New research into the malware that laid the groundwork for the large-scale intrusion at IT vendor SolarWinds shows that the perpetrators spent months honing their attack inside the company’s software development environment, then inserted malicious code into a software update that SolarWinds shipped to thousands of customers. More worrying still, the research shows that the insidious method the intruders used to subvert the company’s software development pipeline could be adapted to many other major software providers.
In a blog post published on January 11, SolarWinds said the attackers first compromised its development environment on September 4, 2019. Soon after, they began testing code designed to covertly inject a backdoor into Orion, a suite of tools that many Fortune 500 companies and the federal government use to manage their internal networks.
According to SolarWinds and a technical analysis by CrowdStrike, the intruders were trying to determine whether their “Sunspot” malware, built specifically to subvert the SolarWinds software development process, could successfully insert the “Sunburst” backdoor into Orion products without triggering any alarms or alerting Orion developers.
In October 2019, SolarWinds pushed an update containing the modified test code to its Orion customers. By February 2020, the intruders had used Sunspot to inject the Sunburst backdoor into the Orion source code, which the company then digitally signed and distributed to customers through the SolarWinds software update process.
CrowdStrike said Sunspot was written to detect when it had been installed on a SolarWinds developer system and to lie in wait until developers accessed specific Orion source code files. That, CrowdStrike wrote, allowed the intruders to “replace source code files during the build process, before compilation.”
The attackers also added safeguards to keep the backdoor’s lines of code from appearing in the Orion software build logs, and checks to ensure that the tampering would not cause build errors.
“The design of SUNSPOT suggests [the malware] developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” CrowdStrike wrote.
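The technique described above, substituting a source file between checkout and compilation, is one that a build pipeline can be made to notice. The following is an added example written for this page; it is not SolarWinds’, CrowdStrike’s or FireEye’s code. It assumes a workflow in which a SHA-256 manifest of the source tree is recorded at checkout and re-verified immediately before the compiler runs, so that a file swapped on the build host in between shows up as a mismatch. The sample source tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Pre-compile source integrity check (added example, hypothetical workflow).

Assumption: a manifest of source hashes is taken at checkout and re-checked
right before each compile step. Any file whose content changed, vanished, or
appeared in between is reported rather than silently compiled.
"""
import hashlib
import tempfile
from pathlib import Path

# File types that are considered compilable sources in this example.
SOURCE_SUFFIXES = {".cs", ".c", ".h", ".py"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each source file (relative POSIX path) under root to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_sources(root: Path, manifest: dict) -> dict:
    """Re-hash the tree and report every deviation from the checkout manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(report: dict) -> bool:
    """True only when no file was modified, removed, or added since checkout."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: record a manifest, then alter the tree before 'compiling'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "Main.cs").write_text("class Main { static void Run() {} }\n")
        (root / "src" / "Util.cs").write_text("class Util {}\n")
        manifest = build_manifest(root)  # taken at checkout

        # Simulate a substitution on the build host between checkout and compile,
        # plus one file that was never part of the checkout.
        (root / "src" / "Util.cs").write_text("class Util { /* altered */ }\n")
        (root / "src" / "Extra.cs").write_text("class Extra {}\n")

        return verify_sources(root, manifest)


if __name__ == "__main__":
    report = demo()
    print("clean" if is_clean(report) else f"tampering detected: {report}")
```

The check is only as trustworthy as the host that computes and stores the manifest: a build server already running something like Sunspot can tamper with the verification as easily as with the sources. In practice the manifest should come from the version control system on a separate machine, and the stronger control is a reproducible build, where two independent builders compile the same commit and the outputs are compared before signing.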
A third malware strain, dubbed “Teardrop” by FireEye, the company that first publicized the SolarWinds attack in December, was installed via the backdoored Orion update on networks that the SolarWinds attackers wanted to plunder more deeply.
So far, the Teardrop malware has been found on multiple government networks, including the Departments of Commerce, Energy and Treasury, the Department of Justice, and the Administrative Office of the U.S. Courts.
SolarWinds emphasized that although the Sunspot code was designed specifically to compromise the integrity of its software development process, the same process is likely common across the software industry.
“Our concern is that similar processes may exist in the software development environments of other companies around the world,” said SolarWinds CEO Sudhakar Ramakrishna. “The severity and complexity of this attack tells us that responding more effectively to similar attacks in the future will require an industry-wide approach and public-private partnerships that leverage the skills, insight, knowledge, and resources of all members.”
Tags: CrowdStrike, FireEye, Orion, SolarWinds vulnerability, Sudhakar Ramakrishna, Sunburst malware, Sunspot malware, Teardrop malware
This entry was posted on Tuesday, January 12, 2021, at 3:50 PM and is filed under “Other”.