Earlier this week, a massive supply chain attack affecting SolarWinds and its customers was reported. SolarWinds may have been hacked because its credentials were publicly available on GitHub for a while.
The list of victims continues to grow, and it is now known that hackers have compromised:
- American information security company FireEye;
- US Department of the Treasury;
- National Telecommunications and Information Administration (NTIA) of the US Department of Commerce;
- National Institutes of Health (NIH) of the US Department of Health;
- Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security (DHS CISA);
- Department of Homeland Security (DHS);
- US Department of State.
Unknown hackers infected the Orion platform, designed for centralized monitoring and control, with SUNBURST (aka Solorigate) malware. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.
Microsoft, FireEye and the Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security (DHS CISA) have released their own indicators of compromise and instructions for handling infected systems.
Among the company’s 300,000 customers, only 33,000 are known to have used Orion, and all of them have already been notified of the incident. At the same time, according to SolarWinds, an infected version of the Orion platform was installed on 18,000 clients.
SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network. Many media outlets drew attention to the statements of cybersecurity researcher Vinoth Kumar, who claims that the credentials for the SolarWinds update server were freely available in the company’s official GitHub repository back in 2018. According to Kumar, he noticed this leak in November, and the password for the server was simple: “solarwinds123”.
The researcher does not claim that this particular credential played any role in the hacking of the Orion platform, but admits that it is possible. The fact is that the malicious Orion binaries were nevertheless signed, which points to a wider compromise of the company’s network.
The leaked-credentials theory is also confirmed by the Reuters news agency, whose sources say that access to SolarWinds systems had been for sale on the darknet for a long time.
Meanwhile, ZDNet, citing its own industry sources, writes that Microsoft and its partners have seized control of the domain that played a major role in the SolarWinds compromise and sinkholed it.
Sources of the publication describe this operation as “protective”, aimed at preventing malware operators from sending new commands to infected computers.
Let me also remind you that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.