Microsoft is open-sourcing the CodeQL queries that it used to investigate the impact of Sunburst or Solarigate malware planted in the SolarWinds Orion software updates. Other organizations can use the queries to perform a similar analysis.
Microsoft released the queries as part of its response to the attack on SolarWinds Orion network monitoring software, which was used to selectively compromise nine US federal agencies and 100 private sector firms, many of which were from the tech sector.
Suspected Russian government-backed hackers compromised SolarWinds' build system in early 2020 to pull off the supply chain attack discovered by Microsoft and FireEye — a feat that Microsoft estimated took at least 1,000 engineers.
SEE: Windows 10 Start menu hacks (TechRepublic Premium)
"A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds' Orion product," the Microsoft security team said in a blogpost.
"These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information. The incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of their own codebases."
Microsoft used CodeQL queries to analyze its source code and confirm there were no indicators of compromise (IoCs) and coding patterns associated with Solorigate aka Sunburst malware in its source code.
Microsoft earlier this month admitted the SolarWinds hackers downloaded some Azure, Exchange, and Intune source code in what appeared to be a limited attack. It and FireEye were compromised by the tainted Orion update.
Static and dynamic code analysis are part of the defense line-up that organizations can use to detect a software-based attack.
Microsoft warns that findings from the queries will need to be reviewed because indicators "can occur coincidentally in benign code."
It added: "Additionally, there is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant."
The company also shared some of its security philosophy.
"Microsoft has long had integrity controls in place to verify that the final compiled binaries distributed to our servers and to our customers have not been maliciously modified at any point in the development and release cycle. For example, we verify that the source file hashes generated by the compiler match the original source files. Still, at Microsoft, we live by the "assume breach" philosophy, which tells us that regardless of how diligent and expansive our security practices are, potential adversaries can be equally as clever and resourced."
SolarWinds build processes were nor the only weak point the attackers exploited. At a US Senate hearing this week, CrowdStrike CEO George Kurtz critiqued Microsoft for "systemic weaknesses in the Windows authentication architecture", referring to Active Directory and Azure Active Directory, Reuters reported. These allowed the attackers to move laterally once compromising a network. CrowdStrike was targeted during the attack but said in December that is "suffered no impact".
Mike Hanley, the newly appointed chief security officer (CSO) of Microsoft-owned GitHub, said CodeQL provides, "key guardrails that help developers avoid incidents and shipping vulnerabilities".