Analysing SolarWinds Cyberattack

Monday, 1 February 2021

SolarWinds

Microsoft has recently released a detailed technical report analysing the SolarWinds attack: how the attacker compromised the DLL file that started a sophisticated cyberattack, and how Microsoft Defender can help protect users. For the detailed analysis, see the Microsoft report:

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

From this report, the compromised file carries a valid digital signature, which indicates that the attackers must have had access to SolarWinds' software development or distribution pipeline. Microsoft believes this must have happened some time in late 2019. Insertion of malicious code into SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build. This would have resulted in the DLL containing the malicious code being digitally signed, which means the code could carry out privileged actions without being detected by security software on the system.

They found the inserted malicious code to be lightweight: it only ran the malware-added method in a parallel thread, thereby ensuring that the DLL's normal operations were not altered or interrupted. Furthermore, the malicious code went through a list of checks to make sure it was running in an actual enterprise network and not on an analyst's machine. It then contacted a command-and-control server using a subdomain generated partly from information gathered from the affected device, which means a unique subdomain for each affected domain. This is another way the attackers evaded detection.

Because the attacker is already inside the enterprise's network, detecting such attacks requires analysing different aspects of network operations to identify potential anomalies, in addition to having strong preventative security measures.
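One concrete form of the network-level anomaly analysis mentioned above is looking at DNS query logs for a parent domain that receives many distinct, long, high-entropy subdomains from many internal hosts, which is the footprint that per-device generated subdomains leave behind. The script below is an added illustration written for this post, not code from the original article or from Microsoft's report. The log format, the placeholder parent domain `placeholder.invalid`, the constructed subdomain labels and the thresholds are all assumptions made for the example; none of them are SolarWinds indicators.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log for this example (not real telemetry and
# not SolarWinds indicators). Assumed line format: "<timestamp> <client_ip> <qname>".
# "placeholder.invalid" stands in for an attacker-controlled parent domain.
SAMPLE_DNS_LOG = """\
2020-12-14T09:00:01Z 10.0.1.20 www.example.com
2020-12-14T09:00:02Z 10.0.1.20 mail.example.com
2020-12-14T09:00:03Z 10.0.1.21 www.example.com
2020-12-14T09:00:05Z 10.0.1.21 x4q9vbn2ks7lmp0zrt3w.api.placeholder.invalid
2020-12-14T09:03:11Z 10.0.1.22 a8d2kwjc5n0vqs9xh7b3.api.placeholder.invalid
2020-12-14T09:07:40Z 10.0.1.23 m1t6ryu0p3e9gzc5ws8k.api.placeholder.invalid
2020-12-14T09:09:02Z 10.0.1.24 f7n3qdk0jx2va8b5hy1c.api.placeholder.invalid
2020-12-14T09:12:30Z 10.0.1.25 z2c9mst4r7v0kpe3xq6w.api.placeholder.invalid
2020-12-14T09:15:00Z 10.0.1.20 cdn.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; generated labels score far higher than
    human-chosen names such as 'www' or 'mail'."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyse_dns_log(log_text: str, min_distinct: int = 4,
                    min_len: int = 12, min_entropy: float = 3.0) -> list:
    """Group queries by parent domain (simplification: the last two labels) and
    flag parents whose leftmost labels look machine-generated and come from
    several distinct internal clients."""
    labels_by_parent = defaultdict(set)
    clients_by_parent = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client_ip, qname = parts[1], parts[2].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # bare parent domain, nothing to analyse
        parent = ".".join(labels[-2:])
        labels_by_parent[parent].add(labels[0])
        clients_by_parent[parent].add(client_ip)

    findings = []
    for parent, subs in labels_by_parent.items():
        if len(subs) < min_distinct:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_len and mean_ent >= min_entropy:
            findings.append({
                "parent": parent,
                "distinct_subdomains": len(subs),
                "distinct_clients": len(clients_by_parent[parent]),
                "mean_label_length": mean_len,
                "mean_label_entropy": round(mean_ent, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

On the sample log, `example.com` is left alone (three short, low-entropy labels), while `placeholder.invalid` is reported with five distinct 20-character labels from five clients. In practice the thresholds need tuning against a baseline of the organisation's own DNS traffic, since CDNs and cloud APIs also use long generated hostnames, and the distinct-client count is what separates a fleet-wide implant from one host talking to one service.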

In this context, I would like to highlight two pieces of our earlier work on software component integrity and cross-component verification that could be relevant to developing software that counteracts such attacks.

B. Min and V. Varadharajan, "Rethinking Software Component Security: Software Component Level Integrity and Cross Verification", The Computer Journal, August 10, 2016. https://ieeexplore.ieee.org/abstract/document/8130172

B. Min, V. Varadharajan, “Secure Dynamic Software Loading and Execution using Cross Component Verification”, Proc of the 45th IEEE/IFIP Annual International Conference on Dependable Systems and Networks, DSN 2015, https://ieeexplore.ieee.org/document/7266843

Professor Vijay Varadharajan

Global Innovation Chair Professor in Cyber Security
The University of Newcastle

21 December 2020
