savebreach.com
2400:8904::f03c:92ff:fe4f:ad5f  Public Scan

URL: https://savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/
Submission: On April 30 via api from CA — Scanned from CA


news


SOLARWINDS EXPOSED FTP CREDENTIALS IN PUBLIC GITHUB REPO: US GOVERNMENT BREACH

SolarWinds exposed their FTP server credentials in a public GitHub repo, which
was identified by cybersecurity expert Vinoth Kumar, who reported it to
SolarWinds in 2019. Did poor security practices lead to the US Government
breach?


Save Breach

14 Dec 2020 • 7 min read

SolarWinds' credentials exposure from 2019 gives an important clue to how the
breach at FireEye and the US government possibly took place. It sheds light on a
very important aspect that organizations often ignore: their insecure practices
and inefficiency in securing credentials. SaveBreach has identified weak
credentials in hundreds of organizations over the years in which we tested them
or engaged them in pentests, and the SolarWinds breach seems to be just another
case of gross carelessness and weak credentials. Although not confirmed by
official sources, this is what we can conjecture for now. It reveals a very
important piece of the puzzle: the attack was possibly not as sophisticated as
it was reported to be.

> Important – Please note that we are not claiming this is how SolarWinds got
> hacked. This post covers the insecure and lax security practices of SolarWinds
> which might have contributed to the security breach. But we are not saying
> this is how it happened!

In an official blog post published yesterday, FireEye reported that a "highly
evasive attacker" had leveraged the SolarWinds supply chain to compromise
multiple global victims with the SUNBURST backdoor. The original FireEye post is
linked below.

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple
Global Victims With SUNBURST Backdoor
We have discovered a global intrusion campaign, and we are tracking the actors
behind this campaign as UNC2452.
FireEye

FireEye article about the SolarWinds breach

However, a recent tweet from a cybersecurity researcher hints that this
compromise probably dates back to 2019, more than a year before the SolarWinds
and US government breaches were reported, and that the attacker might have been
able to take over their servers through very simple techniques. Password
spraying is a very common technique employed by malicious attackers to
compromise systems. In the case of SolarWinds it was even simpler, and weak
credentials may have made the hacker's job easier still.


SOLARWINDS EXPOSED THEIR FTP CREDENTIALS IN A PUBLIC GITHUB REPOSITORY

Cybersecurity expert Vinoth Kumar hinted that the perpetrator may have breached
SolarWinds and its clients quite easily, which affects the US government and
top organizations worldwide. Kumar posted the following tweet today:


Vinoth Kumar's tweet regarding the exposed FTP credentials of SolarWinds

For readers who couldn't fully follow the tweet: Vinoth had apparently gained
access to a SolarWinds FTP server on 19th November 2019, more than a year ago,
through FTP credentials leaked in a public SolarWinds GitHub repo (apparently in
a configuration file, as can be seen in the email screenshot above). He
responsibly reported the incident to the SolarWinds PSIRT team.

The tweet includes a screenshot of Vinoth's email communication with the
SolarWinds security team, who seem to have acknowledged the issue, but it's
unclear whether SolarWinds hardened their server security after the incident.


NATION-STATE ADVERSARY OR, A SIMPLE GITHUB LEAK?

Exposing passwords in public GitHub repositories is a very common security lapse
among organizations, but one that can be prevented quite easily with secure
practices. We have identified thousands of credentials belonging to companies
and responsibly reported such cases. This happened in the case of SolarWinds
too: Vinoth found FTP server credentials that allowed both read and write access
to SolarWinds' FTP server. This critical vulnerability could have allowed an
attacker to upload malicious files and binaries to the SolarWinds Downloads FTP
server, which made the SolarWinds Orion software available to its clients for
download.

Vinoth confirmed that the leaked FTP credentials had write access by uploading a
test file to the vulnerable FTP server, downloads.solarwinds.com. That server
apparently hosts very important files; if they were tampered with, the results
could be disastrous, and this was likely the cause of the recent US Government
breach.


SOLARWINDS MIGHT HAVE BEEN COMPROMISED AT LEAST A YEAR AGO, IN NOVEMBER 2019

The last reply from SolarWinds' PSIRT team to Vinoth came on 22nd November 2019,
three days after his report:


SolarWinds Security Team's response to Vinoth Kumar acknowledging the
vulnerability

They informed him that the GitHub repository exposing the credentials had
subsequently been taken down by SolarWinds. The exposure may nonetheless have
played an important role in the latest security breach of SolarWinds that led to
the US Government breach.


COMPLEX ATTACK OR, A CASE OF WEAK CREDENTIALS?

Vinoth further mentions in the tweet that the password was *****123. Our guess,
filling in the redacted part, is that the password of that FTP server was
solarwinds123, which is a very weak credential; solarwinds123 is an example of
the weakest credentials one can think of. The credentials of the FTP download
server exposed on the SolarWinds GitHub repo are as follows –
solarwindsnet:solarwinds123

It would take seconds for automated credential-stuffing tools to get into
SolarWinds' network, leading to the supply-chain delivery of the malware used in
this attack, which seems to be the case here. Weak and easy-to-guess credentials
continue to be a very common cause of breaches. While performing pentests and bug
hunting research, we have observed a lot of big companies using admin:admin and
other easy-to-guess credentials on their internal panels.

This is an ideal example of what the consequences of weak credentials can be.
Organizations should learn from these breaches how easy it is for attackers to
compromise an entire organization just by guessing credentials and performing
credential stuffing attacks.

Although more than this led to the series of events, the exposed and weak
credentials might have played a major role in the SolarWinds hack. The
attackers might have been able to gain persistence by obtaining SolarWinds
internal credentials, and then to backdoor SolarWinds Orion (what FireEye called
the SUNBURST backdoor,
https://downloads.solarwinds.com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp)
by uploading it to the SolarWinds Downloads FTP server and distributing it via
the SolarWinds website to its clients.


Q&A WITH CYBERSECURITY EXPERT VINOTH KUMAR

We asked cybersecurity expert Vinoth about his opinions on this breach, and how
organizations can secure themselves from such sophisticated attacks.

Q: As you mentioned you found some credentials in the open, do you think the
attackers went for a similar approach to use simple OSINT techniques in order to
exfiltrate the data?

Vinoth: I think the attackers must have used the same approach as the FTP server
was open & credentials were not strong enough. But it was a sophisticated attack
as the binaries were signed.

Q: How do you think organizations can protect themselves from breaches and
exposing their credentials?

Vinoth: Normally most companies, including us, use automated scanners for
GitHub repo scanning to detect any leaked internal credentials; also, credential
scanning should be part of the SDLC process.

Vinoth's social handles and website – vinothsparrow and VinothKumar.me


NOTABLE VICTIMS OF THE SOLARWINDS BREACH

Notable victims include the US Treasury, the US NTIA, and possibly FireEye
itself. Beyond these, the victims include various governmental, consulting,
tech, telecom and extractive entities worldwide. The vulnerability affected
certain backdoored versions of the SolarWinds Orion Platform.


WHO ARE POSSIBLY AFFECTED?

Below is a list of SolarWinds clients, though it's not clear whether all are
affected. As per SolarWinds, the breach only affected clients using certain
backdoored versions of the SolarWinds Orion software. As per the SolarWinds
website, it's currently used by –

 * More than 425 of the US Fortune 500
 * All ten of the top ten US telecommunications companies
 * All five branches of the US Military
 * The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA,
   Department of Justice, and the Office of the President of the United States
 * All five of the top five US accounting firms
 * Hundreds of universities and colleges worldwide

SOME OF SOLARWINDS' CLIENTS

(Some yet to confirm if they are affected)

Acxiom, Ameritrade, AT&T, Bellsouth Telecommunications, Best Western Intl.,
Blue Cross Blue Shield, Booz Allen Hamilton, Boston Consulting, Cable &
Wireless, Cablecom Media AG, Cablevision, CBS, Charter Communications, Cisco,
CitiFinancial, City of Nashville, City of Tampa, Clemson University, Comcast
Cable, Gillette Deutschland GmbH, Harvard University, Hertz Corporation, ING
Direct, IntelSat, J.D. Byrider, Johns Hopkins University, Kennedy Space Center,
Kodak, Korea Telecom, Leggett and Platt, Level 3 Communications, Liz Claiborne,
Lockheed Martin, Lucent, MasterCard, McDonald's Restaurants, Microsoft, National
Park Service, NCR, NEC, Nestle, New York Power Authority, New York Times,
Nielsen Media Research, Nortel, Perot Systems Japan, Phillips Petroleum,
Pricewaterhouse Coopers, Procter & Gamble, US Dept. Of Defense, US Postal
Service, US Secret Service, Visa USA, Volvo, Williams Communications, Yahoo


PROTECTION FROM GITHUB LEAKS AND CREDENTIAL STUFFING ATTACKS

Organizations should perform thorough security audits and maintain a bug bounty
program. In this case, Vinoth was able to identify the exposed credentials
possibly through a simple GitHub dork, and the fact that the credentials were
possibly weak would have made the hacker's life even easier.
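Vinoth's recommendation above, that credential scanning be part of the SDLC, and this section's point that the credentials were findable with a simple GitHub search, can be turned into a pre-commit check. The following is an added example written for this page, not SaveBreach's internal tooling or anything from the post: a small Python scanner that flags hard-coded credentials in config-style files (key = value secrets and user:password@host URLs) and applies the weak-password heuristics the post describes, such as a company name followed by a short digit suffix or a common default like admin. The sample configuration, its hostnames, ORG_NAME and the heuristics are all constructed for illustration, and the report never echoes the secret itself.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample configuration file; hosts and credentials are placeholders,
# not the SolarWinds file the post describes.
SAMPLE_CONFIG = """\
[deploy]
ftp_host = downloads.example.com
ftp_user = exampleuser
ftp_password = example123
upload_url = ftp://deploy:deploy2020@files.example.com/releases/
api_token = ${API_TOKEN}
"""

# Hypothetical organisation name, used to spot "<company>123"-style passwords.
ORG_NAME = "example"

# A few common default passwords; a real deployment would use a larger list.
COMMON_WEAK = {"admin", "password", "123456", "changeme", "welcome", "letmein"}

# key = value / key: value lines whose key looks like it holds a secret.
KEY_VALUE_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[=:]\s*(?P<value>\S+)\s*$",
    re.IGNORECASE,
)
# URLs that embed user:password@ credentials.
URL_CRED_RE = re.compile(
    r"\b(?P<scheme>ftps?|sftp|https?)://(?P<user>[^:/\s@]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s]+)"
)


@dataclass
class Finding:
    line: int
    kind: str
    detail: str   # masked; never contains the secret itself
    weak: bool


def is_placeholder(value: str) -> bool:
    """Environment references like ${API_TOKEN} or <fill-me> are not leaks."""
    return value.startswith("${") or (value.startswith("<") and value.endswith(">"))


def is_weak_password(pw: str, org: str = ORG_NAME) -> bool:
    """Heuristics for the kind of credential the post calls out."""
    low = pw.lower()
    if low in COMMON_WEAK or len(pw) < 8:
        return True
    # organisation name plus a short digit suffix, e.g. example123
    if re.fullmatch(rf"{re.escape(org.lower())}[\W_]*\d{{1,4}}", low):
        return True
    # a dictionary-looking word followed by a short number, no symbols at all
    if re.fullmatch(r"[a-z]+\d{1,4}", low):
        return True
    return False


def scan_text(text: str, org: str = ORG_NAME) -> list[Finding]:
    """Return one Finding per embedded credential, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_CRED_RE.finditer(line):
            findings.append(Finding(
                lineno, "url-credential",
                f"{m['scheme']}://{m['user']}:***@{m['host']}",
                is_weak_password(m["pw"], org)))
        m = KEY_VALUE_RE.match(line)
        if m and not is_placeholder(m["value"]):
            findings.append(Finding(
                lineno, "hardcoded-secret", f"{m['key']} = ***",
                is_weak_password(m["value"], org)))
    return findings


def main(paths: list[str]) -> int:
    """Pre-commit style entry point: a non-zero exit blocks the commit."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_CONFIG)]
    total = 0
    for path, text in sources:
        for f in scan_text(text):
            total += 1
            flag = "WEAK" if f.weak else "secret"
            print(f"{path}:{f.line}: {f.kind} ({flag}) {f.detail}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the constructed sample, or pass the staged files from a pre-commit hook; on the sample it reports the `ftp_password` line and the credentialed `upload_url`, both marked WEAK, while the `${API_TOKEN}` reference is correctly ignored.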

Leading startups and companies rely on SaveBreach for in-depth security audits
and pentesting services. We have deployed internal tools that track data
leakage, credential stuffing attacks and GitHub leaks, including the hardest
cases to find.

With years of bug bounty and real-world hacking experience, we think outside the
box in our approach to securing your company's assets so that they are
well-guarded against every unconventional way of compromising your systems.
Reach out to us at team [at] savebreach (.com) to discuss your organization's
security – we can perform a free security pentest so that you can decide whether
to move forward!


SaveBreach | Cyber Security, InfoSec, Bug Bounty, Pentesting & more... © 2023