Information security specialists continue to investigate the cyberattack on SolarWinds’ internal network, in which a malicious update was planted in its Orion software in order to infect the networks of government and commercial organizations that use it.
According to experts at ReversingLabs, the hackers likely managed to compromise the software build and code signing infrastructure of the SolarWinds Orion platform back in October 2019 in order to inject a malicious backdoor through the software release process.
“The source code of the affected library was directly modified to include malicious backdoor code that was compiled, signed, and delivered through the existing software patch management system,” the experts explained.
Although the first version known to contain the backdoored Orion software was 2019.4.5200.9083, ReversingLabs found that the earlier version 2019.4.5200.8890, from October 2019, already included seemingly harmless modifications that served as a stage in delivering the actual payload.
The idea was to compromise the build system, covertly inject custom code into the software’s source, wait for the company to compile and sign the packages, and finally check whether the modifications showed up in the released update as expected.
After that confirmation, the attackers went on to add the SUNBURST malware to the rest of the codebase, mimicking existing functions (GetOrCreateUserID) but supplying their own implementations so the additions would blend in, and modifying a separate class, InventoryManager, to create a new thread that launches the backdoor.
Moreover, the malicious strings were hidden with a combination of compression and base64 encoding, in the hope that this would keep YARA rules from detecting anomalies in the code and let the changes slip through the software developers’ review unnoticed.
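A defender-side check for the string hiding just described, added here as an example and not code from ReversingLabs or SolarWinds: it scans source or decompiled text for base64 literals that inflate to DEFLATE-compressed data, which is exactly the property a plain-string YARA rule misses. Raw DEFLATE as the compression, the 24-character length threshold, and the sample snippet with its placeholder hidden string are all assumptions constructed for this example.

```python
import base64
import binascii
import re
import zlib

# Runs of 24+ base64-alphabet characters plus optional padding; the length
# threshold is an assumption chosen for this example.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def _try_inflate(blob: bytes):
    """Decompressed bytes if blob is a DEFLATE stream, else None.
    Raw DEFLATE (wbits=-15, what .NET's DeflateStream emits) is tried first,
    then zlib-wrapped; which one the real sample used is an assumption."""
    for wbits in (-15, 15):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return None

def find_compressed_b64_strings(text: str):
    """Return [(literal, decoded_text), ...] for each base64 literal in
    source or decompiled text that decodes to compressed data."""
    hits = []
    for match in _B64_RUN.finditer(text):
        literal = match.group(0)
        try:
            raw = base64.b64decode(literal, validate=True)
        except binascii.Error:  # bad length, padding or alphabet
            continue
        inflated = _try_inflate(raw)
        if inflated is not None:
            hits.append((literal, inflated.decode("utf-8", errors="replace")))
    return hits

def _deflate_b64(s: str) -> str:
    """Raw-DEFLATE + base64 a string; only used to build the sample input."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(comp.compress(s.encode()) + comp.flush()).decode()

HIDDEN_TEXT = "constructed-sample: update.example.invalid"  # placeholder
# Constructed C#-like snippet: a version string, a hex digest (a long run of
# base64 characters that is NOT compressed data) and one hidden literal.
SAMPLE_SOURCE = (
    "class InventoryManager {\n"
    '    const string Build = "2019.4.5200.9083";\n'
    '    const string Digest = "' + "a" * 40 + '";\n'
    '    const string Cfg = "' + _deflate_b64(HIDDEN_TEXT) + '";\n'
    "}\n"
)
```

Running `find_compressed_b64_strings(SAMPLE_SOURCE)` reports only the `Cfg` literal and its recovered plaintext; the digest and version string are skipped because they do not inflate.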