A security researcher alerted network software giant SolarWinds last year that its software update server could be accessed using the password: “solarwinds123.”
“This could have been done by any attacker, easily,” Vinoth Kumar, the security researcher, said about discovering the relatively insecure password.
SolarWinds is facing increased scrutiny after disclosing that it has been the subject of a major hack. The company serves the vast majority of Fortune 500 companies and major U.S. government agencies.
Another cybersecurity expert, Kyle Hanslovan, noticed days after SolarWinds realized their software had been compromised the malicious updates were still available for download.
The company said in a Securities and Exchange Commission filing that it believes up to 18,000 customers installed updates of its Orion network, which experts say opened them up to an attack that centered around a malware known as SUNBURST.
“There has been significant media coverage of attacks on U.S. government agencies and other companies, with many of those reports attributing those attacks to a vulnerability in the Orion products. SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in any of the reported attacks,” SolarWinds said in a filing to the Securities and Exchange Commission on Monday.
SolarWinds serves over 300,000 customers around the world. According to a partial customer listing that was taken offline, customers include all five branches of the U.S. military, more than 425 of the U.S. Fortune 500, and the Office of the President of the United States.
The companies include Dominion Voting Systems, which provides voting equipment and software to 28 states. Dominion’s CEO told state lawmakers in Michigan on Tuesday that the company has never used the SolarWinds Orion product which is subject to the vulnerability.
The Department of Homeland Security’s Cybersecurity & Infrastructure Agency (CISA) on Monday ordered all agencies that had downloaded the updates in question to disconnect the affected devices, saying it was the only known mitigation measure at present.
SolarWinds said on its website that its systems “experienced a highly sophisticated, manual supply chain attack,” adding, “We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
In the filing, SolarWinds said an investigation uncovered evidence that the vulnerability was inserted within Orion products and existed in updates released between March and June.
Customers were told to upgrade affected products to a new version or take the platform offline.
According to the cybersecurity firm FireEye, the hackers trojanized the Orion update to distribute the malware, or malicious code.
Zachary Stieber contributed to this report.