A group of hackers managed to infiltrate the networks of a company called SolarWinds and trojanize its most widely used software, taking the world by surprise.
The initial investigation into the attack led to the conclusion that it was carried out by injecting malware called Sunburst into the Orion software source code. However, further investigation pointed to a different cause for the attack: a malware called SuperNova.
Microsoft has released open-source CodeQL queries to detect the malicious implants that were the cause of the SolarWinds attack. Microsoft has published this code, written in C#, on GitHub.
CodeQL is a powerful semantic code analysis engine that works in two stages. In the first stage, it compiles the source code into binaries and simultaneously builds a database that models the code being compiled. In the second stage, once the database has been created, it can be queried repeatedly, much like any other database.
CodeQL databases can be aggregated, which makes it possible to search semantically across many codebases for code patterns that may span multiple assemblies, libraries or modules, depending on the particular code present in the build.
This approach is useful because it enables static analysis not only within the secure development lifecycle but also for reactive code inspection across the enterprise.
While searching for the Solorigate indicators, the researchers looked for both distinctive syntax and semantic patterns.
Combining these two techniques allowed the queries to detect cases where the attackers kept similar syntax but changed their techniques, or changed the syntax but kept similar techniques.
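As an added illustration of pairing a syntactic filter with a semantic one, the following CodeQL query for C# is example code written for this page, not one of Microsoft's published Solorigate queries. The Base64-looking literal heuristic and the `System.Diagnostics.Process.Start` sink are assumptions chosen for the example; they are not indicators taken from the article.

```ql
/**
 * @name Hard-coded literal flows into process creation
 * @description Combines a syntactic match (a long Base64-looking string
 *              literal) with a semantic match (intraprocedural data flow
 *              into a process launch). Example query, not from the article.
 * @kind problem
 * @problem.severity warning
 * @id example/literal-to-process-start
 */

import csharp
import semmle.code.csharp.dataflow.DataFlow

// Syntactic pattern: a string literal whose text looks like Base64.
// The regex and the 32-character minimum are assumptions for this example.
class Base64LookingLiteral extends StringLiteral {
  Base64LookingLiteral() { this.getValue().regexpMatch("[A-Za-z0-9+/]{32,}={0,2}") }
}

// Semantic anchor: any call to System.Diagnostics.Process.Start, regardless
// of which overload or variable name the author used.
class ProcessStartCall extends MethodCall {
  ProcessStartCall() {
    this.getTarget().hasName("Start") and
    this.getTarget().getDeclaringType().hasQualifiedName("System.Diagnostics", "Process")
  }
}

// Join the two: report a process launch whose argument is derived, within the
// same method, from a suspicious literal. Renaming variables or splitting the
// decoding into extra steps does not defeat the flow-based match.
from Base64LookingLiteral lit, ProcessStartCall call
where DataFlow::localFlow(DataFlow::exprNode(lit), DataFlow::exprNode(call.getAnArgument()))
select call, "Process started with an argument derived from a Base64-looking literal $@.", lit,
  "defined here"
```

Because the sink is matched on the resolved method rather than on its spelling, the query still fires when the surrounding syntax changes, while the literal filter keeps the result set small on large databases.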