16 December 2020

HOLY SHIT HOW BAD IS THIS Part 2: Anyone Could Access SolarWinds' Password "solarwinds123"

Hard-to-believe it was so easy. . . (from Tim Cushing again publishing in Techdirt)
The SolarWinds Perfect Storm: Default Password, Access Sales and More | Threatpost
"No doubt the company claims to take security seriously. But while users are being subjected to password requirements that demand them to utilize most of the alphabet and multiple shift key presses, internal security isn't nearly as restrictive.
Hackers at center of sprawling spy campaign turned SolarWinds' dominance against it | NewsNation Now

Here's the "OMFG are you goddamn kidding me" news via Reuters, which first broke the news of the malicious hacking.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”.

All five branches of the military. The NSA. The IRS. The USPS. DHS. The Treasury Department. Nearly every Fortune 500 company. All ten of the top ten telcos. The list goes on and on. And with this access, attackers could move laterally, using compromised credentials to eavesdrop on mutuals of targeted entities.

And all of this "secured" by a password so simple an idiot could have created it.

SolarWinds hackers' capabilities include bypassing MFA - Help Net Security

We're fucked. And we're fucked by people making far more money than we are who take our security far less seriously than we do. Say what you will about the security ambivalence of the general public, but it's the "experts" who endanger us with lax security measures who do the most damage . . ."

Filed Under: dhs, hackers, infrastructure, passwords, security
Companies: solarwinds 

-----------------------------------------------------------------------------------------------------------------------------

Security Researcher Reveals Solarwinds' Update Server Was 'Secured' With The Password 'solarwinds123'

(Mis)Uses of Technology

from the [checks-luggage-combination] dept

Wed, Dec 16th 2020 3:27amTim Cushing

"As was noted here earlier, up to 18,000 customers of globally-dominant network infrastructure vendor SolarWinds may have been compromised by malicious hackers. The hackers -- presumed to be operating on behalf of the Russian government -- deployed tainted updates (served up by SolarWinds) that gave them backdoors to snoop on internal communications and exfiltrate sensitive data.

The attack was so widespread and potentially catastrophic, the DHS's cyber wing issued an emergency directive that stated the only way to mitigate damage was to airgap devices and uninstall affected Orion software. Meanwhile, SolarWinds filed an update with the SEC detailing the extent of the damage. It was limited, but only if you consider 18-33,000 potential infections "limited." It's only a small percentage because Solarwinds's customer base is so large. The company boasts 300,000 customers, among them several government agencies and all five branches of the military. (It's not boasting much these days. It has memory-holed its "Customer" page during this trying time.)

Unfortunately, the directive from CISA was delivered a bit too late. CISA itself was compromised by the hack, something acknowledged by the DHS less than 24 hours after its dire directive was issued.

The fallout from this hacking -- which may have begun as early as March of this year -- will continue for a long, long time . . ."
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)