Researcher Explained SolarWinds Codebase was Pre-Hacked

Information security specialists still investigate a cyberattack on SolarWinds' internal network, as a results of which a malicious update was implemented for its Orion software so as to infect networks of state and commercial organizations using it.

According to experts at ReversingLabs, the hackers likely managed to compromise the software build and code signing infrastructure of the SolarWinds Orion platform back in October 2019 so as to inject a malicious backdoor through the software release process.

"The source code of the affected library has been directly modified to incorporate malicious backdoor code that has been compiled, signed, and delivered through the prevailing software patch management system," the experts explained.

Although the primary version containing the corrupted Orion software was traced back to 2019.4.5200.9083, ReversingLabs found that the sooner version 2019.4.5200.8890, dated October 2019, also included seemingly harmless modifications that served as a stage in delivering the particular payload.

The idea was to compromise the build system, quietly inject custom code into the software source code, await the corporate to compile and sign the packages, and eventually check if their modifications show up within the recently released update needless to say .

After confirmation, the attackers took steps to feature the SUNBURST malware to the remainder of the codebase, mimicking existing functions (GetOrCreateUserID), but adding their own implementations to stay invisible and invoking, modifying a separate class called InventoryManager to make a replacement thread that launches the backdoor.

Moreover, the malicious strings were hidden by a mixture of compression and base64 encoding within the hopes that this is able to prevent YARA rules from detecting anomalies within the code, also as slipping unnoticed during a software developer check.