You can now find Cyber Kendra on Google News | Telegram

Researcher Explained SolarWinds Codebase was Pre-Hacked

How SolarWinds Got Hacked

Information security specialists still investigate a cyberattack on SolarWinds' internal network, as a results of which a malicious update was implemented for its Orion software so as to infect networks of state and commercial organizations using it.

According to experts at ReversingLabs, the hackers likely managed to compromise the software build and code signing infrastructure of the SolarWinds Orion platform back in October 2019 so as to inject a malicious backdoor through the software release process.

"The source code of the affected library has been directly modified to incorporate malicious backdoor code that has been compiled, signed, and delivered through the prevailing software patch management system," the experts explained.

Although the primary version containing the corrupted Orion software was traced back to 2019.4.5200.9083, ReversingLabs found that the sooner version 2019.4.5200.8890, dated October 2019, also included seemingly harmless modifications that served as a stage in delivering the particular payload.

The idea was to compromise the build system, quietly inject custom code into the software source code, await the corporate to compile and sign the packages, and eventually check if their modifications show up within the recently released update needless to say .

After confirmation, the attackers took steps to feature the SUNBURST malware to the remainder of the codebase, mimicking existing functions (GetOrCreateUserID), but adding their own implementations to stay invisible and invoking, modifying a separate class called InventoryManager to make a replacement thread that launches the backdoor.

Moreover, the malicious strings were hidden by a mixture of compression and base64 encoding within the hopes that this is able to prevent YARA rules from detecting anomalies within the code, also as slipping unnoticed during a software developer check.

Post a Comment

Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Site is Blocked
Sorry! This site is not available in your country.