SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there – report

The malware used to hack SolarWinds checked whether the software used to compile the firm's Orion product was running before deploying its payload, according to CrowdStrike. In a blog post late last night, the infosec firm said the Orion-targeting malware, which it codenamed Sunspot, had "several safeguards" to …

  1. don't you hate it when you lose your account

    Very

    Very clever.

    1. Flexdream

      Re: Very

      Agreed. Very impressive.

      'To prevent detection, Sunburst’s creators “included a hash verification check” to ensure the injected malicious code “is compatible with a known source file”. Once the build process was complete, Sunburst waited for MsBuild.exe to exit “before restoring the original source code and deleting the temporary InventoryManager.bk file” containing its malicious code, now compiled into the Orion product.'

      But it's a high-risk game to play, as this would seem to be an attack by a nation, presumably Russia, on the US and its allies.

  2. Sparkus

    an inside job?

    aided and abetted by a CEO who quite actively worked against any kind of opsec or development / deployment security?

  3. Kabukiwookie

    Pirates on the Solarwinds

    Silver Lake and Thoma Bravo, deny wrongdoing; insider trading is a criminal offence. Based on SolarWinds' own timeline, the two investors sold up before SolarWinds itself was aware of the hack: two days after the sale

    It's all a silly coincidence.

    1. Down not across

      Re: Pirates on the Solarwinds

      Anyone who believes that is a coincidence, I have this nice bridge for sale.

      1. Claptrap314

        Re: Pirates on the Solarwinds

        Is it Russian?

    2. Mark 65

      Re: Pirates on the Solarwinds

      The words "Based on SolarWinds' own timeline" set the bells ringing. Investors get out, CEO gets out, announcement made....

  4. el kabong

    Weak security by SolarWinds, the article says it "included a hash verification check"

    to ensure the injected malicious code “is compatible with a known source file."

    The minimum that could have occurred is one of two possible scenarios:

    1) SolarWinds were using a weak hash function, one that the hackers could exploit;

    2) The hash function was strong but the hackers had someone inside who edited the format (by unnoticeable removal/addition of whitespace) of a source file in such a way that its function and visuals remained unaltered but the hash sum changed to a value that fitted the hackers' needs.

    Either that or something much worse.

    1. Problem Adult

      Re: Weak security by SolarWinds, the article says it "included a hash verification check"

      Errr.... The hackers were doing the hash checking. Not SolarWinds.

      1. el kabong

        You mean SolarWinds did no hash checking to guarantee the integrity of their code?

        Wow!!!

        1. Problem Adult

          Re: You mean SolarWinds did no hash checking to guarantee the integrity of their code?

          No, I don't mean that at all..

          The article states that the hackers used a hash to check that what they were injecting their payload into was compatible with that payload. It does not detail what SolarWinds did or did not do to "guarantee the integrity of their code".

          1. HereIAmJH

            Re: You mean SolarWinds did no hash checking to guarantee the integrity of their code?

            Since they had inserted themselves into the build process, hashes for the deployed code (integrity check) would have come from the already modified code. As a result, if a clean build was done it would actually trigger the alert as being suspect. You'd need to bump your release and issue a whole new set of hashes.
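The article excerpt above describes the implant's sequence (hash-check the target source file, swap it in for the compile, restore it once the build finishes), and HereIAmJH's point is that post-build hashes of the source tree are taken after the restore and so say nothing. The model below is an added example, not code from CrowdStrike, SolarWinds or The Register: the "source tree" and the attacker's replacement file are constructed, the "compiler" is a deterministic digest over the inputs rather than MsBuild, and the MsBuild.exe process check is collapsed into the call itself. It shows that a hash-gated substitution leaves a checkout-time source manifest intact, refuses to fire when the target file has changed from the version it expects, and is caught only by comparing the CI artifact against an independent clean build of the same sources.

```python
import hashlib
from typing import Dict, Tuple

# Constructed example tree standing in for the Orion repository.
# Paths and contents are illustrative, not real SolarWinds files.
SOURCE_TREE: Dict[str, bytes] = {
    "src/InventoryManager.cs": b"class InventoryManager { void Run() { Collect(); } }\n",
    "src/Main.cs": b"class Main { static void Start() { new InventoryManager().Run(); } }\n",
}

# Hypothetical replacement source the implant compiles in place of the original.
PAYLOAD_SOURCE = b"class InventoryManager { void Run() { Collect(); Beacon(); } }\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Hash of every source file: what a checkout-time integrity check records."""
    return {path: sha256(content) for path, content in sorted(tree.items())}


def compile_tree(tree: Dict[str, bytes]) -> bytes:
    """Stand-in compiler: a digest over all inputs in path order, so the same
    sources always produce the same 'binary' (a reproducible build)."""
    h = hashlib.sha256()
    for path, content in sorted(tree.items()):
        h.update(path.encode())
        h.update(b"\0")
        h.update(content)
    return h.digest()


def hash_gated_substitution_build(
    tree: Dict[str, bytes], target: str, payload: bytes, expected_sha256: str
) -> Tuple[bytes, Dict[str, bytes], bool]:
    """Model of the sequence the article describes. The target file is swapped
    only if its hash matches the version the payload was written against; the
    build then runs and the original is put back. Returns
    (artifact, tree as left on disk afterwards, whether substitution happened)."""
    working = dict(tree)
    original = working.get(target)
    substituted = original is not None and sha256(original) == expected_sha256
    if substituted:
        working[target] = payload          # temporary swap while the compiler reads it
    artifact = compile_tree(working)
    if substituted:
        working[target] = original         # restored once the build has exited
    return artifact, working, substituted


def source_check_passes(manifest_before: Dict[str, str], tree_after: Dict[str, bytes]) -> bool:
    """Post-build source verification: True means nothing looks changed."""
    return source_manifest(tree_after) == manifest_before


def independent_rebuild_matches(ci_artifact: bytes, clean_artifact: bytes) -> bool:
    """Compare the CI output with a build of the same sources on a machine the
    implant never ran on; any difference is a build-environment problem."""
    return ci_artifact == clean_artifact


def run_scenario() -> Dict[str, bool]:
    target = "src/InventoryManager.cs"
    manifest = source_manifest(SOURCE_TREE)
    known_hash = sha256(SOURCE_TREE[target])           # hash the implant was built for
    clean_artifact = compile_tree(SOURCE_TREE)         # independent clean build

    ci_artifact, tree_after, substituted = hash_gated_substitution_build(
        SOURCE_TREE, target, PAYLOAD_SOURCE, known_hash
    )

    # Same implant run against a tree where the target was legitimately edited:
    # the hash gate no longer matches, so the swap is skipped.
    edited = dict(SOURCE_TREE)
    edited[target] = SOURCE_TREE[target] + b"// refactored\n"
    _, _, substituted_after_edit = hash_gated_substitution_build(
        edited, target, PAYLOAD_SOURCE, known_hash
    )

    return {
        "substituted": substituted,
        "source_check_passes": source_check_passes(manifest, tree_after),
        "rebuild_matches": independent_rebuild_matches(ci_artifact, clean_artifact),
        "substituted_when_source_changed": substituted_after_edit,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The takeaway for a build pipeline is the last two results: the source manifest comparison passes despite the substitution, while the rebuild comparison fails, which is why a second build on an independently provisioned host (or a reproducible-build check against a trusted reference) is the control that would have flagged a tampered compile, and why a new release built clean would have produced different hashes than the ones already published.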

  5. sitta_europea

    Yeah, coincidence. Right. I believe that. Sure I do.

    But there will be owners of shares who don't, and it seems like they've lost at least tens of millions of dollars.

    We haven't heard the last of them.

  6. Claptrap314

    Insider "coincidence"

    All the insiders needed to know was that something big & bad was brewing. Investigations take time, and it is in that transition from when a "company" "suspects" there is a problem to when it "knows" (i.e. discovers) that real money is to be made, in that there are individual investigators who accumulate information that then spreads to the rest of the company.

    But this is just a coincidence.
