Top executives of the SolarWinds firm believe that the root cause of the recently disclosed supply chain attack is an intern that has used a weak password for several years.
Initial investigation suggested that the password “solarwinds123” was publicly accessible via a misconfigured GitHub repository since June 17, 2018. The issue was addressed on November 22, 2019.
In December, Security researcher Vinoth Kumar revealed he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company’s download website in the clear text. An attacker could have used these credentials to upload tainted updates to the company download site.
New details emerged about the security breach, in a hearing before the House Committees on Oversight and Reform and Homeland Security, CEO Sudhakar Ramakrishna confirmed that the password had been in use as early as 2017.
A preliminary investigation revealed that the threat actors behind the SolarWinds attack compromised the SolarWinds Orion supply chain as early as October 2019, but later Crowdstrikes’ researchers dated the initial compromise on September 4, 2019.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”
“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.
The investigators don’t exclude the use of stolen credentials and brute-force attacks as possible attack vectors.
Confronted by Rep. Rashida Tlaib, former SolarWinds CEO Kevin Thompson declared that the password issue was “a mistake that an intern made.” “They violated our password policies and they posted that password on an internal, on their own private Github account,” Thompson explained. “As soon as it was identified and brought to the attention of my security team, they took that down.”
According to SolarWinds, up to 18,000 customers may have been impacted by the supply chain attack, including prominent IT and security firms (Microsoft, FireEye, Malwarebytes, CrowdStrike, and Mimecast), several Government agencies (Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health), the National Aeronautics and Space Administration (NSA), and the Federal Aviation Administration (FAA).
“In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States,” Microsoft President Brad Smith said during the hearing.
Experts pointed out that attackers are very advanced and did all the best to remain under the radar, such as launching the attack from inside the United States to cover its activities.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, supply chain attack)