Free Sunburst Malware Detection Tool on CodeQL GitHub repository
Microsoft has released a free, open source tool to help system administrators find the Sunburst malware used in the SolarWinds attacks. The new tool utilizes CodeQL queries to analyze source code and rule out or confirm the presence of the code-level compromises.
The tool can help root out attack code that might be deeply embedded in a victim’s network.
“Microsoft believes in leading with transparency and sharing intelligence with the community for the betterment of security practices and posture across the industry as a whole,” says the announcement from Microsoft.
In December, the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about an ongoing malware attack. The compromise involved a widely used enterprise security software called SolarWinds Orion.
The exploit affected nine US federal agencies including the Department of Homeland Security, the US Department of Justice, and the National Institutes of Health. UK defense agencies, the United Kingdom National Health Service (NHS), and the European Parliament are also SolarWinds Orion users.
The malware, called Sunburst, was discovered on December 8th by security organization FireEye. Incidentally, FireEye was also a SolarWinds Orion user and was also compromised.
SolarWinds is an enterprise-level security application used by government and private sector system administrators to secure their networks.
Sunburst malware installs a backdoor which grants access into infected IT networks. The access may be used to upload additional files to compromised devices.
After further investigation, it was found that Sunburst had been in circulation since 2019. Over 18,000 organizations were impacted by the attack. Russia denies responsibility for the SolarWinds cyberattack.
There are two different approaches to rooting out SolarWinds malware, says Microsoft.
One tactic scans for the syntax used in the Solorigate code-level IoCs. The second hunts for “semantic patterns”, the techniques present in the code-level IoCs, rather than their exact text. The C# queries that root out the code-level IoCs can currently be found in the CodeQL GitHub repository.
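To make the difference between the two approaches concrete, here is an added illustration written in CodeQL for C#. It is not one of Microsoft's Solorigate queries and is not taken from the CodeQL repository: the string literal is a placeholder rather than a real IoC, and the "semantic" heuristic (process enumeration compared against a long numeric constant) is a generic shape chosen only to show how a behavioural query differs from a byte-for-byte string match. The predicate names are the author's own.

```ql
/**
 * @name Illustrative Solorigate-style patterns (syntactic vs. semantic)
 * @description Added example, not a Microsoft query. Shows one string-match
 *              rule and one behavioural rule side by side.
 * @kind problem
 * @problem.severity warning
 * @id cs/example/solorigate-style-patterns
 */
import csharp

// Syntactic style: flag source that contains an exact string taken from a
// published code-level IoC list. Cheap and precise, but defeated by any
// renaming, splitting or re-encoding of the string.
predicate matchesSyntacticIoc(StringLiteral s) {
  // Placeholder value, not a real indicator; substitute a published IoC.
  s.getValue() = "PLACEHOLDER_IOC_STRING"
}

// Semantic style: describe the behaviour rather than the bytes. Here: a
// method that enumerates running processes and, in the same method, compares
// something against a long integer constant, the general shape of a
// hashed-process-name check. This survives string obfuscation, but each hit
// needs human review because legitimate monitoring code can look similar.
predicate looksLikeHashedProcessCheck(Method m) {
  exists(MethodCall call |
    call.getEnclosingCallable() = m and
    call.getTarget().hasQualifiedName("System.Diagnostics.Process", "GetProcesses")
  ) and
  exists(EqualityOperation eq, LongLiteral lit |
    eq.getEnclosingCallable() = m and
    eq.getAnOperand() = lit and
    // Ten or more digits: a hash-sized constant rather than a small count.
    lit.getValue().length() >= 10
  )
}

from Element e, string reason
where
  (matchesSyntacticIoc(e) and reason = "string literal matches a code-level IoC")
  or
  (looksLikeHashedProcessCheck(e) and reason = "process enumeration compared against a long constant")
select e, "Possible Solorigate-style pattern: " + reason
```

Run against a CodeQL database built from the C# code under review; the first predicate answers "is this exact indicator present?", while the second answers "does anything here behave the way the indicator's code behaves?", which is why a semantic query can still fire after an attacker changes the strings.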