The investigation into how the attackers managed to compromise SolarWinds’ internal network and poison the company’s software updates is still underway, but we may be one step closer to understanding what appears to be a meticulously planned and highly sophisticated supply chain attack.
A new report published by ReversingLabs today and shared in advance with The Hacker News reveals that the operators behind the espionage campaign likely compromised the software build and code-signing infrastructure of the SolarWinds Orion platform as early as October 2019, and then used the platform’s own release process to deliver the malicious backdoor.
“The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system,” ReversingLabs’ Tomislav Pericin said.
Cybersecurity firm FireEye earlier this week detailed how multiple SolarWinds Orion software updates released between March and June 2020 were injected with backdoor code, dubbed SUNBURST and planted in the “SolarWinds.Orion.Core.BusinessLayer.dll” library, to conduct surveillance and execute arbitrary commands on target systems.
FireEye has not so far publicly attributed the attack to any specific nation-state actor, but multiple media reports have pinned the intrusion campaign on APT29 (aka Cozy Bear), a hacker group associated with Russia’s foreign intelligence service.
Although the first tainted Orion version was traced to 2019.4.5200.9083, ReversingLabs found that an earlier version, 2019.4.5200.8890, released in October 2019, already included seemingly harmless modifications that acted as the stepping stone for delivering the real attack payload later.
Image: Empty .NET class prior to backdoor code addition (ver. 2019.4.5200.8890)
The idea, according to Pericin, was to compromise the build system, quietly inject code into the software’s source, wait for the company to compile and sign the packages, and finally verify that the modifications showed up in the newly released updates as expected. The seemingly harmless October 2019 change served that purpose: it proved the path from source to signed release was under the attackers’ control before any malicious payload was committed.
Once that was confirmed, the adversary took steps to blend the SUNBURST malware into the rest of the codebase: it mimicked existing functions (such as GetOrCreateUserID) while supplying its own implementations in order to remain stealthy, and it invoked the backdoor by modifying a separate class, “InventoryManager”, to spawn a new thread that runs it.
What’s more, malicious strings were obscured using a combination of compression and Base64 encoding, in the hope that doing so would keep YARA rules from spotting anomalies in the code and let the additions slip through a software developer’s review undetected. A literal-string rule sees only an opaque Base64 blob; the indicator appears only once the blob is decoded and decompressed.
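To make that point concrete, here is an added Python example (not code from the ReversingLabs report or from SolarWinds) that reproduces the compression-plus-Base64 pattern on constructed strings and shows why a literal-string match misses them while a decode-and-inflate pass recovers them. The indicator strings, the field name `_c` and the choice of raw DEFLATE are assumptions made for the demonstration; only the DLL name comes from the article.

```python
import base64
import re
import zlib

# Constructed sample indicators that a backdoor would want to keep out of a
# plain-text search. These are illustrative placeholders, not strings taken
# from the SUNBURST sample; the DLL name is the one named in the article.
SENSITIVE_STRINGS = [
    "c2.example.net",
    "cmd.exe /c",
    "SolarWinds.Orion.Core.BusinessLayer",
]


def obfuscate(s: str) -> str:
    """Compress a string with raw DEFLATE, then Base64-encode it.

    This reproduces the two-step pattern the article describes (compression
    plus Base64). Raw DEFLATE (wbits=-15) is an assumption about the exact
    variant; the recovery code below also tries zlib- and gzip-framed data.
    """
    comp = zlib.compressobj(level=9, wbits=-15)
    data = comp.compress(s.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def _try_inflate(blob: bytes):
    """Return the decompressed bytes, or None if the blob is not DEFLATE data."""
    for wbits in (-15, 15, 31):  # raw deflate, zlib-framed, gzip-framed
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None


def deobfuscate(token: str):
    """Undo obfuscate(); returns None for anything that is not an encoded blob."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    out = _try_inflate(raw)
    if out is None:
        return None
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError:
        return None


# Constructed C#-like snippet standing in for a backdoored class that stores
# its strings obfuscated, next to an ordinary identifier of similar shape.
# The field name _c is hypothetical.
SAMPLE_SOURCE = (
    "private static readonly string[] _c = new[] {\n"
    + "".join(f'    "{obfuscate(s)}",\n' for s in SENSITIVE_STRINGS)
    + "};\n"
    + "var state = InventoryManagerStateUnchanged;\n"
).encode("utf-8")

# Runs of the Base64 alphabet long enough to be worth a decode attempt.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")


def naive_string_match(data: bytes, needles) -> list:
    """Literal substring search: what a plain-string YARA rule effectively does."""
    return [n for n in needles if n.encode("utf-8") in data]


def recover_hidden_strings(data: bytes) -> list:
    """Decode every Base64-looking run, inflate it, and keep printable results.

    Identifiers that happen to look like Base64 decode to garbage that fails
    to inflate, so they drop out without any special handling.
    """
    found = []
    for m in B64_RE.finditer(data):
        token = m.group(0).decode("ascii")
        token += "=" * (-len(token) % 4)  # repair stripped padding
        text = deobfuscate(token)
        if text is not None and text.isprintable():
            found.append(text)
    return found


if __name__ == "__main__":
    print("plain search finds:", naive_string_match(SAMPLE_SOURCE, SENSITIVE_STRINGS))
    print("after decode+inflate:", recover_hidden_strings(SAMPLE_SOURCE))
```

The same normalisation step (decode, try to inflate, then match) is what turns a literal-string rule into one that survives this kind of obfuscation; the rule itself does not need to change, the input fed to it does.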
“The attackers went through a lot of trouble to ensure that their code looks like it belongs within the code base,” Pericin said. “That was certainly done to hide the code from the audit by the software developers.”
This implies not only that the attackers had a high degree of familiarity with the software, but also that its software release management system itself was compromised: the class in question was modified at the source code level, built into a new software update containing the backdoored library, signed, and ultimately released to customers. A valid signature on the update therefore said nothing about whether the code had been tampered with before it was signed.
It also raises more questions than it answers, since a change of this magnitude could only have been made if either the version control system was compromised or the tainted source was placed directly on the build machine.
While it is not immediately clear how the attackers got access to the code base, security researcher Vinoth Kumar’s disclosure that SolarWinds’ update server was accessible with the password “solarwinds123” takes on new significance given the overlap in timelines. The two are distinct paths, however: credentials for the download site would let someone swap a hosted file, whereas the tampering ReversingLabs describes happened before the code was compiled and signed.
Kumar said in a tweet on December 14 that he had notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials for the company’s download website in plaintext, adding that a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.
“That Github repo was open to the public since June 17 2018,” Kumar said, before the misconfiguration was addressed on November 22, 2019.
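The leak Kumar describes is a pattern a repository pre-commit check can catch before the first push. The following is an added Python example, not code from Kumar, SolarWinds or ReversingLabs; the file contents, hostnames and passwords are constructed for the demonstration. It flags both credentials embedded in URLs (parsed with the standard library rather than guessed with a regex, so unusual password characters are not missed) and secret-looking assignments, and it notes when the scheme would also send the credential in cleartext on the wire, as FTP does.

```python
import re
from urllib.parse import urlsplit

# Constructed repository contents standing in for a public repo that has been
# committed with deployment settings in it. Hostnames and passwords are
# made up for this example.
SAMPLE_FILES = {
    "deploy/publish.ps1": (
        '$Target = "ftp://deploy:Wint3r2019!@downloads.example.com/updates/"\n'
        'Write-Host "publishing to $Target"\n'
    ),
    "config/settings.ini": (
        "ftp_host = downloads.example.com\n"
        "ftp_password = hunter2\n"
    ),
    "README.md": "Builds are published at https://downloads.example.com/updates/\n",
    "src/Program.cs": 'var docs = "https://docs.example.com/api";\n',
}

# Any scheme://... run; credentials are then read from the parsed URL.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)

# key = value / key: value where the key ends in a secret-like word.
ASSIGN_RE = re.compile(
    r"^\s*([\w.\-]*(?:password|passwd|pwd|secret|token))\s*[:=]\s*[\"']?([^\"'\s]+)",
    re.IGNORECASE | re.MULTILINE,
)

# Schemes that also carry the credential in cleartext on the wire.
CLEARTEXT_SCHEMES = {"ftp", "http", "telnet"}


def redact(secret: str) -> str:
    """Keep the finding reviewable without copying the secret into a report."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "****"


def find_credentials(path: str, text: str) -> list:
    """Return a list of findings for one file's contents."""
    findings = []
    for m in URL_RE.finditer(text):
        parts = urlsplit(m.group(0))
        if parts.password is None:
            continue
        findings.append({
            "path": path,
            "kind": "credential in URL",
            "where": f"{parts.scheme}://{parts.username}:{redact(parts.password)}@{parts.hostname}",
            "cleartext_transport": parts.scheme.lower() in CLEARTEXT_SCHEMES,
        })
    for m in ASSIGN_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        findings.append({
            "path": path,
            "kind": "secret assignment",
            "where": f"{key} = {redact(value)}",
            "cleartext_transport": None,
        })
    return findings


def scan_repo(files: dict) -> list:
    """Scan a {path: contents} mapping; in a pre-commit hook this is the staged set."""
    out = []
    for path, text in files.items():
        out.extend(find_credentials(path, text))
    return out


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        note = " (cleartext protocol)" if f["cleartext_transport"] else ""
        print(f"{f['path']}: {f['kind']} -> {f['where']}{note}")
```

Run against the sample, the README and the C# file produce nothing, while the PowerShell publish script and the INI file each yield one finding; the FTP finding is additionally marked as a cleartext protocol, because rotating the password does not help if the new one is still sent unencrypted.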
“SUNBURST illustrates the next generation of compromises that thrive on access, sophistication and patience,” Pericin concluded. “For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, malicious or unwanted additions must be part of the risk management process.”
“Hiding in plain sight behind a globally known software brand or a trusted business-critical process, gives this method access that a phishing campaign could only dream to achieve,” he added.