IT monitoring and management solutions provider SolarWinds recently became the target of a sophisticated cyber-attack. Some SolarWinds Orion software updates included a backdoor allowing attackers to execute arbitrary code and conduct surveillance. ReversingLabs announced that it has unveiled details showing that the Orion software build and code-signing infrastructure was compromised. According to the announcement, the library was modified to include backdoor code.
Directly modified to include malicious backdoor code
The first version of the backdoor code appeared in the SolarWinds-Core-v2019.4.5220-Hotfix5.msp package update, inside the file named SolarWinds.Orion.Core.BusinessLayer.dll. The attackers' three-step approach was to compromise the build system, inject their own code, and verify that their signed packages would appear on the client side as expected.
The attackers also chose the class name, OrionImprovementBusinessLayer, deliberately: it blends in with the rest of the code and is meant to fool the developers or anyone auditing it. The class can be found in other Orion software libraries too. Tomislav Peričin, Chief Software Architect & Co-Founder of ReversingLabs, said:
“SUNBURST illustrates the next generation of compromises that thrive on access, sophistication, and patience. For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, malicious or unwanted additions must be part of the risk management process.
This type of tampering exploits software distributions that are trusted by the traditional security software stack, which is unique in comparison to known malicious implants. The distributions could not be easily inspected, if at all, by any perimeter control. Hiding in plain sight behind a globally known software brand or a trusted business-critical process gives this method access that a phishing campaign could only dream of achieving.
Most cybersecurity frameworks such as NIST CSF document the need for continuous risk management and inspection of data and software. This, in turn, includes the need that all third-party and open-source software, whether built internally or externally, be continually inspected for tampering, malicious content, or any unwanted characteristics that clash with an organization’s acceptable policies.”
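One concrete form of the "inspecting software and monitoring updates for signs of tampering" that the quote calls for is a baseline manifest check: record a SHA-256 digest for every file in a release that was reviewed and approved, then diff a new update against that record before trusting it. The script below is an added example, not code from ReversingLabs, SolarWinds or the article; it assumes a hypothetical workflow in which the approved baseline and the incoming update are both available as directories, and it constructs its own sample files (the file names mirror the article, but the contents are invented stand-ins, not real Orion binaries).

```python
"""Diff a candidate software update against a known-good baseline manifest.

Added example (not ReversingLabs' or SolarWinds' code). Assumes a hypothetical
workflow: the build team records SHA-256 digests for every file of an
approved release; before a new update is deployed, the same manifest is
regenerated from the update and compared with the baseline. Any added,
removed or modified file is reported for inspection. All sample files below
are constructed in a temporary directory; their contents are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline: dict, candidate: dict) -> dict:
    """Return files that were added, removed or changed relative to the baseline."""
    added = sorted(set(candidate) - set(baseline))
    removed = sorted(set(baseline) - set(candidate))
    modified = sorted(
        p for p in set(baseline) & set(candidate) if baseline[p] != candidate[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative_path: bytes} mapping under root (constructed data)."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Build a constructed baseline release and a tampered candidate, then diff them."""
    baseline_files = {
        "SolarWinds.Orion.Core.BusinessLayer.dll": b"constructed baseline dll bytes",
        "Orion.Web.dll": b"constructed web dll bytes",
        "config/settings.xml": b"<settings/>",
    }
    # The candidate keeps two files intact, alters the business-layer DLL
    # (standing in for injected code) and ships one unexpected extra file.
    candidate_files = dict(baseline_files)
    candidate_files["SolarWinds.Orion.Core.BusinessLayer.dll"] = (
        b"constructed baseline dll bytes + injected code"
    )
    candidate_files["extra/Helper.dll"] = b"constructed unexpected file"
    with tempfile.TemporaryDirectory() as tmp:
        base_dir = Path(tmp) / "baseline"
        cand_dir = Path(tmp) / "candidate"
        write_tree(base_dir, baseline_files)
        write_tree(cand_dir, candidate_files)
        return diff_manifests(build_manifest(base_dir), build_manifest(cand_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The check is deliberately independent of the vendor's signature: in the case the article describes, the signing infrastructure itself was compromised, so a valid signature on the package says nothing about whether the approved build is what was shipped. A digest manifest produced from a reviewed build, stored outside the build pipeline, gives a second reference that a tampered DLL or an unexpected extra file will not match.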