Microsoft Releases Free Tool For Hunting SolarWinds Malware

Uploaded on 2021-03-01 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Organisations investigating whether they are victims of, or are still infected by, the SolarWinds attack campaign now have access to a free toolkit Microsoft used to seek out the malware in its own codeMicrosoft is offering free access to the software that it developed to analyse its source code in the wake of the SolarWinds breach discovery.  

Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of Sunburst or Solorigate malware planted in the SolarWinds Orion software updates. Other organisations can use the queries to perform a similar analysis. 

Microsoft has released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies, and over 100 companies many of which were from the tech sector. CodeQL is a tool in GitHub's Advanced Security toolkit; the queries Microsoft used with CodeQL root out code that contains similarities in patterns and functions to the SolarWinds binary. These queries can be used on any software for signs of the SolarWinds attack campaign.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of its own code bases. 

Microsoft explains its use of CodeQL queries to analyze its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with the incident, which it calls Solorigate.  “A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product.... These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information."

“Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements or in functionality... Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there’s no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant.” Microsoft said. 

In a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks, the memory-only dropper dubbed Teardrop that profiled the victim's network and systems environments, dates from 2017. This malware  appears to be associated with the Turla Russian cyber-espionage group, which suggests that Teardrop was likely used in other APT operations before SolarWinds by this nation-state hacking team, says Ryan Sherstobitoff, VP Threat Research & Intelligence at SecurityScorecard. 

Teardrop was first identified by FireEye in its analysis of the malware, which was used to run Cobalt Strike BEACON, a command-and-control (C2) tool in the open source Cobalt Strike toolkit the attackers employed, most likely as a way to camouflage their activity.

FireEye first disclosed the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop, a dynamic link library (DLL) as a piece of malware that didn't match any it had seen before. "Teardrop does not have code overlap with any previously seen malware," they say.

The analysis carried out by SecurityScorecard using C2 telemetry shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but first deployed in a  test in October 2019. SecurityScorecard research also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations. Like other security vendors.

SecurityScorecard have not made attribution but it is most likely work undertaken by the work of the Russian SVR intelligence agency and its notorious hacking team known as Cozy Bear.

Teardrop works by opening a backdoor into the victim organization, which raises the possibility it could be used to drop other more destructive payloads. Teardrop itself was used mainly to "fingerprint" and profile the victim's systems and networks.
"The challenge is, are there third- or fourth-stage implants we don't know about..." Sherstobitoff says.

The open sourcing of CodeQL queries is a great example of how sharing techniques that Microsoft has found useful can give other researchers a defensive to help protect against sophisticated attacks. 

Microsoft:        FireEye:     DarkReading:     SC Magazine:        ZDNet:         Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

« New Solutions For Zero-Day Attacks
Russian Hackers Make A Sustained Attack On France »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Paessler

Paessler

Paessler is a leading worldwide provider of network monitoring software.

CERT.hr

CERT.hr

CERT.hr is the national authority competent for prevention and protection from computer threats to public information systems in the Republic of Croatia.

WireX Systems

WireX Systems

WireX is an innovative network intelligence and forensics company that is changing the way businesses resolve cyber-attacks.

Canadian Security Intelligence Service (CSIS)

Canadian Security Intelligence Service (CSIS)

CSIS collects and analyzes threat-related information concerning the security of Canada in areas including terrorism, espionage, WMD, cybersecurity and critical infrastructure protection.

H3C Group

H3C Group

H3C provides a full range of Computer, Storage, Networking and Security solutions.

SparkLabs Cyber + Blockchain

SparkLabs Cyber + Blockchain

SparkLabs Cyber + Blockchain accelerator is located in Washington D.C. which is one of the world's top cybersecurity ecosystems.

VIQU Recruitment

VIQU Recruitment

VIQU Recruitment was formed with the primary focus of providing 'Smarter People Solutions' to the UK’s professional IT & Cyber Security markets.

Crypsis

Crypsis

Crypsis was built based on a shared vision of creating a more secure digital world by providing the highest quality incident response, risk management, and digital forensic services.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

Association of anti Virus Asia Researchers (AVAR)

Association of anti Virus Asia Researchers (AVAR)

AVAR's mission is to prevent the spread of and damage caused by malicious software, and to develop cooperative relationships among anti-malware experts in Asia.

Sec-Ops

Sec-Ops

Sec-Ops is a forward thinking cyber security company, formed by a group of security enthusiasts with years of experience and backgrounds in the technology and the government industries.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Nanitor

Nanitor

Nanitor is a powerful cybersecurity management platform focusing on hardening security fundamentals across your global IT infrastructure.

Zenity

Zenity

Zenity is the first and only security governance platform for low-code/no-code applications.

Green Enterprise Solutions

Green Enterprise Solutions

Green Enterprise Solutions are a Namibian company providing Information and Communication Technology (ICT) services to corporate Namibia.

Diversified Technical Services Inc. (DTSI)

Diversified Technical Services Inc. (DTSI)

DTSI provides a wide range of technology solutions for Federal Agencies, the Department of Defense, and commerical organizations with capabilities including Cyber Security and DevSecOps.