Microsoft has open sourced CodeQL queries used to scan for Solorigate malware activity that matches the SolarWinds supply-chain attack.
Developers can use CodeQL queries to scan source code to find problems in source code, including potential security vulnerabilities.
Back in December, Microsoft shared analysis on Solarigate malware, the compromised DLL file behind the SolarWinds software supply chain attacks. After analyzing the code, Microsoft discovered the SolarWinds threat actors inserted a ‘few benign-looking lines’ of malicious code into the DLL.
The major supply chain attack against the SolarWinds Orion Platform led to the alleged breach or infection of thousands of SolarWinds customers within the federal and private sectors.
On Thursday, Microsoft has now revealed details on how they used CodeQL queries to review their own codebases for “code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.”
“We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis,” Microsoft wrote in a blog post.
Moreover, Microsoft used two distinct tactics when looking for code-level Solorigate IoCs:
- Looks for particular syntax that stood out in the Solorigate code-level IoCs.
- Looks for overall semantic patterns for the techniques present in the code-level IoCs (e.g, hashing process names, time delays before contacting the C2 servers, etc.).
Finally, Microsoft said they plan to open source several of the C# queries that assess for these code-level IoCs and can be found in the CodeQL GitHub repository.
Related Articles
- Solorigate malware behind the SolarWinds attack
- Microsoft and FireEye reveal new details on SolarWinds cyberattack
- FireEye publishes Microsoft 365 tools and hardening strategies to defend against SolarWinds attackers
- DHS issues new emergency guidance on SolarWinds Orion Code compromise
- SolarWinds releases updated advisory on SUPERNOVA malware (updated with CVE-2020-10148)
- Cybersecurity experts reveal growing list of SolarWinds 2nd stage attack victims