Microsoft Releases Free Tool For Hunting SolarWinds Malware

Uploaded on 2021-03-01 in TECHNOLOGY--Resilience, TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Organisations investigating whether they are victims of, or are still infected by, the SolarWinds attack campaign now have access to a free toolkit Microsoft used to seek out the malware in its own codeMicrosoft is offering free access to the software that it developed to analyse its source code in the wake of the SolarWinds breach discovery.  

Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of Sunburst or Solorigate malware planted in the SolarWinds Orion software updates. Other organisations can use the queries to perform a similar analysis. 

Microsoft has released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies, and over 100 companies many of which were from the tech sector. CodeQL is a tool in GitHub's Advanced Security toolkit; the queries Microsoft used with CodeQL root out code that contains similarities in patterns and functions to the SolarWinds binary. These queries can be used on any software for signs of the SolarWinds attack campaign.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of its own code bases. 

Microsoft explains its use of CodeQL queries to analyze its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with the incident, which it calls Solorigate.  “A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product.... These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information."

“Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements or in functionality... Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there’s no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant.” Microsoft said. 

In a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks, the memory-only dropper dubbed Teardrop that profiled the victim's network and systems environments, dates from 2017. This malware  appears to be associated with the Turla Russian cyber-espionage group, which suggests that Teardrop was likely used in other APT operations before SolarWinds by this nation-state hacking team, says Ryan Sherstobitoff, VP Threat Research & Intelligence at SecurityScorecard. 

Teardrop was first identified by FireEye in its analysis of the malware, which was used to run Cobalt Strike BEACON, a command-and-control (C2) tool in the open source Cobalt Strike toolkit the attackers employed, most likely as a way to camouflage their activity.

FireEye first disclosed the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop, a dynamic link library (DLL) as a piece of malware that didn't match any it had seen before. "Teardrop does not have code overlap with any previously seen malware," they say.

The analysis carried out by SecurityScorecard using C2 telemetry shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but first deployed in a  test in October 2019. SecurityScorecard research also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations. Like other security vendors.

SecurityScorecard have not made attribution but it is most likely work undertaken by the work of the Russian SVR intelligence agency and its notorious hacking team known as Cozy Bear.

Teardrop works by opening a backdoor into the victim organization, which raises the possibility it could be used to drop other more destructive payloads. Teardrop itself was used mainly to "fingerprint" and profile the victim's systems and networks.
"The challenge is, are there third- or fourth-stage implants we don't know about..." Sherstobitoff says.

The open sourcing of CodeQL queries is a great example of how sharing techniques that Microsoft has found useful can give other researchers a defensive to help protect against sophisticated attacks. 

Microsoft:        FireEye:     DarkReading:     SC Magazine:        ZDNet:         Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

« New Solutions For Zero-Day Attacks
Russian Hackers Make A Sustained Attack On France »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

National Cyber Security Centre (CNCS) - Portugal

National Cyber Security Centre (CNCS) - Portugal

CNCS is the operational coordinator and Portuguese national authority in cybersecurity working with State entities, and digital service providers

Malware Patrol

Malware Patrol

Malware Patrol provides intelligent threat data that protects against cyber attacks.

CynergisTek

CynergisTek

CynergisTek is a top-ranked cybersecurity and information management consulting firm dedicated to serving the healthcare industry.

CyberArrow

CyberArrow

CyberArrow (formerly EBDAA) is a consultancy company providing high quality consultancy services in Risk & Compliance and Awareness & Education.

Evidence Talks (ETL)

Evidence Talks (ETL)

A leading forensic computing authority developing unique digital forensic technologies. Tools that detect potential terrorists & criminals & used by the military, enforcement & intelligence commmunity

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

Surevine

Surevine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

CryptoMill Cybersecurity Solutions

CryptoMill Cybersecurity Solutions

CryptoMill Cybersecurity Solutions provides advanced, innovative data security solutions for enterprises, professionals and individuals.

Trusted Objects

Trusted Objects

Trusted Object's mission is to provide state of the art security solutions and services enabling a strong root of trust for the IoT ecosystem.

CHT Security

CHT Security

CHT Security is a Managed Security Service Provider (MSSP) specialized in cyber security technologies enabling enterprises to defense against cyber threats to networks, gateways and endpoints.

Stairwell

Stairwell

Stairwell is building a new approach to cybersecurity around a vision that all security teams should be able to determine what’s good, what’s bad, and why.

R-Tech

R-Tech

R-Tech GmbH manages the digital start-up initiative, whose goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

Europol - European Cybercrime Centre (EC3)

Europol - European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) was set up by Europol to strengthen the law enforcement response to cybercrime in the EU.

Klaatu IT Security (KITS)

Klaatu IT Security (KITS)

Klaatu IT Security is a boutique provider of cyber security services, empowering our clients to prioritise and reduce their cyber risk.

Peris.ai

Peris.ai

Peris.ai is a cybersecurity as a service startup that protects businesses and organizations from online threats.

SEALSQ

SEALSQ

For the last 25 years, SEALSQ have been developing secure semiconductor chips, secure embedded firmware, and tested hardware provisioning services to serve the vision of a safer connected world.