Microsoft is helping organizations that are investigating whether they are victims of the Solorigate attack by offering them a free tool: the CodeQL queries the company used to scan its own source code after the attack. The queries identify code that is similar in pattern and function to the SolarWinds malware, so they can be run against any codebase for the same purpose.
Meanwhile, security researchers from SecurityScorecard say they have found that a piece of malware used in the attack dates back almost four years. The malware, dubbed Teardrop, profiles a victim’s system and network, and its use goes all the way back to 2017.
Ryan Sherstobitoff, vice president of cyberthreat research and intelligence at SecurityScorecard, inferred from this that Teardrop was likely used by the same nation-state hacking team in other APT operations before SolarWinds.
Notably, when FireEye went public about suffering a data breach in December 2020, the company described Teardrop as a piece of malware it had not seen before.
During the February 23 Senate hearing on the SolarWinds Orion software hack, George Kurtz, president and CEO of CrowdStrike, pointed to an ‘architectural limitation’ in Active Directory Federation Services that was taken advantage of during the attack.
“Significantly, one of the most sophisticated aspects of the StellarParticle campaign was how skillfully the threat actor took advantage of architectural limitations in Microsoft’s Active Directory Federation Service credentialing and authentication process. The Golden SAML attack leveraged by StellarParticle actors allowed them to jump from customers’ on-premise environments and into their cloud and cloud-applications, effectively bypassing multi-factor authentication,” said Kurtz. He also went on to say that the presence of this flaw means more breaches will come, as it enables attackers to masquerade as anyone in the network.
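The paragraph above describes the defender's problem with Golden SAML: a forged assertion is signed with the organization's real token-signing key, so the cloud side accepts it (including any "MFA satisfied" claim it carries) even though the on-premises federation server never issued it. One detection approach is to correlate the cloud provider's sign-in records with the federation server's own token-issuance records and flag assertions that have no issuance counterpart or an implausible validity window. The following is an added example, not code from the article or from any vendor named in it; the record shapes, field names, the one-hour lifetime policy and the log entries are all constructed for illustration.

```python
"""Correlate federation-server token issuance with cloud sign-ins to spot
assertions the federation server never issued (example, not vendor code).

Assumptions (constructed for this example):
  - IssuedToken: what the on-premises federation server logs when it issues
    a SAML assertion (assertion id, subject, issue time, expiry)
  - CloudSignIn: what the cloud identity provider logs when an assertion is
    presented to it (assertion id, subject, time presented, expiry, the
    authentication-method claim carried in the assertion)
  - MAX_TOKEN_LIFETIME: the organization's assumed policy for assertion lifetime
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IssuedToken:
    assertion_id: str
    subject: str
    issued_at: datetime
    not_on_or_after: datetime


@dataclass(frozen=True)
class CloudSignIn:
    assertion_id: str
    subject: str
    presented_at: datetime
    not_on_or_after: datetime
    authn_method: str  # claim inside the assertion, e.g. "password+mfa"


MAX_TOKEN_LIFETIME = timedelta(hours=1)  # assumed policy value


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


# Constructed sample logs. The federation server issued two assertions ...
ADFS_ISSUED = [
    IssuedToken("_a-0001", "alice@example.com", _t("2020-12-08T09:00:00"), _t("2020-12-08T10:00:00")),
    IssuedToken("_a-0002", "bob@example.com", _t("2020-12-08T09:05:00"), _t("2020-12-08T10:05:00")),
]
# ... but the cloud side saw three: the two legitimate ones and one it never issued.
CLOUD_SIGNINS = [
    CloudSignIn("_a-0001", "alice@example.com", _t("2020-12-08T09:00:05"), _t("2020-12-08T10:00:00"), "password+mfa"),
    CloudSignIn("_forged-0001", "admin@example.com", _t("2020-12-08T09:30:00"), _t("2020-12-09T09:30:00"), "password+mfa"),
    CloudSignIn("_a-0002", "bob@example.com", _t("2020-12-08T09:05:03"), _t("2020-12-08T10:05:00"), "password+mfa"),
]


def find_suspicious_signins(issued, signins, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (assertion_id, subject, [reasons]) for each sign-in that does not
    line up with an issuance record or violates the lifetime policy."""
    by_id = {tok.assertion_id: tok for tok in issued}
    findings = []
    for s in signins:
        reasons = []
        tok = by_id.get(s.assertion_id)
        if tok is None:
            # Signature checks pass for a forged token; the missing issuance
            # record is what gives it away. Note the MFA claim it carries.
            reasons.append(f"no federation-server issuance record (assertion claims {s.authn_method!r})")
        else:
            if tok.subject != s.subject:
                reasons.append("subject differs from the issued assertion")
            if s.presented_at < tok.issued_at:
                reasons.append("presented before the federation server issued it")
            if tok.not_on_or_after != s.not_on_or_after:
                reasons.append("expiry differs from the issued assertion")
        if s.not_on_or_after - s.presented_at > max_lifetime:
            reasons.append("validity window exceeds lifetime policy")
        if reasons:
            findings.append((s.assertion_id, s.subject, reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, subject, reasons in find_suspicious_signins(ADFS_ISSUED, CLOUD_SIGNINS):
        print(f"{assertion_id} ({subject}): " + "; ".join(reasons))
```

The correlation only works if the federation server's issuance logs are shipped off-host to a store the on-premises attacker cannot rewrite, since the same foothold that yields the signing key can also edit local logs; in practice the check is run over a SIEM's copy, with the assertion id as the join key.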
The Senate hearing took place in the presence of executives including Kevin Mandia, FireEye’s CEO; Sudhakar Ramakrishna, SolarWinds’ CEO; Brad Smith, Microsoft’s president; and George Kurtz, CrowdStrike’s president and CEO. Notably, no representative from Amazon Web Services was present, even though the company was invited.
As cyber-researchers look into the Solorigate supply chain attack and measure its true impact, SolarWinds blamed one of its interns for a critical password lapse that went unnoticed for several years.
The password is said to have been “solarwinds123” and is believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the issue was rectified on November 22, 2019.
As of this writing, at least nine government agencies and over a hundred private companies have been breached in what is being described as the most complex and well-orchestrated attack.
SolarWinds CEO Ramakrishna testified that the leaked password was believed to have been set by one of their interns, who used it on his servers back in 2017. He added that the issue was reported to the security team and the password was immediately removed. Former CEO Kevin Thompson seconded Ramakrishna’s statement during the testimony, saying that the intern’s mistake violated the company’s password policies.