The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a meticulously planned and highly sophisticated supply chain attack.
A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the espionage campaign likely managed to compromise the software build and code signing infrastructure of the SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process.
"The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said.
Cybersecurity firm FireEye earlier this week detailed how multiple SolarWinds Orion software updates, released between March and June 2020, were injected with backdoor code ("SolarWinds.Orion.Core.BusinessLayer.dll" or SUNBURST) to conduct surveillance and execute arbitrary commands on target systems.
FireEye has not so far publicly attributed the attack to any specific nation-state actor, but multiple media reports have pinned the intrusion campaign on APT29 (aka Cozy Bear), a hacker group associated with Russia's foreign intelligence service.
Sneaky Injection of Malicious Code
Although the first version containing the tainted Orion software was traced to 2019.4.5200.9083, ReversingLabs has found that an earlier version 2019.4.5200.8890, released in October 2019, also included seemingly harmless modifications that acted as the stepping stone for delivering the real attack payload down the line.
Figure: Empty .NET class prior to backdoor code addition [ver. 2019.4.5200.8890]
The idea, according to Pericin, was to compromise the build system, quietly inject their own code into the software's source code, wait for the company to compile and sign the packages, and finally verify that their modifications showed up in the newly released updates as expected.
Once confirmed, the adversary took steps to blend the SUNBURST malware with the rest of the codebase by mimicking existing functions (GetOrCreateUserID) while adding their own implementations to remain stealthy, and invoked them by modifying a separate class called "InventoryManager" to create a new thread that runs the backdoor.
What's more, malicious strings were obscured using a combination of compression and Base64 encoding in hopes that doing so would thwart YARA rules from spotting anomalies in the code as well as slip through undetected during a software developer review.
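Compression followed by Base64 defeats plain string matching, but it is cheap to reverse during code review or triage. The following is an added example, not code from ReversingLabs or the original article: it scans source text for quoted Base64 literals that inflate to printable text. It assumes raw DEFLATE as the compression format; the sample input and the names `Unzip` and `pack` are constructed for illustration.

```python
import base64
import binascii
import re
import zlib

# Quoted runs of Base64 characters long enough to hold a compressed string.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{12,}={0,2})"')

def inflate_literal(token):
    """Return the hidden text if token is Base64 over raw DEFLATE, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        # wbits=-15 selects raw DEFLATE with no zlib/gzip header (assumed format).
        plain = zlib.decompress(raw, wbits=-15)
        text = plain.decode("utf-8")
    except (binascii.Error, zlib.error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def scan_source(source):
    """Return (line_no, literal, decoded) for every literal that inflates."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            decoded = inflate_literal(match.group(1))
            if decoded is not None:
                hits.append((line_no, match.group(1), decoded))
    return hits

def pack(text):
    """Build a constructed test literal: raw DEFLATE, then Base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(text.encode()) + comp.flush()).decode()

# Constructed sample resembling decompiled C#; not taken from any real binary.
SAMPLE = "\n".join([
    'string name = "RefreshInternal";',                      # ordinary identifier
    'string host = Unzip("%s");' % pack("updates.example.invalid"),
    'string note = "%s";' % base64.b64encode(b"plain config value").decode(),
])

if __name__ == "__main__":
    for line_no, literal, decoded in scan_source(SAMPLE):
        print(f"line {line_no}: {literal} -> {decoded!r}")
```

Only the second line is reported: the identifier is not valid Base64, and the third literal decodes but is not a DEFLATE stream, so ordinary Base64 configuration values do not raise false positives.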
"The attackers went through a lot of trouble to ensure that their code looks like it belongs within the code base," Pericin said. "That was certainly done to hide the code from the audit by the software developers."
How did the Compromise Happen?
This implies not only that the attackers had a high degree of familiarity with the software, but also that its existing software release management system was itself compromised, as the class in question was modified at the source code level to build a new software update containing the backdoored library, which was then signed and ultimately released to customers.
This also raises more questions than it answers, since a change of this magnitude could only have been possible if either the version control system was compromised or the trojanized software was placed directly on the build machine.
While it's not immediately clear how the attackers got access to the code base, security researcher Vinoth Kumar's disclosure about SolarWinds' update server being accessible with the password "solarwinds123" assumes new significance given the overlap in timelines.
Kumar, in a tweet on December 14, said he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company's download website in plaintext, adding that a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.
"That Github repo was open to the public since June 17 2018," Kumar said, before the misconfiguration was addressed on November 22, 2019.
"SUNBURST illustrates the next generation of compromises that thrive on access, sophistication and patience," Pericin concluded. "For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, malicious or unwanted additions must be part of the risk management process."
"Hiding in plain sight behind a globally known software brand or a trusted business-critical process, gives this method access that a phishing campaign could only dream to achieve," he added.
Over 4,000 Sub-domains Compromised by SUNBURST
SolarWinds said up to 18,000 of its customers may have been impacted by the supply chain attack while urging Orion platform users to update the software to version 2020.2.1 HF 2 as soon as possible to secure their environments.
According to security researcher R. Bansal (@0xrb), over 4,000 sub-domains belonging to prominent businesses and educational institutions were infected with the SUNBURST backdoor, including those of Intel, NVIDIA, Kent State University, and Iowa State University.
To make matters worse, malicious code added to an Orion software update may have gone unnoticed by antivirus software and other security tools on targeted systems owing to SolarWinds' own support advisory, which states its products may not work properly unless their file directories are exempted from antivirus scans and group policy object (GPO) restrictions.
"Prolific actors are constantly going after high-revenue customers like SolarWinds because they see an increased chance of making larger profits by selling access to ransomware partners and other buyers," cybersecurity firm Intel 471 said, responding to the possibility that criminals were selling access to the company's networks on underground forums.
"Whether it's by exploiting vulnerabilities, launching spam campaigns or leveraging credential abuse, access is typically advertised and auctioned to the highest bidder for a profit. Whether this was the motivation for the current SolarWinds incident remains to be seen."