[ad_1]
New research into malware that paved the way for mega-reach at an IT vendor SolarWinds shows that the authors spent months in the company’s software development labs perfecting their attack before inserting malicious code into updates that SolarWinds then sent to thousands of customers. More worryingly, research suggests that the insidious methods used by intruders to subvert the company’s software development pipeline could be reused against many other major software vendors.
In a January 11 blog post, SolarWinds said that attackers first compromised its development environment on September 4, 2019. Soon after, attackers began testing code designed to surreptitiously inject backdoors. in Orion, a suite of tools used by many Fortune 500 companies and much of the federal government to manage their internal networks.
Image: SolarWinds.
Based on SolarWinds and a technical analysis by CrowdStrike, the intruders were trying to determine if their “Sunspot“Malware – designed specifically to undermine SolarWinds’ software development process – could successfully insert their malware”Sunburst»Backdoor into Orion products without setting off alarms or alerting Orion developers.
In October 2019, SolarWinds sent an update to its Orion customers containing the modified test code. In February 2020, intruders used Sunspot to inject the Sunburst backdoor into Orion’s source code, which was then digitally signed by the company and propagated to customers through SolarWinds’ software update process.
Crowdstrike said Sunspot was written to be able to detect when it has been installed on a SolarWinds development system and wait for developers to access specific Orion source code files. This allowed intruders to “replace source code files during the build process, before compilation,” Crowdstrike wrote.
The attackers also included backups to prevent backdoor lines of code from appearing in Orion software build logs, and checks to ensure that such tampering would not cause build errors.
“The design of SUNSPOT suggests [the malware] the developers invested a lot of effort to ensure that the code was correctly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to the SolarWinds developers, ”said writes CrowdStrike.
A third strain of malware – dubbed “Tear” by FireEye, the company that first exposed the SolarWinds attack in December, was installed via Orion backdoor updates on networks that SolarWinds attackers wanted to plunder deeper.
So far, the Teardrop malware has been found on several government networks, including the Departments of Commerce, Energy and the Treasury, the Department of Justice, and the U.S. Courts Administrative Office.
SolarWinds pointed out that while Sunspot code was specifically designed to compromise the integrity of its software development process, this same process is probably common in the software industry.
“Our concern is that at this time, similar processes may exist in software development environments in other companies around the world,” SolarWinds said. CEO Sudhakar Ramakrishna. “The severity and complexity of this attack have taught us that to fight more effectively against similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills , knowledge, knowledge and resources of all constituents. ”
Tags: CrowdStrike, FireEye, Orion, SolarWinds violation, Sudhakar Ramakrishna, Sunburst malware, Sunspot malware, Teardrop malware
[ad_2]
Source link