A new analysis of the malware that marked the beginning of the mega-breach at IT provider SolarWinds shows the perpetrators spent months inside the company’s software development labs refining their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worryingly, the analysis suggests that the insidious methods the intruders used to subvert the company’s software development pipeline could be turned against many other major software vendors.
In a blog post published on January 11, SolarWinds said the attackers first compromised its development environment on September 4, 2019. Soon after, the attackers began testing code designed to surreptitiously inject a backdoor into Orion, a suite of tools used by many Fortune 500 companies and a large part of the federal government to manage their internal networks.
According to SolarWinds and a technical analysis by CrowdStrike, the intruders were trying to find out whether their “Sunspot” malware, designed specifically to subvert the SolarWinds software build process, could successfully insert its “Sunburst” backdoor into Orion products without triggering alarms or alerting Orion developers.
In October 2019, SolarWinds shipped an update to its Orion customers that contained the modified test code. By February 2020, the intruders had used Sunspot to inject the Sunburst backdoor into Orion’s source code, which the company then digitally signed and distributed to customers through the SolarWinds software update process.
CrowdStrike said Sunspot was written to detect when it had been installed on a SolarWinds developer system and to wait for developers to access specific Orion source code files. This allowed the intruders to “replace source code files during the build process, before compilation,” CrowdStrike wrote.
The attackers also built in safeguards to keep the backdoor’s lines of code from appearing in Orion’s software build logs, and checks to ensure that such tampering would not cause build errors.
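The source substitution described above, a file swapped between checkout and compilation and then restored, is the kind of tampering a build-integrity check at compile time can catch. The following added example is not SolarWinds or CrowdStrike code: it hashes every source file in a checkout into a manifest and re-verifies the tree immediately before compilation; the file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical build-integrity check (not vendor code). Hash every source
# file at checkout, then re-verify right before the compiler reads them, so a
# substitution made "during the build process, before compilation" is caught
# even if the original file is restored afterwards and nothing shows in logs.

SOURCE_SUFFIXES = {".cs", ".c", ".h"}


def file_digest(path: Path) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> dict:
    """Manifest of relative path -> digest for every source file under root."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.suffix in SOURCE_SUFFIXES}


def verify_at_compile(root: Path, manifest: dict) -> list:
    """Findings for files changed since checkout, files that vanished, and
    source files that appeared without being in the checkout manifest."""
    current = snapshot(root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(f"MISSING {rel}")
        elif current[rel] != digest:
            findings.append(f"MODIFIED {rel}")
    findings.extend(f"UNEXPECTED {rel}" for rel in current if rel not in manifest)
    return findings


def demo() -> list:
    """Constructed scenario: clean checkout, then one file swapped before compile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Example.cs").write_text("class Example {}\n")   # constructed
        (root / "Helper.cs").write_text("class Helper {}\n")     # constructed
        manifest = snapshot(root)          # taken at checkout
        # Simulated substitution between checkout and compilation (constructed):
        (root / "Example.cs").write_text("class Example { /* altered */ }\n")
        return verify_at_compile(root, manifest)   # run just before compiling


if __name__ == "__main__":
    print(demo())   # ['MODIFIED Example.cs']
```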
“The design of SUNSPOT suggests [the malware] developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the SolarWinds developer build environment,” CrowdStrike wrote.
A third malware strain, dubbed “Teardrop” by FireEye, the company that first disclosed the SolarWinds attack in December, was installed via the compromised Orion updates on networks that the SolarWinds attackers wanted to plunder more deeply.
So far, the Teardrop malware has been found on several government networks, including the Commerce, Energy and Treasury Departments, the Department of Justice, and the U.S. Courts Administration.
SolarWinds pointed out that while the Sunspot code was designed specifically to compromise the integrity of its software development process, that process itself is likely common across the software industry.
“Our concern is that right now, similar processes may exist in software development environments at other companies throughout the world,” said SolarWinds Chief Executive Officer Sudhakar Ramakrishna. “The severity and complexity of this attack have taught us that more effectively combating similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge and resources of all constituents.”
This entry was posted on Tuesday, January 12th, 2021 at 3:50 pm and is filed under Other.