Microsoft Releases Free Tool For Hunting SolarWinds Malware

Organisations investigating whether they are victims of, or are still infected by, the SolarWinds attack campaign now have access to a free toolkit Microsoft used to seek out the malware in its own code. Microsoft is offering free access to the software that it developed to analyse its source code in the wake of the SolarWinds breach discovery.

Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of Sunburst or Solorigate malware planted in the SolarWinds Orion software updates. Other organisations can use the queries to perform a similar analysis. 

Microsoft has released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies and over 100 companies, many of which were from the tech sector. CodeQL is a tool in GitHub's Advanced Security toolkit; the queries Microsoft used with CodeQL root out code that shares patterns and functions with the SolarWinds binary. These queries can be run against any software to look for signs of the SolarWinds attack campaign.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also on the resilience of their own code bases.

Microsoft explains its use of CodeQL queries to analyze its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with the incident, which it calls Solorigate. “A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product... These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information.”

“Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements or in functionality... Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there’s no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant,” Microsoft said.

In a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks, the memory-only dropper dubbed Teardrop that profiled the victim's network and systems environments, dates from 2017. This malware appears to be associated with the Turla Russian cyber-espionage group, which suggests that Teardrop was likely used by this nation-state hacking team in other APT operations before SolarWinds, says Ryan Sherstobitoff, VP Threat Research & Intelligence at SecurityScorecard.

Teardrop was first identified by FireEye in its analysis of the malware, which was used to run Cobalt Strike BEACON, a command-and-control (C2) tool in the open source Cobalt Strike toolkit the attackers employed, most likely as a way to camouflage their activity.

FireEye first disclosed the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop, a dynamic link library (DLL), as a piece of malware that didn't match any it had seen before. "Teardrop does not have code overlap with any previously seen malware," they say.

The analysis carried out by SecurityScorecard using C2 telemetry shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but first deployed in a test in October 2019. SecurityScorecard research also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations.

Like other security vendors, SecurityScorecard has not made attribution, but it is most likely the work of the Russian SVR intelligence agency and its notorious hacking team known as Cozy Bear.

Teardrop works by opening a backdoor into the victim organization, which raises the possibility it could be used to drop other more destructive payloads. Teardrop itself was used mainly to "fingerprint" and profile the victim's systems and networks.
"The challenge is, are there third- or fourth-stage implants we don't know about..." Sherstobitoff says.

The open sourcing of CodeQL queries is a great example of how sharing techniques that Microsoft has found useful can help other researchers defend against sophisticated attacks.

Sources: Microsoft, FireEye, DarkReading, SC Magazine, ZDNet
