is a leading provider of comprehensive digital data security technology.

Cyber Castle

Cyber Castle

Linux Demands Sophisticated, Purpose-Built Security. Cyber Castle is the solution. A safe, deployable platform down to the edge device for monitoring Linux security anywhere across the globe.