The SolarWinds Perfect Storm: Default Password, Access Sales and More
Meanwhile, Microsoft and other vendors are quickly moving to block the Sunburst backdoor used in the attack.
A perfect storm may have come together to make SolarWinds such a successful attack vector for the global supply-chain cyberattack discovered this week – including its use of a default password (“SolarWinds123”) that gave attackers an open door into its software-updating mechanism.
That story is unfolding as defenders take action. Microsoft, for instance, began blocking the versions of SolarWinds updates containing the malicious binary, known as the “Sunburst” backdoor, starting Wednesday.
The backdoor was injected into SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed SolarWinds component of the Orion software framework; the DLL is a plugin that communicates over HTTP with third-party servers.
“Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries,” a Microsoft security blog explained. Microsoft calls the backdoor “Solorigate.”
On Monday, SolarWinds confirmed that adversaries (likely nation-state-backed) were able to inject malicious code into normal software updates for the Orion network-management platform. This installed the Sunburst/Solorigate backdoor inside the platform, which the attackers were subsequently able to take advantage of in targeted attacks on the U.S. Departments of Treasury and Commerce, DHS, FireEye and others around the world.
In all, SolarWinds said that it pushed out tainted software updates to almost 18,000 government agencies, contractors and enterprises over the course of the incident (between March and June), as Threatpost previously reported.
Orion is a product with such market dominance that company CEO Kevin Thompson bragged on an October earnings call that “we don’t think anyone else in the market is really even close in terms of the breadth of coverage we have. We manage everyone’s network gear.”
That alone would make it an irresistible target for a widespread supply-chain attack, but other alleged security lapses appear to have sealed the deal.
For instance, security researcher Vinoth Kumar told Reuters that he discovered a hard-coded password for access to SolarWinds’ update server last year – the very easy-to-guess “solarwinds123.”
“This could have been done by any attacker, easily,” Kumar told the news service.
Sources also told Reuters that cybercriminals were spotted hawking access to SolarWinds’ infrastructure in underground forums, as far back as 2017. One of the access-dealers, they said, was the notorious Kazakh native known as “fxmsp,” who made headlines last year for hacking McAfee, Symantec and Trend Micro, and who is wanted by the Feds for perpetrating a widespread backdoor operation spanning six continents.
To boot, a German newspaper flagged the fact that SolarWinds has a support page advising users to disable antivirus scanning for Orion products’ folders in order to avoid interfering with the product’s functioning. It’s not an uncommon practice, but security researchers did note that it makes the platform more of a target:
This is nuts. Solarwinds had a support page (now removed) advising users to DISABLE antivirus scanning for Orion products’ folders.
— Costin Raiu (@craiu) December 16, 2020
Also, even though the last push of the trojanized updates happened in June, the malicious updates remained available for download until this week. And Huntress researcher Kyle Hanslovan said that he has seen the malicious DLL still available via various update mechanisms.
Threatpost has reached out to Hanslovan and other researchers for more information on all of these findings. For its part, SolarWinds has declined to issue any statement other than what it said in a media statement on Sunday: “We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.”
For now, researchers said that organizations should take steps to assess whether they are infected with Sunburst/Solorigate and, if so, whether they were targeted for further intrusion.
“While not every SolarWinds customer was likely a primary target for this particular activity, that doesn’t mean that additional persistence mechanisms were established en masse in a way that would affect most or all customers,” Daniel Trauner, director of security, Axonius, told Threatpost. “Disabling any servers running backdoored versions of the product and disconnecting those hosts from your network is smart, but that’s certainly not enough. Organizations should immediately look for evidence of further persistence or lateral movement from those hosts. This applies to those who have already patched as well.”
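The two defender-side checks the article points at (antivirus exclusions covering Orion folders, and finding out whether a host carries the backdoored DLL) can be scripted for triage. The following is an added example, not code from the article or from SolarWinds; it assumes the default Orion install path and a known-bad hash list that you must fill from published indicators (the values below are placeholders).

```powershell
# Added example (not from the article or SolarWinds): triage checks a defender
# can run on a host suspected of carrying a trojanized Orion build.
# Assumptions: Orion is installed under the default path below, and the
# known-bad SHA-256 values are supplied by you from published indicators;
# the entries here are placeholders, not real IoCs.
$OrionRoot      = 'C:\Program Files (x86)\SolarWinds\Orion'
$KnownBadSha256 = @(
    'PLACEHOLDER_SHA256_FROM_PUBLISHED_INDICATORS_1',
    'PLACEHOLDER_SHA256_FROM_PUBLISHED_INDICATORS_2'
)

# 1. The article notes a (since removed) support page told customers to
#    exclude Orion folders from antivirus scanning. List any Defender path
#    exclusions that cover SolarWinds/Orion so they can be reviewed.
$exclusions      = (Get-MpPreference).ExclusionPath
$orionExclusions = $exclusions | Where-Object { $_ -match 'SolarWinds|Orion' }
if ($orionExclusions) {
    Write-Warning 'Defender path exclusions covering Orion found:'
    $orionExclusions | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'No Defender path exclusions reference SolarWinds/Orion.'
}

# 2. Locate every copy of the component named in the article and record its
#    hash and signer. The backdoored DLL carried a valid SolarWinds signature,
#    so a 'Valid' signature status is NOT evidence the file is clean; only the
#    hash comparison against published indicators is.
Get-ChildItem -Path $OrionRoot -Recurse -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Version   = $_.VersionInfo.FileVersion
            Sha256    = $hash
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            KnownBad  = $KnownBadSha256 -contains $hash
        }
    } | Format-List
```

Run it elevated on the Orion host; a KnownBad of True means the host should be isolated and the search for further persistence or lateral movement that Trauner describes should begin, and a True result with a Valid signature is exactly the case the hash check exists for.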
Source: Threatpost – Tara Seals
