Using GitHub code scanning and CodeQL to detect traces of Solorigate and other backdoors

Bas van Schaik

Last month, members of the CodeQL security community contributed several CodeQL queries for C# codebases that can help organizations assess whether they are affected by the SolarWinds nation-state attack on various parts of critical network infrastructure around the world. This attack is also referred to as Solorigate (by Microsoft) or Sunburst (by FireEye). In this blog post, we explain how GitHub Advanced Security customers can use these CodeQL queries to determine whether their build infrastructure is infected with the malware.

What happened?

In early December 2020, the security consultancy FireEye published details of a nation-state attack on SolarWinds, a company that provides network monitoring tools to a range of organizations, including the US government. As part of the attack, the intruders successfully compromised SolarWinds' Orion network monitoring product, which was shipped to a large number of customers. The attackers subsequently gained access to the networks on which the Orion product was deployed.

Over the past few years, Microsoft has been using CodeQL to investigate vulnerabilities and data breaches. The contributed CodeQL queries are a key element of their response to this attack, as they have been in past investigations.

What is build hijacking?

The malware spreads by backdooring build systems in order to inject malicious code into product releases, and in turn compromise the users of a shipped release. In particular, it monitors for invocations of msbuild.exe (Microsoft Build Engine) processes. Having granted itself debugging privileges, it injects additional malicious code into the build process. This means that while the codebases themselves do not contain any malicious commits or other traces of the malware, the products that are built from those codebases do contain the malware. The process of "build hijacking" is explained in more detail in this technical analysis from CrowdStrike.

CodeQL security analysis

GitHub CodeQL is a semantic code analysis engine that uses queries to analyze source code and find unwanted patterns. For example, CodeQL can track data that originates from an untrusted source (for example, an HTTP request) and ends up in a potentially dangerous location (for example, a string concatenation inside a SQL statement, leading to a SQL injection vulnerability).

CodeQL queries are run against a database of the source code that CodeQL generates during the build process (for compiled languages). To do this, CodeQL closely observes the build process and extracts the relevant parts of the source code that were used to build the binaries. The output of the extraction process is a structured, relational representation of the source code: the CodeQL database.

Using CodeQL to detect traces of Solorigate

If a build server is backdoored with the build hijacking component of the Solorigate malware campaign, the malware will inject additional source code at compilation time. If CodeQL is observing the build process on the infected server, it will extract the injected malicious source code together with the genuine source code. The resulting CodeQL database will therefore contain traces of the malicious Solorigate source code. Note that if your CodeQL database is generated on a machine that is not infected, the database will not contain any injected source code.

Diagram showing the code scanning workflow described in this blog post

The CodeQL queries that were contributed by the Microsoft team detect the malicious C# code patterns injected by the malware. The best way to run these queries is to manually create a CodeQL database on a potentially affected server, and then analyze that database using the CodeQL extension for Visual Studio Code.

Alternatively, you can generate the CodeQL database and run the queries through a CI/CD pipeline. This can detect build injection on the systems that run your CI/CD jobs (and that may be used to build your release artifacts).

Running CodeQL queries with Visual Studio Code

  1. Install the CodeQL extension for VS Code and follow the quick start guide to set up the starter workspace.
  2. Generate a CodeQL database by building the C# source code on the potentially infected build server.
  3. Transfer the CodeQL database to your workstation.
    Note: the CodeQL database itself does not contain any (potentially dangerous) compilation artifacts or infected executables. It contains (1) a plaintext copy of the source code that was compiled, and (2) a relational representation of that code.
  4. Load the potentially affected CodeQL database into VS Code.
  5. Navigate to ql/csharp/ql/src/codeql-suites, where you will find the solorigate.qls CodeQL query suite file. Right-click on the file and select CodeQL: Run Queries in Selected Files.

Screenshot of the UI showing how to run the CodeQL queries

Repeat steps 2-5 for every codebase that is potentially affected.

Running CodeQL queries in GitHub code scanning

To run the additional CodeQL queries on a C# codebase in GitHub code scanning, create the file .github/codeql/solorigate.qls in the repository you want to analyze:

```yaml
- import: codeql-suites/solorigate.qls
  from: codeql-csharp
```

Next, set up the default CodeQL workflow (or edit an existing workflow), and modify the "Initialize CodeQL" section of the template as follows:

```yaml
- name: Initialize CodeQL
  uses: github/codeql-action/init@v1
  with:
    languages: csharp
    queries: ./.github/codeql/solorigate.qls
```

If your code requires special build commands to compile, see the documentation on customizing CodeQL code scanning analysis.

With the above configuration, the additional CodeQL queries will be run on every analysis. If CodeQL detects any malware indicators (Solorigate or otherwise) in your source code, it will produce an alert in the GitHub code scanning web interface.

Screenshot of a code scanning alert

For more information and configuration examples, see the documentation on running custom CodeQL queries in GitHub code scanning.

Next steps

If CodeQL flags up suspicious elements in a product or codebase, you should conduct a careful manual code review of the affected area. In particular, we suggest that you compare the code that was seen by CodeQL to the original source code.
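One way to perform that comparison is to diff the source that the CodeQL extractor actually saw against a clean checkout of the repository. The following script is an added example, not code from the original post or from GitHub's or Microsoft's tooling. It assumes that the CodeQL database directory contains a src.zip holding the plaintext copies of the compiled source files mentioned under step 3 above, keyed by their build-time absolute paths, and it matches those entries to checkout files by relative-path suffix, which is a heuristic. The sample checkout and database that demo() builds are constructed for illustration.

```python
"""Compare the source CodeQL saw during a build with the repository checkout,
to surface files that were altered or added at compile time.

Added example; not code from the original post, GitHub or Microsoft.
Assumption: <database>/src.zip holds plaintext copies of every extracted
source file, keyed by the absolute path used on the build server.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path

SOURCE_SUFFIXES = (".cs",)


def _digest(data: bytes) -> str:
    # Normalise line endings so a CRLF checkout on a Windows build server does
    # not drown real differences in noise.
    return hashlib.sha256(data.replace(b"\r\n", b"\n")).hexdigest()


def checkout_files(repo_root):
    """Map each source file's repo-relative POSIX path to its content hash."""
    root = Path(repo_root)
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            files[path.relative_to(root).as_posix()] = _digest(path.read_bytes())
    return files


def database_files(db_dir):
    """Map each source file inside the database's src.zip to its content hash."""
    files = {}
    with zipfile.ZipFile(Path(db_dir) / "src.zip") as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(SOURCE_SUFFIXES):
                continue
            files[info.filename] = _digest(zf.read(info))
    return files


def compare(db_dir, repo_root):
    """Return the files whose content differs, and the files the build compiled
    that do not exist in the checkout at all (both are review candidates)."""
    repo = checkout_files(repo_root)
    db = database_files(db_dir)
    modified, not_in_checkout = [], []
    for entry, digest in sorted(db.items()):
        # Zip keys are build-server absolute paths; match on relative suffix and
        # prefer the longest match when several checkout files would fit.
        matches = [rel for rel in repo if entry == rel or entry.endswith("/" + rel)]
        if not matches:
            not_in_checkout.append(entry)
            continue
        rel = max(matches, key=len)
        if repo[rel] != digest:
            modified.append((entry, rel))
    return {"modified": modified, "not_in_checkout": not_in_checkout}


def demo():
    """Constructed checkout and database (not real Solorigate data) to exercise compare()."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "checkout"
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "Program.cs").write_text("class Program { static void Main() {} }\n")
        (repo / "src" / "Helpers.cs").write_text("static class Helpers { }\n")

        db = Path(tmp) / "codeql-db"
        db.mkdir()
        with zipfile.ZipFile(db / "src.zip", "w") as zf:
            # Identical content, CRLF endings as seen on the build server.
            zf.writestr("C_/agent/src/Program.cs", "class Program { static void Main() {} }\r\n")
            # Content that was changed between checkout and compilation.
            zf.writestr("C_/agent/src/Helpers.cs", "static class Helpers { static void Beacon() { } }\r\n")
            # A file the compiler saw that the repository does not contain.
            zf.writestr("C_/agent/src/Extra.cs", "class Extra { }\r\n")
        return compare(db, repo)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Run compare() with the database copied off the suspect server and a fresh checkout of the same commit; anything listed under "modified" or "not_in_checkout" is where the manual review should start. A clean result only covers source the extractor saw, so, as the next paragraph notes, it does not by itself rule out compromise.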

The queries contributed by Microsoft's Solorigate response team serve as a heuristic for detecting backdoors like the one involved in the Solorigate attack. A negative result does not necessarily rule out that a system or network is compromised. Analyzing codebases using CodeQL should be considered just one part of a mosaic of techniques to audit for compromise. For more information on the attack and advice on other auditing techniques, please refer to the Microsoft Solorigate Resource Center.

If you have any questions about CodeQL and Solorigate, please contact your GitHub Advanced Security representative. If you are not currently a GitHub customer, please contact us via this form and we will be happy to assist further.

Further reading

If you would like to learn more about the technical background of the Solorigate queries, see this post on the Microsoft blog.