SolarWinds' credentials exposure from 2019 gives an important clue to how the breach at FireEye and US government possibly took place. It sheds light over a very important aspect that organizations often ignore – their insecure practices and inefficiency in securing credentials. SaveBreach has identified weak credentials in hundreds of organizations over the course of years that we tested or, engaged in pentest with, and the SolarWinds breach seems to be just another case of gross carelessness and weak credentials. Although not confirmed by official sources, this is what we can conjecture for now. This reveals a very important piece of the puzzle, that is  the attack was possibly not as sophisticated as it was reported to be.

Important – Please note that we are not claiming this is how SolarWinds got hacked. This post covers the insecure and lax security practices of SolarWinds which might have contributed to the security breach. But we are not saying this is how, it happened!

In an official blog post published yesterday, FireEye said a "highly evasive attacker by leveraging SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor". The original blog post from FireEye has been linked below

Highly Evasive Attacker Leverages SolarWinds Supply Chain to CompromiseMultiple Global Victims With SUNBURST Backdoor
We have discovered a global intrusion campaign, and we are tracking the actors behind this campaign as UNC2452.
FireEye article about the SolarWind breach

However, a recent tweet from a cybersecurity researcher hints at the fact this compromise probably dates back to 2019, that is more than an year before the SolarWinds and US government breach were reported, and the attacker might have been able to own their servers through very simple techniques. Password spraying is a very common technique employed by malicious attackers to compromise systems. In the case of SolarWinds this was even simpler, and weaker credentials may have made the hacker's job just more easier.

SolarWinds Exposed their FTP credentials in a public GitHub Repository

Cybersecurity expert, Vinoth Kumar hinted at the fact that the perpetrator may have breached SolarWinds and its clients quite easily – this affects the US government, and top organizations worldwide. Kumar made the following tweet today,

Vinoth Kumar's tweet regarding the exposed FTP credentials of SolarWinds

For the readers who couldn't fully understand the tweet, Vinoth had apparently gotten access to a SolarWinds FTP server on 19th November, 2019 through FTP credentials leaked in a SolarWinds public GitHub repo (apparently a configuration file as can be observed from the above email screenshot) which is more than one year ago. He responsibly reported this security incident to the SolarWinds PSIRT team.

The above tweet includes a screenshot of Vinoth's email communication with the SolarWinds' security team who seem to have acknowledged the issue, but its unclear whether after the incident SolarWinds hardened their server security.

Nation-State adversary or, a simple Github Leak?

Exposing password in public GitHub repositories is a very common security lapse among organizations but can be prevented quite easily with secure practices. We have identified thousands of credentials belonging to companies and responsibly reported such cases. This happened in the case of SolarWinds too, Vinoth found their FTP server credentials which allowed read as well as write access to SolarWinds' FTP server. This critical vulnerability could have allowed them to upload malicious files and binaries to the SolarWinds Downloads FTP server, which made the SolarWinds Orion software available to its clients for download.

Vinoth confirmed that the FTP credentials SolarWinds leaked had write access by uploading a test file to the vulnerable FTP server – which apparently hosts very important files, and if tampered with, the results can be disastrous, which was likely the reason of the US Government breach that happened recently.

SolarWinds might have been compromised at least an year ago, in November 2019

SolarWinds' PSIRT team's last reply to Vinoth was on 22nd November, 2019 which is 3 days after his report,

SolarWinds Security Team's response to Vinoth Kumar acknowledging the vulnerability

They have informed him that the Github repository exposing the credentials was subsequently taken down by SolarWinds. This may have played an important role in the latest security breach of SolarWinds that led to the US Government breach.

Complex Attack or, a Case of Weak Credentials?

Vinoth further mentions in the tweet that the password was *****123. Our guess is that, the password of that FTP server was solarwinds123, leaving the redacted part, which is a very weak credential. solarwinds123 is an example of the weakest credentials one can think of.  Credentials of the FTP download server which was exposed on the SolarWinds GitHub repo are as follows – solarwindsnet:solarwinds123

It would take seconds for advanced credential stuffing tools to exfiltrate into SolarWinds networks leading to the supply chain of the malware used in this attack, which seems to be the case here. Weak and easy to guess credentials continue to be a very common cause of breaches that happens these days. We have observed a lot of big companies using admin:admin and easy to guess credentials in their internal panels, while we performed pentests and bug hunting research.

