Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Pierluigi Paganini February 26, 2021

Microsoft announced the release of open-source CodeQL queries that it experts used during its investigation into the SolarWinds supply-chain attack

Microsoft has announced the availability of open-source CodeQL queries that the IT giant used during its investigation into the SolarWinds attack.

In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

The four agencies were part of the task force Cyber Unified Coordination Group (UCG) that was tasked for coordinating the investigation and remediation of the SolarWinds hack that had a significant impact on federal government networks.

The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

According to the security experts, Russia-linked threat actors hacked into the SolarWinds in 2019 used the Sundrop malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.

Microsoft, which was hit by the attack, published continuous updates on its investigation, and now released the source code of CodeQL queries, which were used by its experts to identify indicators of compromise (IoCs) associated with Solorigate.

“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”

Microsoft pointed out that these queries should be considered as just a part of the arsenal of tools to use in the investigation.

There is no guarantee that the attackers could use exactly the same functionality or coding style in other attacks, this means that the queries may fail in detecting the presence of implants in their infrastructure.

Microsoft highlighted that in order to reduce false-positive results reviews would still be required.

CodeQL is a powerful semantic code analysis engine that works in two distinct stages. In the first stage, as part of the compilation of source code into binaries, CodeQL builds a database is used to capture the model of the compiling code. In case experts are analyzing interpreted languages, CodeQL parses the source and builds its own abstract syntax tree model. in the second stage, the database is repeatedly queried. The CodeQL language enables the easy selection of complex code conditions from the database.

Microsoft is open-sourcing several of the C# queries that could be used to assess for code-level IoCs, it also provided detailed information on each query and IoCs analyzed.

“The queries we shared in this blog and described in target patterns specifically associated with the Solorigate code-level IoCs, but CodeQL also provides many other options to query for backdoor functionality and detection-evasion techniques.” concludes Microsoft.

“These queries were relatively quick to author, and we were able to hunt for patterns much more accurately across our CodeQL databases and with far less effort to manually review the findings, compared to using text searches of source code. CodeQL is a powerful developer tool, and our hope is that this post inspires organizations to explore how it can be used to improve reactive security response and act as a compromise detection tool.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment