Microsoft has recently finished its investigation into the ongoing Solarigate malware attack that targeted the SolarWinds app Orion. Following the completion of that investigation, the company has made the CodeQL queries it used open source and available to everyone.
If you’re unfamiliar with CodeQL, it is a code analysis engine that builds a database from a model of the code as it is compiled. That database can then be queried for analysis and inspection. Microsoft used CodeQL when investigating the Solarigate malware so that its analysis of the code could scale.
The results of the investigation show that Microsoft customer data was not compromised by the attacks, although code files across Azure and other services were.
For the investigation, Microsoft built custom CodeQL databases across numerous Solarigate builds. These were compiled into an aggregate database so that queries could run across the whole set. This approach allowed Microsoft to start finding malicious activity at the code level within hours.
Microsoft points out that customers who use the open-sourced CodeQL queries should know that finding the same patterns does not mean they have been compromised. Furthermore, the company says any bad actor who changes their code enough will fall outside what the CodeQL queries can detect.
In its description, Microsoft explains how combining syntactic and semantic approaches in the CodeQL queries helps detect Solarigate attacks:
“By combining these two approaches, the queries are able to detect scenarios where the malicious actor changed techniques but used similar syntax, or changed syntax but employed similar techniques. Because it’s possible that the malicious actor could change both syntax and techniques, CodeQL was but one part of our larger investigative effort.”
SolarWinds-related attacks have infected 18,000 organizations, including government agencies. In December, the Cybersecurity and Infrastructure Security Agency (CISA) debuted a PowerShell tool to help Microsoft 365 customers mitigate Solarigate. Microsoft had recently confirmed that stolen Azure/Microsoft 365 credentials and access tokens were a part of the breach.
You can read more about the investigation, and the open-sourced CodeQL queries are available, here.