The SolarWinds saga keeps getting worse as time goes by. Several days ago, news broke that some 18,000 companies had been compromised by a nation-state actor. The attackers in question are believed to be affiliated with Cozy Bear, aka APT29, aka the Russian government. The hack has hit multiple US government agencies, the security company FireEye, and a whole lot of other companies.
When these sorts of breaches occur, a major question is how the hackers were able to gain entry in the first place. SolarWinds is a major US company that develops network and infrastructure management software, and it has an enormous client list. It appears security researchers have been trying to get the company to pay attention to major flaws in its defenses for some time.
Security researcher Vinoth Kumar told Reuters that he contacted the company in 2019, alerting it that anyone could access its update server by guessing the password “solarwinds123.” Reuters also reports that hackers claiming they could sell access to SolarWinds’ computers since 2017. It is not clear from the wording of the story whether the offer was for a method of infiltrating SolarWinds itself, or if the black hat was offering to sell access to computers that used SolarWinds software.
Then, there’s this tidbit:
“Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress – noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.”
I want to be clear that this specific password is not thought to be the means by which Cozy Bear accessed SolarWinds network management tool, dubbed Orion, but it speaks to a terrible security culture at the company, given the data security needs of its customers. Because Orion is often used to manage routers and switches inside large corporate networks, penetrating the software gave black hats a marvelous window into the external and internal network traffic of nearly 20,000 companies, federal agencies, and other types of organizations.
Because the investigation is still ongoing, there’s a lot we don’t know, but roughly 33,000 customers out of a total customer base of 330,000 customers, are said to have deployed Orion. If SolarWinds figures are accurate, that means up to 54 percent of the product’s customer base may be compromised. We do know that APT29 didn’t directly compromise SolarWinds’ source code repository; the attack targeted the software build system.
FireEye describes the infection route as follows:
The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com.
The hackers that pulled off this attack are very, very good. New information suggests they were behind a series of attacks on a particular think tank back in 2019 and 2020. Ars Technica has more on this (it’s a little tangential to SolarWinds, but useful if you want to read more about what Cozy Bear has been doing and the tactics it uses).
There has been a flurry of news stories in the past few days. SolarWinds has taken down its high-profile client list, possibly to protect them from bad publicity. Microsoft and some of its industry partners have seized the command-and-control domain used to run the compromised machines.
The investigation into this hack is still ongoing and we don’t yet know the details of how it happened, but attacks of this scale and complexity are typically very serious. SolarWinds’ compromised software was used to penetrate the CDC, the Department of Homeland Security, the Justice Department, the Pentagon, and the State Department. Investigators expect they may uncover multiple attack vectors, rather than a single point of attack.
Investigations into the hack are ongoing at every level, but the United States Cyber Infrastructure and Security Agency is currently missing its head because President Donald Trump fired Christopher Krebs for refusing to endorse or support his baseless claims of electoral fraud. There have also been longstanding concerns that CISA lacks sufficient resources to respond to a crisis of this scope and size.
“We’re doing OK right now,” an anonymous CISA employee told Politico, but “that seems likely to change… Many agencies don’t know how on fire they are yet.”
This story is developing on a day-by-day basis, as new information comes to light. The weak password on the SolarWinds update server, while perhaps not directly responsible for the company’s current predicament, says little good about the underlying security situation.
- Google Uncovers iPhone Exploit That Can Steal Data Over Wi-Fi
- Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
- Microsoft Spots Android Ransomware That Hijacks Your Home Button