Microsoft has released open-source CodeQL queries to detect the malicious implants used in the SolarWinds attack, which Microsoft tracks under the name Solorigate.
The SolarWinds attack caught the IT world by surprise when it was disclosed in December 2020. A group of attackers infiltrated the network of the software vendor SolarWinds and trojanized its most widely used product, the Orion network-monitoring platform. The attack was significant because the backdoored software reached over 250 organisations, giving the attackers a foothold in the networks they chose to target.
Initial investigation concluded that the attack was carried out by inserting a backdoor, known as Sunburst, into the source code of Orion as it was built, so that the implant shipped inside SolarWinds' own signed releases. Later analysis also turned up a second implant on some Orion servers, a .NET web shell called SuperNova. SuperNova is generally attributed to a different actor and was not the cause of the supply-chain compromise; it is a separate implant found in the same environments.
Microsoft has now published these queries on GitHub. They are written in CodeQL's query language and target C# code, the language of the compromised Orion component.
CodeQL is a semantic code analysis engine that works in two stages. In the first stage, it observes the compilation of the source code into binaries and, as the compiler runs, builds a relational database that captures a model of the code being compiled. (For interpreted languages, the source code is parsed and an abstract syntax tree is modelled instead.)
In the second stage, once the database exists, it can be queried repeatedly, much like any other database.
CodeQL databases can also be aggregated, which makes it possible to search semantically across many codebases at once and to find code patterns that span several assemblies, libraries or modules, depending on what was present in the build.
In a blog post, Microsoft said:
“We built this capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly.”
This approach is useful because it enables static analysis not only within the secure development lifecycle but also for reactive code inspection across the enterprise, for example when a new implant pattern is described and every repository needs to be checked for it.
While searching for Solorigate indicators, the researchers looked for two kinds of pattern: syntactic ones, such as the distinctive names and literals the implant used, and semantic ones, such as the particular techniques it relied on regardless of how they were spelled.
Combining the two lets the queries catch cases where attackers kept similar syntax but changed the technique, as well as cases where they changed the syntax but kept the technique.
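The following CodeQL query for C# is an added illustration of the two-stage workflow and the syntactic/semantic split described above; it is not one of Microsoft's published queries. The indicator names and string literals it matches are placeholders invented for this example, not indicators from the campaign, and the semantic half assumes a generic implant technique (a loop that folds a string into an integer with XOR and multiply-assign, the shape of a hand-rolled FNV-style hash, followed by a comparison against a numeric constant) rather than anything the article states about Sunburst.

```ql
/**
 * @name Solorigate-style indicator search (illustrative)
 * @description Syntactic check for placeholder indicator names and literals,
 *              plus a semantic check for XOR-and-multiply string hashing whose
 *              result is compared against a numeric literal.
 * @kind problem
 * @problem.severity warning
 * @id example/solorigate-style-indicators
 */

import csharp

/* Syntactic half: exact names and literals. These values are placeholders
 * chosen for this example, not real indicators from the campaign. */
predicate isIndicatorName(string s) {
  s = "ExampleImplantNamespace" or
  s = "example-c2.invalid"
}

class SyntacticHit extends Element {
  SyntacticHit() {
    isIndicatorName(this.(StringLiteral).getValue()) or
    isIndicatorName(this.(Type).getName())
  }
}

/* Semantic half: a loop in which the same variable is updated by both a
 * `^=` and a `*=` assignment. Renaming the variable or changing the constants
 * does not change this shape, so the match survives simple syntax edits. */
class HashLoop extends LoopStmt {
  Variable acc;

  HashLoop() {
    exists(AssignXorExpr x, AssignMulExpr m |
      x.getLValue() = acc.getAnAccess() and
      m.getLValue() = acc.getAnAccess() and
      x.getEnclosingStmt().getParent*() = this.getBody() and
      m.getEnclosingStmt().getParent*() = this.getBody()
    )
  }

  Variable getAccumulator() { result = acc }
}

/* The hashed value is then compared (== or !=) against an integer literal
 * in the same callable: the classic "compare against a precomputed hash"
 * gate used to hide target names from plain string search. */
class SemanticHit extends EqualityOperation {
  SemanticHit() {
    exists(HashLoop l |
      this.getAnOperand() = l.getAccumulator().getAnAccess() and
      this.getAnOperand() instanceof IntegerLiteral and
      this.getEnclosingCallable() = l.getEnclosingCallable()
    )
  }
}

from Element e, string kind
where
  (e instanceof SyntacticHit and kind = "syntactic indicator")
  or
  (e instanceof SemanticHit and kind = "hash-and-compare pattern")
select e, "Possible Solorigate-style " + kind + "."
```

To run it (the file and database names below are assumptions for this example), save the query as solorigate-style.ql in a directory with a qlpack.yml that declares a dependency on codeql/csharp-all, then perform the two stages in turn: build the database from the project's own build, `codeql database create orion-db --language=csharp --command "dotnet build"`, and query it, `codeql database analyze orion-db solorigate-style.ql --format=sarif-latest --output=results.sarif`. The same database can be queried again whenever a new variant is described, without rebuilding the code.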