The attack was so widespread and potentially catastrophic, the DHS’s cyber wing issued an emergency directive that stated the only way to mitigate damage was to airgap devices and uninstall affected Orion software. Meanwhile, SolarWinds filed an update with the SEC detailing the extent of the damage. It was limited, but only if you consider 18-33,000 potential infections “limited.” It’s only a small percentage because Solarwinds’s customer base is so large. The company boasts 300,000 customers, among them several government agencies and all five branches of the military. (It’s not boasting much these days. It has memory-holed its “Customer” page during this trying time.)
Unfortunately, the directive from CISA was delivered a bit too late. CISA itself was compromised by the hack, something acknowledged by the DHS less than 24 hours after its dire directive was issued.
The fallout from this hacking — which may have begun as early as March of this year — will continue for a long, long time. But this latest news — delivered by Zack Whittaker — adds another layer of irony to the ongoing debacle. Orion is Solarwinds’ one-stop shop for IT software. It promises to secure customers’ IT infrastructure by bundling in the company’s network security products.
No doubt the company claims to take security seriously. But while users are being subjected to password requirements that demand them to utilize most of the alphabet and multiple shift key presses, internal security isn’t nearly as restrictive. Here’s the “OMFG are you goddamn kidding me” news via Reuters, which first broke the news of the malicious hacking.
Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”.
All five branches of the military. The NSA. The IRS. The USPS. DHS. The Treasury Department. Nearly every Fortune 500 company. All ten of the top ten telcos. The list goes on and on. And with this access, attackers could move laterally, using compromised credentials to eavesdrop on mutuals of targeted entities. And all of this “secured” by a password so simple an idiot could have created it.
