SolarWinds: What the Gov't Found - ThreatWire

By Shannon Morse, ThreatWire 

Last week, cybersecurity professionals met with the federal government to discuss the SolarWinds attack and how to prevent it from happening again. The Senate Select Committee on Intelligence held a hearing in which many questions came up and remain unanswered, for example: the full analysis of how the attackers got into SolarWinds, who was behind it and why, and which other organizations may be victims of this attack without yet realizing it.

Panelists at the hearing all agreed that a national data breach notification law should be passed; such a law has been floated in government circles for years but has never made it into law. Other topics included the ramifications for the attackers and the creation of international rules for cyberspace.

The CEO of SolarWinds took part in the hearings and discussed how SolarWinds will need to overhaul its system builds to ensure that no malware can be inserted, as well as what the company would want from the government, such as a single place where private companies could report breaches, with that information then relayed to all of the relevant government agencies.

In other SolarWinds news, both NASA and the FAA were reportedly compromised alongside all the other government agencies that we’ve already heard about. Microsoft also disclosed that SolarWinds attackers got access to source code repos for some of the components related to Azure, Intune, and Exchange products.

Microsoft also came forward last week, open sourcing the CodeQL queries it used to analyze its own systems for the malware planted in the SolarWinds Orion updates. That means other organizations can use the same queries to analyze their own systems for the Sunburst, or Solorigate, malware. The queries analyze source code for compromises or patterns associated with the malware, which is likely how Microsoft determined the extent of the access to Azure, Exchange and Intune. CodeQL is a “semantic code analysis engine” that developers can use to check for specific behaviors and functionality within code. CodeQL queries run automatically and can produce false positives, so reviewing every flag is still crucial when looking for links to the SolarWinds hack. But open sourcing the queries can help speed up the process for other companies.

Links:
Watch this on youtube: https://youtu.be/qvZX5AuBxxo

Support ThreatWire!  https://www.patreon.com/threatwire

https://www.cyberscoop.com/solarwinds-fireeye-microsoft-crowdstrike-senate-ssci/
https://www.washingtonpost.com/national-security/biden-russia-sanctions-solarwinds-hacks/2021/02/23/b77039d6-71fa-11eb-85fa-e0ccb3660358_story.html
https://www.cyberscoop.com/solarwinds-sudhakar-ramakrishna-ceo-hack/
https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/
https://www.bleepingcomputer.com/news/microsoft/microsoft-solarwinds-hackers-downloaded-some-azure-exchange-source-code/
https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/
https://www.cyberscoop.com/microsoft-solarwinds-breach-compromise-open-source-codeql/
https://www.bleepingcomputer.com/news/security/microsoft-shares-codeql-queries-to-scan-code-for-solarwinds-like-implants/
