
Microsoft has open-sourced CodeQL queries that developers can use to scan source code for malicious implants matching the SolarWinds supply-chain attack.

In December, it was disclosed that threat actors hacked SolarWinds to modify the legitimate SolarWinds Orion platform in a supply-chain attack. This attack allowed the threat actors to gain remote access to the systems of customers who use the SolarWinds Orion network management platform.

Microsoft disclosed that their systems were compromised by this supply-chain attack and allowed the attackers to access limited amounts of source code for Azure, Exchange, and Intune.

To make sure the attackers did not modify their code, Microsoft created CodeQL queries that were used to scan their codebase for malicious implants matching the SolarWinds IOCs.

Today, Microsoft has released their SolarWinds CodeQL queries so that users can scan their source code for potential malicious implants.

"In this blog, we'll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate."

"We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis," announced Microsoft in a new blog post.

Using these queries, developers can check their software for malicious modifications similar to those used in the SolarWinds supply-chain attack.

CodeQL queries scan for malicious SolarWinds implants

CodeQL is a semantic code analysis engine that lets developers query their code for syntactic elements or behavior that matches specific functionality.

Semantic code analysis does not check whether source code is syntactically correct; instead, it matches on the "meaning" of the code.

Using CodeQL, developers can build a database of functionality and syntactic elements from their codebase and query it for a particular behavior.

Developers can then share CodeQL queries publicly to allow other devs to scan their code for similar functionality.

With Microsoft's release of SolarWinds CodeQL queries, developers can scan their source codebase for functionality or syntactic code elements that match those used by the malicious implants from the SolarWinds attack.

CodeQL query to find modified FNV-1A hash function

Microsoft's CodeQL queries check for a wide range of behavior used by the SolarWinds implants, including command and control communication, a modified FNV-1A hash function, use of Windows APIs found in backdoor functionality, and "time-bomb" functionality.
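As an added example (not Microsoft's CodeQL query and not code from the page), the same code-level IoC idea in plain Python: flag source that embeds the well-known FNV-1a constants and XORs an extra literal into the result, run over constructed C# snippets. The regexes, the snippets and the demo XOR key are all assumptions; a real CodeQL query works on the semantic model of the code rather than its text.

```python
"""Flag source that carries the FNV-1a coding pattern (added example, not Microsoft's
CodeQL query; a regex approximation of the same code-level IoC idea)."""
import re

# Textbook FNV-1a parameters: (offset basis, prime) for the 32- and 64-bit variants.
FNV_PARAMS = {32: (0x811C9DC5, 0x01000193), 64: (0xCBF29CE484222325, 0x100000001B3)}

# Integer literals as written in C#/Java/C, with optional u/l suffixes.
LIT = r"(0[xX][0-9A-Fa-f]+|\d+)[uUlL]{0,2}\b"
NUM_RE = re.compile(r"\b" + LIT)
XOR_LIT_RE = re.compile(r"\^\s*" + LIT)  # matches "h ^ 0x1234", deliberately not "h ^= c"

def fnv1a(data: bytes, bits: int = 64) -> int:
    """Reference FNV-1a, to confirm what a flagged routine actually computes."""
    basis, prime = FNV_PARAMS[bits]
    mask = (1 << bits) - 1
    h = basis
    for b in data:
        h = ((h ^ b) * prime) & mask
    return h

def _to_int(tok: str) -> int:
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)

def fnv_constants_in(src: str) -> set:
    """Names of FNV parameters ('basis64', 'prime32', ...) present as literals."""
    vals = {_to_int(t) for t in NUM_RE.findall(src)}
    return {f"{name}{bits}" for bits, (basis, prime) in FNV_PARAMS.items()
            for name, v in (("basis", basis), ("prime", prime)) if v in vals}

def classify(src: str) -> str:
    """'none', 'fnv1a' (textbook constants) or 'fnv1a-modified' (constants plus an
    extra literal XORed into the result). A heuristic: every hit needs human review."""
    consts = fnv_constants_in(src)
    if not any({f"basis{b}", f"prime{b}"} <= consts for b in FNV_PARAMS):
        return "none"
    known = {v for pair in FNV_PARAMS.values() for v in pair}
    extra = [t for t in XOR_LIT_RE.findall(src) if _to_int(t) not in known]
    return "fnv1a-modified" if extra else "fnv1a"

# Constructed C# snippets for the demo; the trailing XOR key is made up.
CLEAN = """ulong h = 0xcbf29ce484222325UL;
foreach (char c in s) { h ^= c; h *= 0x100000001b3UL; }
return h;"""
MODIFIED = """ulong h = 14695981039346656037UL;
foreach (char c in s) { h ^= c; h *= 1099511628211UL; }
return h ^ 0x1122334455667788UL;"""
UNRELATED = "int t = 0; foreach (var x in xs) t ^= x * 31; return t;"
```

Calling `classify()` on the three snippets yields `fnv1a`, `fnv1a-modified` and `none`; benign hash helpers will also trip the first two labels, which is why each hit still needs the manual review Microsoft recommends.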

Microsoft warns that some of these CodeQL queries can find similar behavior in benign code, so it is essential to manually review any detections to ensure they are not false positives.