This is an ideal example to learn from, what the consequence of weak credentials can be. Organizations should learn from these breaches how easy it is for attackers to compromise an entire organization just by guessing credentials and performing password stuffing attacks.

Although there is more to it that led to the series of events, but the exposed and weak credentials might have played a major role in the SolarWinds hack. The attackers might have been able to gain persistence by obtaining SolarWinds internal credentials and then able to backdoor the SolarWinds Orion (which FireEye called the SUNBURST backdoor, by uploading it to the SolarWinds Downloads FTP server, and distributing the same via SolarWinds website to its clients.

Q&A with Cybersecurity Expert Vinoth Kumar

We asked cybersecurity expert Vinoth about his opinions on this breach, and how organizations can secure themselves from such sophisticated attacks.

Q: As you mentioned you found some credentials in the open, do you think the attackers went for a similar approach to use simple OSINT techniques in order to exfiltrate the data?

Vinoth: I think the attackers must have used the same approach as the FTP server was open & credentials were not strong enough. But it was a sophisticated attack as the binaries were signed.

Q: How do you think organizations can protect themselves from breaches and exposing their credentials?

Vinoth: Normally most of the companies includes us use the automated scanner for GitHub repos scanning to see any leaked internal credential also security credential scanning should be part of SDLC process.

Vinoth's social handles and website – vinothsparrow and

Notable Victims of the SolarWinds Breach

US Treasury, the US NTIA, and possibly FireEye itself. Besides, the victims include various governmental, consulting, tech, telecom and extractive entities worldwide. The vulnerability affected certain backdoored versions of SolarWinds Orion Platform.

Who are possibly affected?

Below is a list of SolarWinds clients however its not clear if all are affected. As per SolarWinds, the breach only affected clients using certain backdoored versions of the Solarwind Orion software. As per the SolarWinds website, its currently being used by –

  • More than 425 of the US Fortune 500
  • All ten of the top ten US telecommunications companies
  • All five branches of the US Military
  • The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
  • All five of the top five US accounting firms
  • Hundreds of universities and colleges worldwide

Some of Solarwind's Clients

(Some yet to confirm if they are affected)

Acxiom,Ameritrade,AT&T,Bellsouth Telecommunications,Best Western Intl.,Blue Cross Blue Shield,Booz Allen Hamilton,Boston Consulting,Cable & Wireless,Cablecom Media AG,Cablevision,CBS,Charter Communications,Cisco,CitiFinancial,City of Nashville,City of Tampa,Clemson University,Comcast Cable,Gillette Deutschland GmbH,Harvard University,Hertz Corporation,ING Direct,IntelSat,J.D. Byrider,Johns Hopkins University,Kennedy Space Center,Kodak,Korea Telecom,Leggett and Platt,Level 3 Communications,Liz Claiborne,Lockheed Martin,Lucent,MasterCard,McDonald’s Restaurants,Microsoft,National Park Service,NCR,NEC,Nestle,New York Power Authority,New York Times,Nielsen Media Research,Nortel,Perot Systems Japan,Phillips Petroleum,Pricewaterhouse Coopers,Procter & Gamble,US Dept. Of Defense,US Postal Service,US Secret Service,Visa USA,Volvo,Williams Communications,Yahoo

Protection from GitHub Leaks and Credential Stuffing attacks

Organizations should perform through security audits and maintain bug bounty program. As in this case, Vinoth was able to identify the exposed credentials possibly through a simple GitHub dork. And the fact that the credentials were possibly weak, should make the hacker's life even easier.

Leading startups and companies rely on SaveBreach for in-depth security audits, and pentesting services. We have deployed internal tools that are able to find the hardest ways to track leakage of data, credential stuffing attacks and monitor GitHub leaks.

With years from bug bounty and actual hacking experience, we think out of the box in our approach to securing your company's assets so that they are well-guarded against every unconventional way to compromise your systems. Reach out to us at team [at] savebreach (.com) to discuss about your organization's security – we can perform a Free security pentest so that you can decide whether to move forward!