SolarWinds’ update server was accessible by using the simple password “solarwinds123” in late 2019, according to a security researcher.
News broke on Sunday that SolarWinds’ OrionIT product was hacked as far back as March, with malware added to a software update that was downloaded by thousands of clients. The cyberattack went undetected for months, compromising the computers at top federal government agencies and potentially impacting hundreds of prominent American corporations.
As the damage continues to be investigated, experts have begun pointing to concerns about potentially substandard security protocols. Security researcher Vinoth Kumar told Reuters he alerted SolarWinds last year that its update server could easily be accessed by anyone using the simple password: “solarwinds123.”
“This could have been done by any attacker, easily,” Kumar told the news agency.
When reached for comment by Newsweek, Kumar forwarded his email correspondence with SolarWinds. He first notified the company of the issue on November 19, 2019. SolarWinds’ information security team responded a few days later on November 22, 2019.
“Thank you again for reporting the misconfiguration in a responsible manner. The GitHub repository misconfiguration has been addressed and it’s no longer publicly accessible, also treatment has been applied to the exposed credentials. We’d like to ask that you verify this on your end,” the team wrote in response to Kumar.
Kumar initially told Newsweek that the issue had been present for more than three weeks before it was fixed. After this article was published, the researcher followed up to say that he had discovered the problem appeared to have been present as far back as June 2018.
A spokesperson for SolarWinds declined to comment, citing an ongoing investigation.
Multiple government clients of SolarWinds—including the Department of Homeland Security, the Treasury Department and the Commerce Department—were reportedly compromised due to the cyberattack. It is not clear whether the password issue had any bearing on the successful cyberattack, but it demonstrates a potential failure on the part of the company to adequately safeguard its security. The hack is believed to have begun in the spring, several months after Kumar identified the password issue on the update server.
On Tuesday, the White House National Security Council said that a “Cyber Unified Coordination Group (UCG) has been established to ensure continued unity of effort across the United States Government in response to a significant cyber incident.” The UCG is intended to centralize coordination for investigating major cyberattacks.
Earlier, on Sunday, the Cybersecurity and Infrastructure Security Agency (CISA) at DHS released an emergency directive ordering government agencies to identify and shut down use of the SolarWinds software by noon on Monday. Private companies have been scrambling to determine whether any of their data was accessed or stolen.
“SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” the company said in an SEC filing on Monday.
Although responsibility for the cyberattack has not been confirmed, Russia has emerged as a prime suspect. Russia’s embassy in Washington, D.C. and a spokesperson for Russian President Vladimir Putin have denied that the country was involved.
Updated December 15, 2020 at 6:08 p.m. ET: This article has been updated with additional comment from Vinoth Kumar, and to note that SolarWinds declined to comment.