Microsoft previously revealed that the SolarWinds supply chain attackers had compromised its systems and gained access to a limited amount of Azure, Exchange and Intune source code.
It was disclosed in December that SolarWinds had been hacked in a supply chain attack in which threat actors modified the legitimate SolarWinds Orion platform. The attack gave the threat actors remote access to the systems of customers who use the SolarWinds Orion platform for network management.
Microsoft has released the CodeQL queries it used in its SolarWinds review so that users can scan their own source code for malicious implants and confirm that none of it was modified by the attackers.
Using these queries, developers can check their software for malicious modifications similar to those used in the SolarWinds supply-chain attack.
CodeQL is a semantic code analysis tool that lets developers search their code for specific syntactic patterns or behaviours.
Semantic code analysis does not check the syntactic correctness of the source code; instead, it matches the “meaning” of the code.
Using CodeQL, developers build a database of the functional and syntactic elements of their codebase, then query that database for a specific behaviour.
Developers can then share CodeQL queries publicly so that other developers can scan their own code for the same functionality.
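Running shared queries over a CodeQL database produces SARIF output, and the practical next step is triaging those results; the script below is an added example (not Microsoft's code or part of its query set) that flattens a SARIF document into findings and counts hits per rule. The SARIF sample, rule ids, file paths and messages are constructed placeholders.

```python
import json
from collections import defaultdict

# Typical CLI flow that produces the input (standard codeql commands):
#   codeql database create db --language=csharp --source-root .
#   codeql database analyze db <queries> --format=sarif-latest --output=out.sarif
# Constructed SARIF 2.1.0 sample; rule ids/paths are placeholders, not
# Microsoft's Solorigate query names.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL"}},
    "results": [
        {"ruleId": "example/hardcoded-ioc-string", "level": "error",
         "message": {"text": "String literal matches a known indicator"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/Example.cs"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "example/suspicious-pattern", "level": "warning",
         "message": {"text": "Coding pattern associated with the implant"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/Other.cs"},
             "region": {"startLine": 120}}}]},
        # Results without a location are valid SARIF and must not be dropped.
        {"ruleId": "example/suspicious-pattern", "level": "warning",
         "message": {"text": "Coding pattern associated with the implant"}},
    ]}]})


def load_findings(sarif_text):
    """Flatten SARIF results into (rule, level, file, line, message) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            findings.append((
                res.get("ruleId", "<unknown>"),
                res.get("level", "warning"),
                phys.get("artifactLocation", {}).get("uri", "<no file>"),
                phys.get("region", {}).get("startLine", 0),
                res.get("message", {}).get("text", ""),
            ))
    return findings


def summarize_by_rule(findings):
    """Hit count per rule, so a reviewer sees which IoC queries fired."""
    counts = defaultdict(int)
    for rule, *_ in findings:
        counts[rule] += 1
    return dict(counts)
```

Findings with no location still appear in the summary, which matters when a query reports on a whole file or project rather than one expression.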
“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.”
“We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis,” announced Microsoft in a new blog post.