[BreachExchange] SolarWinds Blames Intern for 'solarwinds123' Password Lapse

[Destry Winant]

https://thehackernews.com/2021/03/solarwinds-blame-intern-for-weak.html

As cybersecurity researchers continue to piece together the sprawling
SolarWinds supply chain attack, top executives of the Texas-based
software services firm blamed an intern for a critical password lapse
that went unnoticed for several years.

The said password "solarwinds123" was originally believed to have been
publicly accessible via a GitHub repository since June 17, 2018,
before the misconfiguration was addressed on November 22, 2019.

But in a hearing before the House Committees on Oversight and Reform
and Homeland Security on SolarWinds on Friday, CEO Sudhakar
Ramakrishna testified that the password had been in use as early as
2017.

While a preliminary investigation into the attack revealed that the
operators behind the espionage campaign managed to compromise the
software build and code signing infrastructure of SolarWinds Orion
platform as early as October 2019 to deliver the Sunburst backdoor,
Crowdstrike's incident response efforts pointed to a revised timeline
that established the first breach of SolarWinds network on September
4, 2019.

To date, at least nine government agencies and 100 private sector
companies have been breached in what's being described as one of the
most sophisticated and well-planned operations that involved injecting
the malicious implant into the Orion Software Platform with the goal
of compromising its customers.

"A mistake that an intern made."

"I've got a stronger password than 'solarwinds123' to stop my kids
from watching too much YouTube on their iPad," Representative Katie
Porter of California said. "You and your company were supposed to be
preventing the Russians from reading Defense Department emails."

"I believe that was a password that an intern used on one of his
servers back in 2017 which was reported to our security team and it
was immediately removed," Ramakrishna said in response to Porter.

Former CEO Kevin Thompson echoed Ramakrishna's statement during the
testimony. "That related to a mistake that an intern made, and they
violated our password policies and they posted that password on their
own private GitHub account," Thompson said. "As soon as it was
identified and brought to the attention of my security team, they took
that down."

Security researcher Vinoth Kumar disclosed in December that he
notified the company of a publicly accessible GitHub repository that
was leaking the FTP credentials of the company's download website in
the clear, adding a hacker could use the credentials to upload a
malicious executable and add it to a SolarWinds update.

In the weeks following the revelation, SolarWinds was hit with a
class-action lawsuit in January 2021 that alleged the company failed
to disclose that "since mid-2020, SolarWinds Orion monitoring products
had a vulnerability that allowed hackers to compromise the server upon
which the products ran," and that "SolarWinds' update server had an
easily accessible password of 'solarwinds123'," as a result of which
the company "would suffer significant reputational harm."

While it's still not clear as to the extent the leaked password may
have enabled the hack, a third-party spokesperson for the company
claimed to the contrary.

"SolarWinds has determined that the credentials using that password
were for a third-party vendor application and not for access to the
SolarWinds IT systems," the spokesperson said. "Furthermore, the
third-party application did not connect with the SolarWinds IT
systems. As such, SolarWinds has determined that the credentials using
this password had nothing to do with the SUNBURST attack or other
breach of the company's IT systems."

NASA and FAA Also Targeted

Up to 18,000 SolarWinds customers are believed to have received the
trojanized Orion update, although the threat actor behind the
operation carefully chose their targets, opting to escalate the
attacks only in a handful of cases by deploying Teardrop malware based
on intel amassed during an initial reconnaissance of the target
environment for high-value accounts and assets.

Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes,
and Mimecast, the attackers are also said to have used SolarWinds as a
jumping-off point to penetrate the National Aeronautics and Space
Administration (NSA) and the Federal Aviation Administration (FAA),
according to the Washington Post.

The seven other breached agencies are the Departments of State,
Justice, Commerce, Homeland Security, Energy, Treasury, and the
National Institutes of Health.

"In addition to this estimate, we have identified additional
government and private sector victims in other countries, and we
believe it is highly likely that there remain other victims not yet
identified, perhaps especially in regions where cloud migration is not
as far advanced as it is in the United States," Microsoft President
Brad Smith said during the hearing.

The threat group, alleged to be of Russian origin, is being tracked
under different monikers, including UNC2452 (FireEye), SolarStorm
(Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo
(Volexity).

"The hackers launched the hack from inside the United States, which
further made it difficult for the U.S. government to observe their
activity," Deputy National Security Advisor Anne Neuberger said in a
White House briefing last month. "This is a sophisticated actor who
did their best to hide their tracks. We believe it took them months to
plan and execute this compromise."

Adopting a "Secure by Design" Approach

Likening the SolarWinds cyberattack to a "large-scale series of home
invasions," Smith urged the need for strengthening the tech sector's
software and hardware supply chains, and promoting broader sharing of
threat intelligence for real-time responses during such incidents.

To that effect, Microsoft has open-sourced CodeQL queries used to hunt
for Solorigate activity, which it says could be used by other
organizations to analyze their source code at scale and check for
indicators of compromise (IoCs) and coding patterns associated with
the attack.

In a related development, cybersecurity researchers speaking to The
Wall Street Journal disclosed that the suspected Russian hackers used
Amazon's cloud-computing data centers to mount a key part of the
campaign, throwing fresh light on the scope of the attacks and the
tactics employed by the group. The tech giant, however, has so far not
made its insights into the hacking activity public.

SolarWinds, for its part, said it's implementing the knowledge gained
from the incident to evolve into a company that is "Secure by Design"
and that it's deploying additional threat protection and threat
hunting software across all its network endpoints including measures
to safeguard its development environments.