Security News > 2021 > January > SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there – report

The malware that was utilised to hack SolarWinds checked to see whether software used to compile the firm's Orion product was running before deploying its payload, according to Crowdstrike.

In a blog post late last night, the infosec firm said the Orion-targeting malware, which it codenamed Sunspot, had "Several safeguards" to ensure its deployment of compromised code into new Orion builds didn't trigger SolarWinds' suspicions.

In a detailed technical analysis, Crowdstrike said: "The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers."

Crowdstrike said when Sunspot detected "The Orion solution file path in a running MsBuild.exe process, it replaces a source code file in the solution directory, with a malicious variant to inject SUNBURST while Orion is being built." It added: "The malicious source code for SUNBURST, along with target file paths, are stored in AES128-CBC encrypted blobs and are protected using the same key and initialization vector."

The US CISA infosec agency ordered American government agencies to disconnect SolarWinds appliances from their networks, while Orion is known to be in widespread use by the British government.

Based on SolarWinds' own timeline, the two investors sold up before SolarWinds itself was aware of the hack: two days after the sale, the company announced it was taking on a new CEO; three days later, the hack was discovered; five days later the world was told.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/12/solarwinds_tech_analysis_crowdstrike/