SolarWinds, the maker of the Orion network management software that was subverted to distribute backdoored updates, leading to the compromise of multiple US government bodies, was apparently told last year that credentials for its software update server had been exposed in a public GitHub repo.
Vinoth Kumar, a security researcher, claimed on Tuesday he had made such a report to SolarWinds last November, warning that it could be used to upload files to the server. The password he said he found, in plaintext for all to see, is a textbook example of a weak password that never should have been allowed.
In a message to The Register, Kumar said that on November 19, 2019, he told SolarWinds “their update server was accessible with the password ‘solarwinds123’ which is leaking in the public Github repo. They fixed the issue and replied to me on [November 22]. But that Github repo was open for two to three weeks before I reported.”
— Vinoth Kumar (@vinodsparrow) December 14, 2020
Using the exposed account name and password, he was able to upload a file to prove the system was insecure, he said in his report to SolarWinds, adding that an attacker could use the same credentials to upload a malicious executable and add it to a SolarWinds update.
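The failure Kumar describes, a plaintext FTP password committed to a public repository, is exactly what a pre-commit or CI secret scan exists to catch. The following is an added example, not code from The Register, Kumar or SolarWinds: a small scanner that runs over a constructed set of files (all hostnames, paths, user names and values are invented), flags both `password = ...` style assignments and `scheme://user:password@host` URLs, skips environment-variable placeholders, and applies a weakness heuristic for the organisation-name-plus-digits shape that 'solarwinds123' has. The `org_words` parameter and the `Finding` type are this example's own names.

```python
import re
from dataclasses import dataclass

# Two shapes of committed credential this example looks for. The regexes are
# deliberately simple; production scanners carry hundreds of such rules.
CRED_ASSIGN = re.compile(
    r'(?i)(pass(?:word|wd)?|pwd|secret|token)\s*[=:]\s*["\']?([^"\'\s]{4,})["\']?')
URL_CREDS = re.compile(
    r'(?i)\b(ftp|ftps|sftp|https?)://([^:/\s]+):([^@/\s]+)@([^/\s]+)')


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # 'assignment' or '<scheme>-url'
    secret: str
    weak: bool


def is_weak(secret: str, org_words=()) -> bool:
    """Cheap weakness heuristic: too short, digits only, or an organisation
    name followed by at most a few digits/symbols (the 'solarwinds123' shape)."""
    s = secret.lower()
    if len(s) < 12 or s.isdigit():
        return True
    return any(re.fullmatch(re.escape(w.lower()) + r'[0-9!@#$]{0,6}', s)
               for w in org_words)


def scan_text(path: str, text: str, org_words=()) -> list:
    """Return one Finding per line that carries a literal credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = URL_CREDS.search(line)
        if m:
            findings.append(Finding(path, n, m.group(1).lower() + '-url',
                                    m.group(3), is_weak(m.group(3), org_words)))
            continue
        m = CRED_ASSIGN.search(line)
        if m:
            value = m.group(2)
            # ${VAR} / %VAR% are references to the environment, not literals
            if value.startswith('${') or value.startswith('%'):
                continue
            findings.append(Finding(path, n, 'assignment', value,
                                    is_weak(value, org_words)))
    return findings


def scan_repo(files: dict, org_words=()) -> list:
    """files maps path -> contents. In practice, feed this the working tree
    *and* `git log -p` output, so a secret deleted in a later commit is still
    caught: it remains in history for anyone who cloned the repo."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text, org_words))
    return out


# Constructed sample repository; every name and value here is invented.
SAMPLE_FILES = {
    'deploy/upload.ps1': (
        "# constructed sample build script, not any vendor's real file\n"
        "$server = 'downloads.example.test'\n"
        "$password = 'examplecorp123'\n"
        "curl -T build\\Update.msi ftp://deploy:examplecorp123@downloads.example.test/updates/\n"
    ),
    'ci/config.yml': (
        "ftp_password: ${FTP_PASSWORD}\n"
        "token: ${API_TOKEN}\n"
    ),
}

if __name__ == '__main__':
    for f in scan_repo(SAMPLE_FILES, org_words=('examplecorp',)):
        flag = 'WEAK' if f.weak else 'ok-strength'
        print(f'{f.path}:{f.line_no}: {f.kind} credential {f.secret!r} [{flag}]')
```

On the constructed input the scanner reports the two lines in `deploy/upload.ps1` and ignores the `${...}` placeholders in `ci/config.yml`. Detection is only half the response: once a credential has sat in a public repository for any length of time (Kumar says two to three weeks here), rewriting history is pointless because clones may already exist, and the credential has to be rotated.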
SolarWinds did not immediately respond to a request for comment. The developer is having a rough week since it emerged over the weekend that its IT software had been meddled with: its stock price is down 25 per cent since Monday.
According to FireEye, which looked into the Orion case as part of a probe into an intrusion into its own networks, the trojanized updates were digitally signed with a SolarWinds certificate between March and May 2020. The Washington Post reports that unnamed government sources believe the Russian government-backed hacking crew known as APT29, or Cozy Bear, is responsible for inserting the backdoor into the Orion updates so that when installed on victims’ networks – such as the US Treasury and Homeland Security’s infrastructure – miscreants could enter through this hidden access point.
As many as 18,000 of some 300,000 SolarWinds customers are believed to have installed these malicious updates, which included an altered .dll file. The IT company’s customer list includes almost all of the Fortune 500, the US military and British government, and multiple American federal agencies.
Kumar is not saying the allegedly exposed server credentials played a role in the compromise of SolarWinds' Orion platform, though he acknowledges that's a possibility. If anything, it's an indicator of the state of SolarWinds' security practices.
“I think it would be possible the attackers could have used the same FTP credentials initially before they acquired a signing certificate,” he said.
“If they had accessed the build servers, they wouldn’t need FTP credentials. But if they just got hold of a signing certificate and FTP credentials, they could modify the .dll, sign it, and upload it to the FTP server.”
Kumar said that once the malicious .dll used for the attack is analyzed to determine whether it was modified or recompiled from source, we may have a better idea about that. “But either way, it was really a weak security measure from a big company,” he said.
In its 8-K [PDF] securities filing on Monday, SolarWinds said its Microsoft Office 365 accounts had been hijacked and its build system had been abused, which argues against the possibility that the exposed FTP credentials were used to upload the malicious code.
“Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the ‘Relevant Period’), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” the filing to the SEC stated. ®