We're not saying this is how SolarWinds was backdoored, but its FTP password 'leaked on GitHub in plaintext'

'solarwinds123' won't inspire confidence, if true

Updated SolarWinds, the maker of the Orion network management software that was subverted to distribute backdoored updates that led to the compromise of multiple US government bodies, was apparently told last year that credentials for its software update server had been exposed in a public GitHub repo.

Vinoth Kumar, a security researcher, claimed on Tuesday he had made such a report to SolarWinds last November, warning that it could be used to upload files to the server. The password he said he found, in plaintext for all to see, is a textbook example of a weak password that never should have been allowed.

In a message to The Register, Kumar said that on November 19, 2019, he told SolarWinds "their update server was accessible with the password 'solarwinds123' which is leaking in the public Github repo. They fixed the issue and replied to me on [November 22]."

Kumar initially said the repo had been open for two to three weeks but subsequently said he'd learned it had been that way since June 2018.

Using the exposed account name and password, he was able to upload a file to prove the system was insecure, he said he wrote in his report to SolarWinds, adding that a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.

SolarWinds did not immediately respond to a request for comment. The developer is having a rough week since it emerged over the weekend that its IT software had been meddled with: its stock price is down 25 per cent since Monday.

According to FireEye, which looked into the Orion case as part of a probe into an intrusion into its own networks, the trojanized updates were digitally signed with a SolarWinds certificate between March and May 2020. The Washington Post reports that unnamed sources believe the Russian government-backed hacking crew known as APT29, or Cozy Bear, is responsible for inserting the backdoor into the Orion updates so that when installed on victims' networks – such as the US Treasury and Homeland Security's infrastructure – miscreants could enter through this hidden access point.


SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks


As many as 18,000 of some 300,000 SolarWinds customers are believed to have installed these malicious updates, which included an altered .dll file. The IT company's customer list includes almost all of the Fortune 500, the US military and British government, and multiple American federal agencies.

Kumar is not saying alleged exposed server credentials played a role in the compromise of SolarWinds' Orion platform, though he acknowledges that's a possibility. If anything, it's an indicator SolarWinds' security prowess.

"I think it would be possible the attackers could have used the same FTP credentials initially before they acquired a signing certificate," he said.

"If they had accessed the build servers, they wouldn’t need FTP credentials. But if they just got hold of a signing certificate and FTP credentials, they could modify the .dll, sign it, and upload it to the FTP server."

Kumar said that once the malicious .dll used for the attack is analyzed to determine whether it was modified or recompiled from source, we may have a better idea about that. "But either way, it was really a weak security measure from a big company," he said.

In its 8-K [PDF] securities filing on Monday, SolarWinds said its Microsoft Office 365 accounts had been hijacked, and build system had been abused, which argues against the possibility that the exposed FTP credentials were used to upload malicious code.

"Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the 'Relevant Period'), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products," the filing to the SEC stated. ®

Updated to add

Reuters reports that multiple criminals on underground forums had offered to sell access to SolarWinds’ computers.

Tech Resources

The State of Application Security 2020

Forrester analyzed the state of application security in 2020 and found over 75% of external attacks are attributed to web application and software exploits.

How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

Webcast Slide Deck | Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Anatomy of a Private Cloud

Learn the key elements that combined, build a true Private Cloud

Biting the hand that feeds IT © 1998–2021