[German]An analysis of the supply chain attack on the Orion product line of the US security vendor SolarWinds suggests that the attackers had access to the source code base. For months, they prepared the insertion of the Trojan, which acted as a backdoor, and injected it into the source code.
The successful hacker attack against US authorities and companies such as the security provider FireEye via SUNBURST backdoor has hit the USA to the core. This is because the hackers succeeded in infiltrating a Trojan into a signed update for SolarWinds Orion products. This means that potentially 18,000 customers are affected by this backdoor. Details can be found in the articles linked at the end of this article.
No details of the internal investigations at SolarWinds are available yet. The case mentioned in my article Sloppiness at SolarWinds responsible for compromised software?, where access data to the SolarWinds FTP server was publicly available in a configuration file on GitHub, is probably not the cause of the ultimately successful supply chain attack.
Rather, the hackers probably gained access to the SolarWinds source code system and were able to do what they wanted for months without being noticed. Tomislav Peričin, Chief Software Architect & Co-Founder at ReversingLabs published a more in-depth analysis of the incident in this blog post and shared the post in advance with The Hacker News.
Clever strategy of the intruders
The article is based on ReversingLabs’ research into the anatomy of this supply chain attack. This research uncovered conclusive details showing that the infrastructure for building and signing Orion software was compromised and how the attackers prepared the whole operation. The source code of the affected library was directly modified to contain malicious backdoor code that was compiled, signed and delivered through the existing software patch release management system.
What’s probably new is the attackers’ strategy to conceal the source code manipulation from SolarWinds developers and remain undetected for as long as possible’. The attackers inserted their ‘source code modifications’ into the affected code base while mimicking the coding style of the developers. To do this, they also use the naming standards of the software developers.
According to Tomislav Peričin, this was consistently demonstrated by a significant number of functions that the attackers added to the source code base in order to smuggle the required backdoor into the Orion software. Tracing the anatomy of the attack as an outsider is difficult, to be sure. But the attackers left traces. It is known that the Orion library SolarWinds.Orion.Core.BusinessLayer.dll was compromised and delivered via update.
The file with the malicious backdoor code was first delivered with the SolarWinds-Core-v2019.4.5220-Hotfix5.msp software package update for the Orion platform. This library was thoroughly analyzed in FireEye’s blog post. However, from the analysis of the metadata, Tomislav Peričin managed to draw further conclusions about the attackers’ modus operandi and sophistication, as well as the state of the Orion software build system.
While the first version that contained the malicious backdoor code was build 2019.4.5200.9083, there was an earlier version 2019.4.5200.8890 from October 2019 that had already been tampered with by the attackers. This version of the DLL was only slightly modified and contained only a .NET class that would later host the malicious code for the backdoor.
This first code modifications was clearly only a proof of concept, Peričin writes. The attackers’ action plan consisted of three steps: Compromise the build system, inject their own code, and verify that it was rolled out as signed packages on the client side. Once these goals were achieved and the attackers proved to themselves that the supply chain could be compromised, they began planning the actual attack payload..
The name of the class, OrionImprovementBusinessLayer, seems to have been chosen carefully. Not only did the class have to blend in with the rest of the source code. But rather, the class name was chosen to fool the software developers or anyone reviewing the binaries. This class and many of the methods it uses are found in other Orion software libraries and even match the code of those libraries thematically. This indicates not only an intent to remain inconspicuous, but also that the attackers were very familiar with the code base (which makes me wonder if there was an insider involved).
In the analysis, Peričin shows how the attackers gradually modified the functions of the class and the code base to implement the backdoor without the regular developers or code review people noticing. Above image shows one such inserted code block that uses the class in question. The code highlighted in red is the additional functionality that the attackers included. This small code block creates a new thread that executes the backdoor while the Orion software also performs its inventory checks in the background.
Peričin shows that the attackers not only managed to go undetected by the Orion software developers and sneak their modified source code through the SolarWinds build system. They were also very successful in staying under the radar of the system that monitors the builds for just such malware. Interested readers can find the details in this post.
The bottom line is that this was a sophisticated operation executed with great effort. There were experts at work. And since specific targets were ultimately attacked and only data was intercepted and e-mails read, it is clear that these were not simple cyber criminals looking to make a quick buck. Rather, state hackers are likely to be behind this attack – and it is not impossible that the finger-pointing in the direction of Fancy Bear and Moscow will identify precisely the authors.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
Cookies helps to fund this blog: Cookie settings