Breach, Data Security, Vulnerability Management

Microsoft makes CodeQL queries public so security pros can better understand SolarWinds attack

Microsoft released a ‘lite’ slate of updates for Patch Tuesday (Microsoft)

Microsoft has won praise from security researchers by making its  CodeQL queries public so any organization could use the open source tools to analyze if they experienced any vulnerabilities from the SolarWinds hack or similar supply chain attacks.  

CodeQL queries code as if it were data, which lets developers write a query that finds all the variants of a vulnerability, and then share it with others.

In a blog post Thursday that details how it used the CodeQL technique, Microsoft referred to the SolarWinds attack as Solorigate. In this case, the attacker got into the remote management software servers of multiple companies and injected a backdoor into the SolarWinds Orion software update. The attacker modified the binaries in Orion and distributed them via previously legitimate update channels. This let the attacker remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement to steal sensitive information.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also the resilience of its own codebases. In the blog, Microsoft explains its use of CodeQL queries to analyze its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate. 

“Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals) or in functionality,” the blog said. “Both can occur coincidentally in benign code, so all findings will need review to determine if they are actionable. Additionally, there’s no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant.”

Microsoft underscored that security researchers should only consider what they outlined in the blog as just a part in a mosaic of techniques to audit for compromise.

Security researchers were quite pleased to learn of Microsoft’s decision to share its CodeQL queries.

Andrew Barratt, managing principal of solutions and investigations at Coalfire, said while Microsoft quite often gets criticized by parts of the security community, the software maker has shared another useful set of tools and techniques that incident responders and blue teamers can leverage to further automate their efforts. Barratt added that analyzing the SolarWinds compromise, or even just ‘potential’ compromise activity has been a large part of his company’s Q1 activity for clients and anything they can leverage to support these efforts will further speed-up the analysis.

“Using CodeQL with some of the additional support provided by Microsoft could be the start of building a much more defensive posture when aiming to develop secure products,” Barratt said. “It can be integrated into the development pipeline, but also has the potential to be leveraged as part of the analysis of other third-party code that may have a ‘copycat’ attack. While that’s great in the short-term, the real value is the knowledge this will drive across the community just because of Microsoft’s broad reach. This will help trigger answers to the ‘where do we start’ question.”

Lamar Bailey, senior director of security research at Tripwire, welcomed Microsoft’s move, saying it was a positive for the entire cybersecurity industry.

“Through greater collaboration and partnerships, we will begin to see the battle swing in our favor and put an end to significant cyberattacks like the ones we have witnessed these past months,” Bailey said.   

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.