https://krebsonsecurity.com/2021/01/solarwinds-what-hit-us-could-hit-others/

Krebs on Security
In-depth security news and investigation
Brian Krebs

12 Jan 21

SolarWinds: What Hit Us Could Hit Others

New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company's software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worrisome, the research suggests the insidious methods used by the intruders to subvert the company's software development pipeline could be repurposed against many other major software providers.

In a blog post published Jan. 11, SolarWinds said the attackers first compromised its development environment on Sept. 4, 2019. Soon after, the attackers began testing code designed to surreptitiously inject backdoors into Orion, a suite of tools used by many Fortune 500 firms and a broad swath of the federal government to manage their internal networks.

[Figure: SolarWinds intrusion timeline graphic. Image: SolarWinds.]

According to SolarWinds and a technical analysis from CrowdStrike, the intruders were trying to work out whether their "Sunspot" malware -- designed specifically for use in undermining SolarWinds' software development process -- could successfully insert their malicious "Sunburst" backdoor into Orion products without tripping any alarms or alerting Orion developers. In October 2019, SolarWinds pushed an update to their Orion customers that contained the modified test code.
By February 2020, the intruders had used Sunspot to inject the Sunburst backdoor into the Orion source code, which was then digitally signed by the company and propagated to customers via SolarWinds' software update process.

CrowdStrike said Sunspot was written to be able to detect when it was installed on a SolarWinds developer system, and to lie in wait until specific Orion source code files were accessed by developers. This allowed the intruders to "replace source code files during the build process, before compilation," CrowdStrike wrote. The attackers also included safeguards to prevent the backdoor code lines from appearing in Orion software build logs, and checks to ensure that such tampering wouldn't cause build errors.

"The design of SUNSPOT suggests [the malware] developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers," CrowdStrike wrote.

A third malware strain -- dubbed "Teardrop" by FireEye, the company that first disclosed the SolarWinds attack in December -- was installed via the backdoored Orion updates on networks that the SolarWinds attackers wanted to plunder more deeply. So far, the Teardrop malware has been found on several government networks, including the Commerce, Energy and Treasury departments, the Department of Justice and the Administrative Office of the U.S. Courts.

SolarWinds emphasized that while the Sunspot code was specifically designed to compromise the integrity of its software development process, that same process is likely common across the software industry. "Our concern is that right now similar processes may exist in software development environments at other companies throughout the world," said SolarWinds CEO Sudhakar Ramakrishna.
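The tampering described above, source files swapped in during the build before compilation and kept out of the build logs, is exactly what a compile-time source-integrity check is meant to surface. The script below is an added example and not code from SolarWinds, CrowdStrike or this article: it records a SHA-256 manifest of the source tree at checkout (a point the pipeline trusts) and verifies it again immediately before the compiler is invoked, so a file replaced in between is reported as modified. The directory layout, file names and contents are constructed for the demo.

```python
"""Source-tree integrity check for a build pipeline.

Added example, not code from SolarWinds, CrowdStrike or the article.
Idea: hash every source file at checkout, then re-hash right before the
compiler runs. A file replaced between those two points, which is how the
article describes Sunspot operating, shows up as a mismatch and the build
should stop.
"""
import hashlib
import tempfile
from pathlib import Path

# File types treated as "source" for the manifest (constructed for the demo).
SOURCE_SUFFIXES = (".cs", ".c", ".h", ".cpp")


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each source file (path relative to root, POSIX style) to its hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_manifest(root: Path, expected: dict[str, str]) -> list[str]:
    """Compare the tree under root with a trusted manifest.

    Returns a sorted list of findings ("modified: ...", "missing: ...",
    "unexpected: ..."); an empty list means the tree is unchanged.
    """
    current = build_manifest(root)
    findings = []
    for rel, digest in expected.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in expected:
            findings.append(f"unexpected: {rel}")
    return sorted(findings)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean tree, then one source file swapped
    between checkout and compilation. Returns (clean_findings, tampered_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        src.mkdir()
        (src / "Module.cs").write_text("class Module { }\n")
        (src / "Program.cs").write_text("class Program { }\n")

        manifest = build_manifest(root)          # recorded at checkout
        clean = verify_manifest(root, manifest)  # re-checked just before compile

        # Simulate a file replaced after checkout but before the compiler runs.
        (src / "Module.cs").write_text("class Module { /* swapped in */ }\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree   :", clean or "no findings")
    print("tampered tree:", tampered)
```

Two design points matter more than the hashing itself. The manifest has to be produced and stored somewhere the build host cannot rewrite (for example, generated by the CI controller from the commit and handed to the build as read-only input), otherwise malware on the build host can simply regenerate it after the swap. And the verification must run in the same step that invokes the compiler, with a mismatch failing the build loudly, since the article notes the attackers took care to keep their changes out of build logs and to avoid build errors; a check that runs earlier or only logs a warning leaves that window open.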
"The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge, and resources of all constituents."

Tags: CrowdStrike, FireEye, Orion, SolarWinds breach, Sudhakar Ramakrishna, Sunburst malware, Sunspot malware, Teardrop malware

This entry was posted on Tuesday, January 12th, 2021 at 3:50 pm and is filed under Other.

2 comments

1. Wes, January 12, 2021 at 5:08 pm
After reading the technical analysis, the question remains: how did their own log monitoring tools miss the new processes created, new files, elevated privileges, scheduled tasks, etc.? Or were they not running monitoring on their dev server?

2. The Sunshine State, January 12, 2021 at 5:20 pm
Today is Patch Tuesday!
(c) 2021 Krebs on Security.