Microsoft, along with the security industry and its partners, continues to investigate the extent of the Solorigate attack. While investigations are underway, Microsoft wants to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and the product detections and protections it has built in as a result. Microsoft has established a resource center that is constantly updated as more information becomes available at https://aka.ms/solorigate.
While the full extent of the compromise is still being investigated by the security industry as a whole, in a blog post, Microsoft has shared insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack. The addition of a few benign-looking lines of code to a single DLL file spelled a serious threat to organizations using the affected product, widely used IT administration software deployed across verticals, including government and the security industry. The discreet malicious code inserted into the DLL calls a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.
The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers had been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions—
In many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named OrionImprovementBusinessLayer to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.
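As an added defender-side triage example (not code from the original post, Microsoft, or SolarWinds), the PowerShell snippet below reports the Authenticode status of the DLL named above and then searches its .NET metadata for the OrionImprovementBusinessLayer type name without loading the file; the install path is an assumption.

```powershell
# Added triage helper; adjust the path to the Orion install location on the host being checked.
$dllPath = 'C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll'  # assumed path
$marker  = 'OrionImprovementBusinessLayer'   # class name the backdoor used, per the analysis above

if (-not (Test-Path -Path $dllPath)) {
    Write-Output "Not found: $dllPath"
    return
}

# 1. Signature status. A valid signature is expected even for the backdoored build,
#    because the code was inserted before the build was signed, so do not stop here.
$sig = Get-AuthenticodeSignature -FilePath $dllPath
Write-Output ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)

# 2. Look for the backdoor's type name. .NET type names live unencrypted in the
#    assembly's #Strings metadata heap, so a plain byte search is enough and the
#    DLL is never loaded or executed.
$bytes = [System.IO.File]::ReadAllBytes($dllPath)
$text  = [System.Text.Encoding]::ASCII.GetString($bytes)
$hash  = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash   # for comparison with published indicators

if ($text.Contains($marker)) {
    Write-Output "SUSPECT: '$marker' present in $dllPath (SHA256 $hash). Isolate the host and follow the Solorigate guidance."
} else {
    Write-Output "No '$marker' string found in $dllPath (SHA256 $hash)."
}
```

A valid signature on the file is not evidence that it is clean; the type-name search and the hash comparison are what distinguish the tampered build.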
Once loaded, the backdoor goes through an extensive list of checks to make sure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain generated partly from information gathered from the affected device, which means a unique subdomain for each affected domain. This is another way the attackers try to evade detection.
With a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a wide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.
Figure 1. Solorigate malware infection chain
The challenge in detecting these kinds of attacks means organizations should focus on solutions that can look at different facets of network operations to detect ongoing attacks already inside the network, in addition to strong preventative protection.
Microsoft has previously provided guidance and remediation steps to help ensure that customers are empowered to address this threat. In a blog post, they have shared their in-depth analysis of the backdoor’s behavior and functions, and show why it represents a high risk for business environments. Microsoft also shared details of the comprehensive endpoint protection provided by Microsoft Defender for Endpoint. In another blog, they discuss protections across the broader Microsoft 365 Defender, which integrates signals from endpoints with other domains –
For more information on the compromised DLL file that started a sophisticated cyberattack and how Microsoft Defender helps protect customers, please follow this link.