SolarWinds was hacked because its credentials were publicly available on GitHub


Earlier this week, a massive supply-chain attack affecting SolarWinds and its customers was reported. SolarWinds may have been hacked because its credentials were publicly available on GitHub for a while.

The list of victims continues to grow, and it is now known that hackers have compromised:

  • American information security company FireEye;
  • US Department of the Treasury;
  • US Department of Commerce National Telecommunications and Information Administration (NTIA);
  • National Institutes of Health, US Department of Health (NIH);
  • Cybersecurity and Infrastructure Security Agency, part of the US Department of Homeland Security (DHS CISA);
  • Department of Homeland Security (DHS);
  • US Department of State.

Unknown hackers infected the Orion platform, designed for centralized monitoring and control, with SUNBURST (aka Solorigate) malware. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.

Microsoft, FireEye and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) released their own indicators of compromise and instructions for handling infected systems.

Among the company’s 300,000 customers, only 33,000 are known to have used Orion, and all of them have already been notified of the incident. At the same time, according to SolarWinds, an infected version of the Orion platform was installed on 18,000 clients.

SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network. Many media outlets drew attention to statements by cybersecurity researcher Vinoth Kumar, who claims that credentials for the SolarWinds update server were freely available in the company’s official GitHub repository back in 2018. According to Kumar, he noticed the leak in November, and the password for the server was simply “solarwinds123”.

“Using these credentials, I was able to upload a file to the company’s server, thus proving the system was insecure, about which I notified SolarWinds in November 2020. As a result, the leak was fixed on November 22,” wrote Kumar.

The researcher does not claim that these particular credentials played a role in the hacking of the Orion platform, but admits that it is possible. The malicious Orion binaries were, after all, signed, which points to a wider compromise of the company’s network.

“If they had access to the build servers, they would not need FTP credentials. But if they just got hold of the signing certificate and credentials from FTP, they could modify the .dll, sign it and upload it to the FTP server,” Kumar told The Register.
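The failure Kumar describes, a server password committed to a public repository and weak enough to be guessable, is exactly what a secret scanner run over a repository (or as a pre-commit hook) is meant to catch. The following is an added example, not SolarWinds' or Kumar's code: it scans text for credential-style assignments and for URLs with embedded user:password pairs, ignores obvious placeholders such as `${API_TOKEN}`, and grades each hit as weak when it is short, on a common-password list, built from only one or two character classes, or contains an organisation name hint (the way "solarwinds123" contains "solarwinds"). The sample config, the hostnames and the `org_hints` parameter are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a deploy config as it might be committed by mistake.
SAMPLE_CONFIG = """\
# deploy settings (constructed sample, not real infrastructure)
update_host = downloads.example-vendor.test
ftp_user = builduser
ftp_password = vendorname123
api_token = ${API_TOKEN}
backup_url = ftp://deploy:s3cret-pass@backup.example-vendor.test/uploads
"""

# key = value / key: value where the key looks like a credential field
ASSIGNMENT_RE = re.compile(
    r"""^\s*(?P<key>[\w.-]*(?:pass(?:word)?|passwd|pwd|secret|token|api[_-]?key)[\w.-]*)"""
    r"""\s*[:=]\s*["']?(?P<val>[^"'\s#]+)""",
    re.IGNORECASE,
)
# scheme://user:password@host
URL_CRED_RE = re.compile(r"(?i)\b(?:ftp|ftps|sftp|https?)://[^\s/@:]+:[^\s/@]+@[^\s/]+")
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome", "letmein", "qwerty"}


def is_placeholder(value: str) -> bool:
    """Template references and obvious markers are not real secrets."""
    return value.startswith(("${", "{{", "<")) or value.lower() in {"none", "null", "changeme"}


def is_weak_password(value: str, org_hints=()) -> bool:
    """Cheap weakness heuristics: length, common list, org name, character classes."""
    v = value.lower()
    if len(value) < 12 or v in COMMON_PASSWORDS:
        return True
    if any(h.lower() in v for h in org_hints):
        return True
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 3


def scan_text(text: str, path: str = "<memory>", org_hints=()) -> list:
    """Return one finding per credential-looking assignment or URL credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT_RE.match(line)
        if m and not is_placeholder(m.group("val")):
            findings.append({
                "path": path, "line": lineno, "kind": "assignment",
                "key": m.group("key"),
                "weak": is_weak_password(m.group("val"), org_hints),
            })
        for u in URL_CRED_RE.finditer(line):
            parts = urlsplit(u.group(0))
            findings.append({
                "path": path, "line": lineno, "kind": "url-credential",
                "key": parts.username,
                "weak": is_weak_password(parts.password or "", org_hints),
            })
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "deploy.cfg", org_hints=("vendorname",)):
        flag = "WEAK" if f["weak"] else "present"
        print(f"{f['path']}:{f['line']} {f['kind']} {f['key']!r}: {flag}")
```

Run against a checkout, the same `scan_text` can be applied to every file in `git log -p` output as well, since a secret removed in a later commit is still in history; the findings never include the secret value itself, only its location and weakness grade.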

The theory of leaked credentials is also supported by the Reuters news agency, whose sources say that access to SolarWinds systems had been for sale on the darknet for a long time.

Meanwhile, ZDNet, citing its own industry sources, writes that Microsoft and its partners have seized control of the domain that played a major role in the SolarWinds compromise and sinkholed it.

“The domain avsvmcloud[.]com served as the command-and-control server for the SUNBURST malware, which spread across the networks of 18,000 SolarWinds clients via the malicious version of Orion,” ZDNet’s journalists report.

The publication's sources describe this operation as “protective”, aimed at preventing the malware operators from sending new commands to infected computers.
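Once a command-and-control domain is public and sinkholed, the useful question for a network defender is which internal hosts ever resolved it. The following is an added example, not ZDNet's or Microsoft's tooling: it refangs the defanged IoC quoted above, then walks DNS query-log lines and flags lookups of that domain or any of its subdomains, matching on a label boundary so that an unrelated name that merely ends in the same string is not reported. The BIND-style log lines, client addresses and subdomain labels are constructed for the example.

```python
import re
from collections import Counter

# IoC from the article, kept defanged in the watchlist and refanged before matching.
WATCHLIST_DEFANGED = ["avsvmcloud[.]com"]

# Constructed BIND-style query log; the subdomain labels are invented.
SAMPLE_DNS_LOG = """\
15-Dec-2020 10:02:11.123 client 10.0.5.17#53211: query: www.example-corp.test IN A + (10.0.0.53)
15-Dec-2020 10:02:13.480 client 10.0.5.17#53212: query: x1y2z3.AVSVMCLOUD.COM IN A + (10.0.0.53)
15-Dec-2020 10:02:20.002 client 10.0.8.4#40112: query: notavsvmcloud.com IN A + (10.0.0.53)
15-Dec-2020 10:02:25.917 client 10.0.8.4#40113: query: q9w8e7.avsvmcloud.com. IN A + (10.0.0.53)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a matchable name."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


def matches_watchlist(qname: str, watchlist) -> "str | None":
    """Return the watchlist entry that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for w in watchlist:
        if q == w or q.endswith("." + w):
            return w
    return None


def find_c2_lookups(log_text: str, watchlist_defanged=WATCHLIST_DEFANGED) -> list:
    """Parse query-log lines and return every lookup that hits the watchlist."""
    watchlist = [refang(d) for d in watchlist_defanged]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        matched = matches_watchlist(m["qname"], watchlist)
        if matched:
            hits.append({
                "ts": m["ts"], "client": m["client"],
                "qname": m["qname"], "qtype": m["qtype"], "matched": matched,
            })
    return hits


def hosts_to_investigate(hits) -> Counter:
    """Count hits per client address: each key is a host that needs triage."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    hits = find_c2_lookups(SAMPLE_DNS_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} looked up {h['qname']} (matches {h['matched']})")
    print("hosts to investigate:", dict(hosts_to_investigate(hits)))
```

The watchlist is a plain list, so the other domains from the published indicators of compromise can be added in their defanged form without touching the matching logic; a sinkhole stops new commands, but the resolver log is what tells you which hosts were already talking to the domain before the takeover.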

Let me also remind you that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
