Researchers at CrowdStrike, one of the cybersecurity firms directly involved in the investigation of the recent SolarWinds supply-chain attack, which caused a great uproar among cybersecurity professionals last December, said they discovered a third malware strain that was deployed into the build environment to inject the backdoor into the SolarWinds Orion network monitoring platform.
Dubbed “Sunspot,” the malware is the latest addition to a growing list of previously disclosed malicious tools, which, at present, includes the Sunburst and Teardrop malicious software.
“This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams,” SolarWinds' new CEO Sudhakar Ramakrishna said.
CrowdStrike is tracking this intrusion as StellarParticle and does not attribute the Sunspot implant, Sunburst backdoor or Teardrop post-exploitation tool to any known threat actor.
According to the cybersecurity firm, Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code.
“The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” the researchers said.
According to CrowdStrike, Sunspot was deployed in September 2019, when initial compromise of the SolarWinds' internal network occurred.
Once installed, the malware ("taskhostsvc.exe") grants itself debugging privileges and attempts to hijack the Orion build workflow by monitoring running software processes on the server, and subsequently replace a source code file in the build directory with a malicious version to inject Sunburst while Orion is being built.
“The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to ins ert code in to our builds … An updated version of the malicious code injection source that inserted the SUNBURST malicious code into Orion Platform releases starting on February 20, 2020,” SolarWinds’ Ramakrishna explained.
In a separate report released Monday Kaspersky said it has discovered some similarities between Sunburst, and another backdoor found several years ago dubbed Kazuar, which is believed to be a tool in the arsenal of the Turla threat group (aka Uroburos or Snake).
“While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years,” the researchers said. “A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.”