US-based IT monitoring solutions provider SolarWinds has accused a former intern of creating a very weak password for its update server and storing it publicly on GitHub for over a year.
In February, the House Oversight and Homeland Security committees announced they would conduct a hearing to look into the role of private corporations in detecting, preventing, and remediating cyber attacks that caused damage to national security.
The hearing was slated to begin on 26th February and required SolarWinds CEO Sudhakar Ramakrishna, former CEO Kevin Thompson, Microsoft president Brad Smith, and FireEye CEO Kevin Mandia to testify before the two committees.
During a joint hearing by the House Oversight and Homeland Security committees, it came to light that a password securing SolarWinds’ update server was stored in a private GitHub repository between June 2018 and November 2019. What’s more, the password was as guessable as one could be: solarwinds123.
"I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad. You and your company were supposed to be preventing the Russians from reading Defense Department emails!" said US Representative Katie Porter after learning about the password.
In response, SolarWinds CEO Sudhakar Ramakrishna blamed a former intern for having stored this password in the GitHub repository in 2017, adding that once the password was identified, it was rectified within days. Former CEO Kevin Thompson said the intern had made a mistake by storing the password in their private GitHub account.
The password for the SolarWinds update server was first discovered by security researcher Vinoth Kumar, who carried out a proof-of-concept demonstration to show SolarWinds that he could deposit files onto the server. It is not known if Russian hackers used the same exploit to carry out the SolarWinds hack in December.
The infamous hacking incident involved hackers injecting the Supernova malware into vulnerable Orion products, designing it to appear as part of a SolarWinds product and to facilitate the deployment of malicious code into the Orion platform.
The hackers trojanised versions 2019.4 HF 5 through 2020.2.1 of the SolarWinds Orion platform that were released between March and June 2020. Security firm FireEye said it discovered a new campaign by nation-state actors that involved hackers trojanising software updates of the SolarWinds Orion platform with a malware called Sunburst to infect organisations worldwide.
According to The New York Times, while the trojanised software update was downloaded by as many as 18,000 private and public organisations, the Russian hackers behind the operation only targeted specific government agencies and private organisations. These included the Department of Homeland Security, the State Department, parts of the Pentagon, and the U.S. Treasury and Commerce Departments.