[German]Was sloppiness or at least a lax security culture at the US software manufacturer SolarWinds possibly responsible for their compromised updates of the Orion products, that has been shipped for months with the SUNBURST Trojan? This Trojan has been used to hack numerous US government agencies and the security vendor FireEye in recent months. Here is a look into a security abyss …
Review of the 'SUNBURST hack'
It has been known for a few days that the security provider FireEye and a number of US authorities were hacked. In the articles US Treasury and US NTIA hacked and FireEye hacked, Red Team tools stolen I had reported about successful hacks of the US security company FireEye as well as the US Treasury and other US agencies. Hackers had been able to intrude their IT systems for months, read mails and pull documents.
In the publications, based on an analysis by the security company FireEye, there is always talk of a 'sophisticated cyber attack' by state hackers. They succeeded in a coup by compromising the update process of the software manufacturer SolarWinds in a chain supply attack. With its Orion product range, SolarWinds supplies monitoring software for Windows that can be used to monitor an IT infrastructure and its networks. The software therefore has the appropriate privileges to access Active Directory structures, etc.
SolarWinds' network and security products are used by top companies, government agencies and educational institutions. SolarWinds also serves the major U.S. telecommunications companies, all five branches of the U.S. military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States. NATO and co. are also among them. Anyone who compromises the SolarWinds Orion products can penetrate the infrastructure that is monitored by the tools. This can all be read in my articles linked above.
Did it need a sophisticated SolarWinds hack?
The exciting question now is: How did the (presumably state-related) hackers (from the environment of the presumably Russian foreign intelligence service) manage to overcome the SolarWinds security barriers in order to insert their Trojan into a signed DLLS that was rolled out via a signed update package?
Short answer: I don't currently know. But after 35 years as an IT writer and 13 years as a blogger, nothing is foreign. There are servers open, passwords of the Password123 kind in use, or an administrator simply needs a bit of money, and there you go. However, I confess that my jaw dropped when I received a special comment on a post at a German forum. A reader pointed me to the tweet below, written by security researcher Vinoth Kumar.
Vinoth Kumar alerted the SolarWinds security team on September 19, 2019 – a year ago – that he had found a password for their upload and download server in a GitHub repository.
If you enlarge the screenshot in the above tweet, you will find the information for FTP access including password in plain text in an XML configuration file (Kumar has removed the information in the screenshot, however). At the time, the security researcher uploaded a .txt file as a proof of concept and wrote that any hacker could upload malicious program files (.exe) via this way. These would then be distributed with each release of SolarWinds products. Kumar emailed the Product Security Response Team (PSIRT) about this finding at the time. Then, on November 22, 2019, the response came from the SolarWinds security people.
The security team thanked Kumar and stated that they have closed this vulnerability. SaveTheBreach compiled the story in this article on December 14, 2020. It is now known that the FTP password used was *****123 (it is colocated admin123). It doesn't matter, such passwords are cracked very quickly via credential stuffing (where lists of known passwords are tried out).
To put it clearly: The above case is no proof that the successful attack on the supply chain with the placement of the Trojan in a DLL digitally signed by SolarWinds was done via the simple FTP approach. Vinoth Kumar says in a Q&A on SaveTheBreach that he believes the attack was sophisticated. But he states that the incident already sheds a telling light on the security culture of the company that provides monitoring software. If the security culture of a company has such weaknesses, it is already permissible to assume that there are other problem areas that may have been exploitable by the attackers.
In a filing to U.S. Securities and Exchange Commission SolarWinds confirmed, that they has been informed from Microsoft about a compromised Office 365 too (see also this article). So it's totally unclear, which parts of the SolarWinds infrastructure has been compromised.
Final Note: Security vender Volexity reported here, that the hacker behind the SolarWinds attack has been observed within another operation, where the same thread actor was able to bypass a Multifactor Authentification (MFA) and intrudes three times into a startup. So it seems that the thread actors are having advanced skills.