Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/25/2021
05:15 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft Releases Free Tool for Hunting SolarWinds Malware

Meanwhile, researchers at SecurityScorecard say the "fileless" malware loader in the attack - Teardrop - actually dates back to 2017.

Organizations investigating whether they are victims of — or are still infected by — the so-called SolarWinds attack campaign now have access to a free toolkit Microsoft used to root out the malware in its own code.

Microsoft is offering the CodeQL queries it employed to analyze its source code in the wake of the SolarWinds breach discovery. CodeQL is a tool in GitHub's Advanced Security toolset; the queries Microsoft used with CodeQL root out code that contains similarities in patterns and functions to the SolarWinds binary. These queries can be used on any software for signs of the SolarWinds attack campaign.

And in a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks — the memory-only dropper dubbed Teardrop that profiled the victim's network and systems environments — dates back to 2017 and appears to be associated with a single Russian cyber-espionage group.

Related Content:

SolarWinds Attack Underscores 'New Dimension' in Cyber-Espionage Tactics

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

This suggests Teardrop was likely used in other APT operations before SolarWinds by this nation-state hacking team, says Ryan Sherstobitoff, vice president of cyberthreat research and intelligence at SecurityScorecard, noting the earlier time frame associated with the malware.

Teardrop, which was named by FireEye in its analysis of the malware, was used to run Cobalt Strike BEACON, a command-and-control (C2) tool in the open source Cobalt Strike toolkit the attackers employed — most likely as a way to camouflage their activity.

FireEye first went public in December about the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop — a dynamic link library (DLL) file payload delivered via the Sunburst Trojan (the first-stage malware in the attack) — as a piece of malware that didn't match any it had seen before.

"TEARDROP does not have code overlap with any previously seen malware," FireEye wrote in its detailed report in December on the SolarWinds malware.

But Sherstobitoff says the C2 telemetry his team found shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but test-run in October 2019. "It pushes a lot of timelines much earlier than what people suspected," he says.

His team also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations. Like other security vendors, SecurityScorecard won't name names, but experts surmise it's the handiwork of the Russian SVR and its hacking team known as Cozy Bear.

Some 95% of victim organizations are in the US, the researchers found, and they reiterate that it's most likely a cyber-espionage campaign as most experts believe. Even so, Sherstobitoff says because Teardrop opens a backdoor into the victim organization, the fear is that it could be used to drop other more destructive payloads. Teardrop itself was used mainly to "fingerprint" and profile the victim's systems and networks.

"The challenge is, are there third- or fourth-stage implants we don't know about? They may be highly custom," he says.

CodeQL
Meantime, Microsoft's release of its CodeQL queries today could help root out attack code that could be deeply embedded in a victim's network.

"Anything that's able to look for behaviors or host-level artifacts will help [find] out if there are compromises from Teardrop or Sunburst because the command-and-control at this point is most likely offline," notes Sherstobitoff.

Microsoft said the open source release is an effort to share its findings on the malware attack, which it calls Solorigate.

"With the increasing sophistication of attacks like Solorigate, it's more important than ever for the security community to work together in transparency to share learnings where possible. Since these attacks were detected, we've worked closely behind the scenes with the security community and have published dozens of technical updates and tools to empower defenders," a Microsoft spokesperson said. "The open sourcing of CodeQL queries is another example of how sharing techniques that Microsoft has found useful can give defenders the edge they need to help protect against sophisticated attacks."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24376
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
CVE-2021-24377
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
CVE-2021-24378
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
CVE-2021-24379
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
CVE-2021-24383
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue