SolarWinds CEO Blames Intern for GitHub Password Fiasco


The CEO of SolarWinds has admitted in a Congressional committee hearing that an easily-guessable password for the company’s critical update server was stored in a private GitHub repository for more than a year.

Not long after one of the most dreadful cyberattacks in U.S. history destroyed SolarWinds’ reputation as a supplier of secure IT monitoring solutions to organizations worldwide, the company has found itself embroiled in another controversy centered on its data security practices.

In a joint hearing of the U.S. House of Representatives Oversight and Homeland Security committees on Friday, SolarWinds CEO Sudhakar Ramakrishna admitted that an intern assigned the company’s update server the password ‘solarwinds123’ and, if that was not enough, posted the password to their private GitHub account, which anyone could access.

Ramakrishna, who replaced former CEO Kevin Thompson in January, said at the hearing that the weak password was in use in 2017. According to Vinoth Kumar, the security researcher who discovered the password on GitHub, SolarWinds didn’t fix the problem until November 2019. So if the password had in fact been used to infiltrate SolarWinds systems, that could have happened as early as November 2019 rather than March 2020.
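The failure described above is two controls missed at once: a password that violated policy, and a credential committed to a repository in the clear. The following is an added example, not code from the article or from SolarWinds, showing the kind of check a pre-commit hook or CI step can run over files before they land in a repository. The credential key names, the policy rules, the forbidden word list and the sample configuration file are all constructed for the demonstration.

```python
"""Added example: flag literal credentials in files before they are committed,
and rate obviously weak ones against a simple password policy.
Everything here (key names, policy, sample file) is constructed for illustration."""
import re
from typing import Dict, List

# Assignment shapes commonly seen in config files and scripts, e.g.
#   password = solarwinds123     api_key: "abc"     token=xyz
CREDENTIAL_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b'
    r'\s*[:=]\s*["\']?([^"\'\s]+)["\']?'
)

# Words a password must never contain (assumed policy: product and company names).
FORBIDDEN_SUBSTRINGS = ("solarwinds",)


def weakness_reasons(secret: str, forbidden=FORBIDDEN_SUBSTRINGS) -> List[str]:
    """Return the policy rules a candidate secret violates; empty list means none."""
    reasons = []
    if len(secret) < 12:
        reasons.append("shorter than 12 characters")
    low = secret.lower()
    for word in forbidden:
        if word in low:
            reasons.append(f"contains forbidden word '{word}'")
    # A bare word followed by a few digits ('solarwinds123') is a classic weak shape.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", secret):
        reasons.append("dictionary word followed by a short digit suffix")
    classes = sum(
        bool(re.search(p, secret))
        for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def scan_text(text: str, path: str = "<memory>") -> List[Dict]:
    """Find literal credential assignments in text and attach policy findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CREDENTIAL_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            # References to injected secrets (${VAR}, ENV:NAME) are fine; literals are not.
            if value.startswith("${") or value.upper().startswith("ENV:"):
                continue
            findings.append({
                "path": path, "line": lineno, "key": key,
                "value": value, "weak": weakness_reasons(value),
            })
    return findings


# Constructed sample of an update-server config that should never be committed.
SAMPLE = """\
# deployment settings for the update server (constructed sample)
ftp_host = updates.example.invalid
username = deploy
password = solarwinds123
api_key = "${DEPLOY_API_KEY}"
"""


def main() -> int:
    """Exit non-zero when any literal credential is found, as a commit hook would."""
    findings = scan_text(SAMPLE, "update-server.cfg")
    for f in findings:
        print(f"{f['path']}:{f['line']}: literal {f['key']} committed", end="")
        print(f" ({'; '.join(f['weak'])})" if f["weak"] else "")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The hook blocks on any literal credential, not only on weak ones: a strong password in a repository is still a leak. The `${...}` and `ENV:` exemptions let configuration reference a secret injected at deploy time, which is the pattern the check is meant to push teams toward.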

Was reading about a sophisticated attack on FireEye leveraging Solarwinds. Hmmm how that would happened?🤔. Then realized their password was *****123 🤣 #FireEye #SolarWinds

— Vinoth Kumar (@vinodsparrow) December 14, 2020

“They violated our password policies and they posted that password on an internal, on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down,” Kevin Thompson, the former CEO of SolarWinds, said in the hearing.


According to Microsoft President Brad Smith, the SolarWinds hack was the “largest and most sophisticated attack the world has ever seen.” The attack, a cyber espionage campaign, impacted nine federal government agencies and infected 18,000 companies including Microsoft, all of which used SolarWinds Orion, a network monitoring tool.

The hacking of the Orion platform was allegedly perpetrated by a state-sponsored Russian actor known as APT29, also known as Cozy Bear. According to CrowdStrike, APT29 is the same group that compromised the Democratic National Committee’s email servers in 2016. The cyberattack came to light on December 9 when FireEye disclosed that a nation-state group had hacked its systems to gain access to its internal hacking tools. Days later, it emerged that a SolarWinds Orion software update infected with malicious code had been downloaded and installed by 18,000 enterprise customers.

According to security researchers at Silverfort, the hackers behind the SolarWinds cyberattack could have exploited service accounts used by the company to move laterally within the network, a common technique that abuses the weaknesses typically associated with service accounts. According to the researchers, movement across an organizational network through in-house service accounts becomes a risky proposition when access policies are improperly defined, especially when a service account is externally exposed.

Aside from being subjected to a Congressional hearing in the aftermath of the cyberattack, SolarWinds was also slapped with a class-action lawsuit in January by one of its Texas-based shareholders.


The lawsuit states, “Specifically, Defendants made false and/or misleading statements and/or failed to disclose that: (1) since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran; (2) SolarWinds’ update server had an easily accessible password of ‘solarwinds123’; (3) consequently, SolarWinds’ customers, including, among others, the Federal Government, Microsoft, Cisco, and Nvidia, would be vulnerable to hacks; (4) as a result, the Company would suffer significant reputational harm; and (5) as a result, Defendants’ statements about SolarWinds’s business, operations and prospects were materially false and misleading and/or lacked a reasonable basis at all relevant times.”

In January, SolarWinds affirmed its resolve for better security practices by instilling a ‘secure by design’ culture for its critical business and product development systems. We just hope it isn’t too little, too late.
