Wednesday, December 16, 2020

SolarWinds Breach

Reuters (via Zack Whittaker, Hacker News):

On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce.


Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”


Others - including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress - noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

TJ Luoma:

Wait… is this the same SolarWinds that bought Pingdom a few years ago?

SaveBreach (via Hacker News):

As per the screenshot posted by Vinoth, which we wrote about in our previous post, SolarWinds were possibly using unencrypted plain FTP server for their Downloads server in the age of global CDN technologies. However, not a direct attack vector its very likely that the FTP server had more vulnerabilities and unencrypted communication can always be intercepted, and modified. But we don’t believe this maybe something as concerning as the FTP password leak.


To corroborate his claim, Vinoth shared the the following link to the Configuration file exposed that was exposed in the mib-importer GitHub repo possibly belonging to a SolarWinds employee[…] So we concluded that the credentials to the FTP server and other potentially sensitive information in that exposed repository possibly existed for more than 1 year in the public domain until Vinoth reported it to the SolarWinds PSIRT.


Update (2020-12-24): See also: Brian Krebs, Nick Heer, Bruce Schneier.

John Gruber:

This hack should be Exhibit A in the response to every future dummy in the government who advocates for mandatory encryption backdoors on the grounds that you can trust the government with the keys.

Update (2021-01-01): Bruce Schneier:

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.


SolarWinds has removed its customer list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.

Microsoft (via Hacker News):

Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.

Update (2021-02-05): See also: Bruce Schneier.

Update (2021-09-08): Bruce Schneier:

Robert Chesney wrote up the Solar Winds story as a case study, and it’s a really good summary.

Update (2023-05-03): Bruce Schneier:

New reporting from Wired reveals that the Department of Justice detected the SolarWinds attack six months before Mandiant detected it in December 2020, but didn’t realize what it detected—and so ignored it.

Nick Heer:

Zetter’s thorough investigation into the circumstances of the 2020 SolarWinds breach — including her previously reported story about the FBI’s foreknowledge — is worth your time. It is also a reminder to me that the circumstances of Bloomberg’s Supermicro story, another supposed supply chain compromise, remain mysteriously uncorroborated and without similar on-the-record journalism.


Update (2024-06-18): Renee Dudley:

Former employee says software giant dismissed his warnings about a critical flaw because it feared losing government business. Russian hackers later used the weakness to breach the National Nuclear Security Administration, among others.

Via Nick Heer:

It seems that both Microsoft and the Department of Justice knew well before anyone else — perhaps as early as 2016 in Microsoft’s case — yet neither did anything with that information. Other things were deemed more important.

Comments RSS · Twitter

Leave a Comment