In a strange turn of events, a security researcher has claimed that they previously informed SolarWinds that its forward-facing servers were accessible using a ridiculously basic password. In 2019, the researcher advised the company at the root of the SolarWinds cyberattack that its password security was severely lacking.
Still, the company did not update the passwords in question.
SolarWinds officials claimed that the breached passwords were put in place by an intern, but that doesn’t exactly absolve the company of any wrongdoing.
SolarWinds Pins Leaked Password on Intern
Currently, researchers and security companies around the world are attempting to piece together what happened during one of the most far-reaching cyberattacks in modern history.
The top brass at SolarWinds is blaming a former intern for leaking its password, with the company claiming that the intern used the same password across its network. Once the attackers figured out the main password protecting the site, they could have free rein inside the operation.
Wondering how basic the password was? The allegedly leaked password was “solarwinds123”, which is truly astonishing if true, given the scope of SolarWinds’ operations and clientele.
SolarWinds CEO Sudhakar Ramakrishna said that the company is investigating claims that the attackers brute-forced a host of accounts to find an insecure entry route. Even if that is true, it still raises significant questions regarding the internal security practices of a company supplying software to major government agencies.
When questioned by Representative Rashida Tlaib, former SolarWinds CEO Kevin Thompson said the password issue was “a mistake that an intern made.”
However, with that explanation, the company is admitting to three massive issues.
First, the company allowed an intern to access front-facing software and allowed them to change the password? Many in the security community find this unbelievable at face value.
Second, assuming that is the case, SolarWinds did no follow-up checks on the intern’s account for password changes and other potentially vital interactions with the platform? Again, security experts cast doubt on this claim, given the quality of SolarWinds’ clientele and the potential danger a breach could lead to, as we have now seen.
Third, SolarWinds said that the password was changed back in 2017. If that’s the case, and the company didn’t vet a password put in place by an intern more than three years previously, there is another massive security issue here.
SolarWinds Isn’t Done
The SolarWinds cyberattack has claimed several major scalps, not least the security companies and government departments that fell victim to the attack. However, the latest set of allegations to arise from the attack paints the company at the root of the issue, SolarWinds, in a bad light.
Or, as Representative Katie Porter of California said at the US Senate SolarWinds hearing held earlier this week, “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”