SolarWinds Conveniently Shifts Blame onto an Intern for One of History’s Most Sophisticated Security Breaches
The world is still reeling from one of history’s most carefully planned and sophisticated security breaches: the compromise of SolarWinds, carried out through 2020 and disclosed in December 2020.
The SolarWinds hack: what happened
To recap, this was a ‘supply chain attack’ on Orion, a network management platform made by SolarWinds, an IT management and remote monitoring software company. A supply chain attack is one that compromises a weaker link in a supply chain (here, a software vendor’s build and update pipeline) in order to reach the real targets further down the chain.
In this case, compromising the Orion build and update process gave the attackers, believed to be Russian (suspected to be Cozy Bear, AKA APT29), a foothold inside the internal networks and traffic of hundreds of the company’s clients.
The attackers got into SolarWinds’ build environment and planted a trojanized DLL inside a legitimate Orion hotfix (a Windows Installer patch). Because the package was signed with SolarWinds’ own code-signing certificate, it passed signature checks and was pushed through the normal update channel to Orion customers drawn from the company’s 300,000+ customer base, including Fortune 500 companies, government agencies, and even top security providers such as FireEye.
An update on all the ‘solarwinds123’ drama
According to reports, around 18,000 customers installed the trojanized update, and the full extent of the intrusion is still being analyzed. As more damage is uncovered, SolarWinds’ executives have claimed little to no responsibility, conveniently shifting the blame for the critical password lapse onto an intern who was allegedly unsupervised when it happened, a mistake that then went unnoticed for years.
We find that strange!
The password “solarwinds123” is reported to have been publicly accessible in a GitHub repository since at least June 2018. It was November 2019 before an outside researcher reported the leak to SolarWinds, and December 2020 before FireEye finally caught a whiff of ‘something being off’.
Sudhakar Ramakrishna, the current CEO of SolarWinds, testified in a joint hearing of the House Oversight and Homeland Security Committees that the ‘solarwinds123’ password had been in use since 2017.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPads,” Rep. Katie Porter of California said. Ramakrishna responded: “I believe that was a password that an intern used on one of his servers back in 2017, which was reported to our security team, and it was immediately removed.”
Ramakrishna’s statement was backed up by the company’s former CEO, Kevin Thompson, who testified: “That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down.”
It appears that the company had been warned, though
It has also recently surfaced that the leak was discovered and reported to the company by security researcher Vinoth Kumar, who described a public GitHub repository containing FTP credentials for SolarWinds’ download website. He warned the company that black hats could use those credentials to inject malware into a SolarWinds update, putting the security of thousands of companies at risk.
An email exchange between SolarWinds and Kumar shows that the leaked credentials let Kumar log in to the server and upload a file of his own, proof that the researcher had tested the issue in depth and had been in contact with SolarWinds about it. Write access to a download server is exactly what an attacker needs to swap a legitimate installer for a trojanized one; whether this particular leak played any part in the actual intrusion has not been established.
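The scenario above (FTP credentials for a download server sitting in a public GitHub repository) is exactly what a secret scanner run as a pre-commit hook is meant to catch before a commit ever leaves the developer’s machine. The following is an added example written for this article, not code from SolarWinds, Ivacy, or the researcher; the sample config file, the two credential regexes, and the weak-password heuristic (including treating an organization name followed by digits, the ‘solarwinds123’ shape, as weak) are constructed assumptions.

```python
"""Credential-leak scanner: a minimal pre-commit check that flags passwords
embedded in URLs or assigned to password-like variables, and rates them.

Added example, not SolarWinds or Ivacy code. The sample config and the
weak-password heuristics are constructed assumptions for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Two common ways credentials end up in source: a URL with an embedded
# user:password pair, and a password-ish variable assignment (optionally
# prefixed, e.g. FTP_PASSWORD= or db_pwd:). Group 2 is always the password.
CREDENTIAL_PATTERNS = {
    "url_with_password": re.compile(
        r"\b(?:ftp|ftps|sftp|https?)://([^\s:/@]+):([^\s@/]+)@\S+", re.IGNORECASE
    ),
    "password_assignment": re.compile(
        r"\b(?:\w*_)?(pass(?:word|wd)?|pwd)\b\s*[:=]\s*['\"]?([^'\"\s]+)['\"]?",
        re.IGNORECASE,
    ),
}

# Tiny denylist; a real scanner would load a breached-password list instead.
WEAK_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty", "welcome"}


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # key from CREDENTIAL_PATTERNS
    secret: str    # the password value that was found
    weak: bool     # True if is_weak_password() also fires


def is_weak_password(password: str, org_names=("solarwinds",)) -> bool:
    """Heuristic: too short, on the denylist, or just an organization name
    plus digits. org_names is an assumed per-deployment config value."""
    lower = password.lower()
    if len(password) < 12 or lower in WEAK_PASSWORDS:
        return True
    return any(re.fullmatch(re.escape(org) + r"\d*", lower) for org in org_names)


def scan_text(text: str, org_names=("solarwinds",)) -> list:
    """Return a Finding for every credential-looking match, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(2)
                findings.append(
                    Finding(line_no, kind, secret, is_weak_password(secret, org_names))
                )
    return findings


# Constructed sample of a deployment config; not a real SolarWinds file.
SAMPLE_CONFIG = """\
# deploy.cfg (constructed sample)
FTP_HOST = downloads.example.com
FTP_USER = deploybot
FTP_PASSWORD = solarwinds123
backup_url = ftp://backup:Tr0ub4dor&3xample!2019@backup.example.com/orion
timeout = 30
"""


def main(argv=None) -> int:
    """Scan the files named on the command line (or the sample when none are
    given); exit 1 on any finding so the script can block a git commit."""
    argv = sys.argv[1:] if argv is None else argv
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv]
    if not sources:
        sources = [("<sample>", SAMPLE_CONFIG)]
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            total += 1
            label = "WEAK " if f.weak else ""
            masked = f.secret[:4] + "*" * (len(f.secret) - 4)   # never echo the secret
            print(f"{name}:{f.line_no}: {label}{f.kind}: {masked}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run with no arguments to scan the embedded sample, which reports the ‘solarwinds123’ assignment as weak and the FTP URL on the next line as a leaked (if stronger) credential. To use it as a hook, call it from `.git/hooks/pre-commit` with the staged file names; the non-zero exit blocks the commit. The regex list is deliberately short and will miss base64 blobs, tokens and keys, which is why production tools pair patterns like these with entropy checks and a breached-password list.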
Soon after, in January 2021, the company was hit with a lawsuit that sought to hold it accountable for failing to disclose that the “Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran,” and that the SolarWinds update server was secured by a password as weak as “solarwinds123”.
A word on the extent of damage
Apart from infiltrating the networks of big names such as Microsoft, Mimecast, Malwarebytes, and FireEye, the group is also suspected of having used SolarWinds as a springboard into a sea of government organizations, including the FAA (Federal Aviation Administration) and NASA (National Aeronautics and Space Administration).
The investigation is still ongoing and may take several more months, so the extent and scope of the damage remain unclear. According to Kevin Mandia, CEO of FireEye, the security company that first discovered the intrusion, we may never really know how much damage the hack has caused.
“The bottom line: We may never know the full range and extent of damage, and we may never know the full range and extent as to how the stolen information is benefitting an adversary,” he concluded.
Tighten up your security with Ivacy
That said, steps have been taken to strengthen security around the tech sector’s supply chains: Microsoft released the open-source CodeQL queries it used to hunt for Solorigate-style implant patterns in its own source code, and other companies can run the same queries against their own code bases to check for those patterns.
A much simpler step, however, is to use a data breach checking tool to gauge how exposed your data already is. If you want to check how secure your password is, Ivacy’s password checker is a free, easy-to-use tool that estimates its strength by telling you how much time it would take to crack it.
Not sure what to use as a password? Ivacy’s free password generator will produce a unique, strong password for you, giving your data an extra layer of protection.