More details continue to emerge on the hack of software from SolarWinds WorldWide LLC used by the U.S. government and others as Microsoft Corp. today moved to protect customers from the compromise.

The hack, first reported Sunday and blamed on Russian state-sponsored hackers, came about after SolarWinds pushed compromised software to some 18,000 of its customers in both March and June. The dates are relevant because it’s likely that those behind the compromise have been stealing data since March.

Which companies and government departments have been affected is not entirely clear at this time, since only some have come forward to admit they have been compromised. First was the U.S. Commerce and Treasury Departments, with Homeland Security also now reported to have been attacked. Although not officially confirmed, there are now reports that the State Department and the National Institutes for Health were hacked as well.

The list is likely to continue to grow, since SolarWinds’ Orion information technology monitoring and management software is known to be used by the U.S. military, the Pentagon, the Justice Department, the National Aeronautics and Space Administration, the Executive Office of the President and the National Security Agency.

The potential theft of information from both government and private enterprise is considered to be so extreme that the DHS Cybersecurity and Infrastructure Agency has published an emergency directive. The directive orders that all government agencies take urgent action to immediately disconnect any SolarWinds Orion products and to block all traffic to and from hosts where any version of SolarWinds Orion software has been used.

Leading the effort in mitigating the compromise, Microsoft and a coalition of tech companies have intervened to seize and “sinkhole” a domain that played a central role in the SolarWinds hack ZDNet reported today. The coalition targeted “avsmcloud dot com,” which is said to have served as a command-and-control server for the malware delivered to SolarWinds customers.

Microsoft is also moving to mitigate risks with SolarWinds and Windows, saying it will start forcibly blocking and isolating versions of the SolarWinds Orion software that are known to be compromised. Compromised versions of the software will be blocked by Microsoft Defender Antivirus starting from 8 a.m. PST Wednesday, Dec. 16. “This will quarantine the binary even if the process is running,” Microsoft said.

Exposed password

While a forensic investigation is underway to trace the origin of the hack and how it took place, one rather bizarre claim has emerged: that SolarWinds was using basic passwords, including one that had been exposed on GitHub.

The claim came from security researcher Vinoth Kumar, who said he told the company that its update server was accessible in November 2019 using the password “solarwinds123.” SolarWinds is said to have fixed the issue within three days, but Kumar said the password and access were likely there for two or three weeks.

Although there’s no evidence that this was the path to infection in this case, that a major contractor to the highest levels of the U.S. government would not only expose its password on GitHub but also use weak passwords as well is extraordinary in and of itself.

Jesse Rothstein, co-founder and chief technology officer of enterprise cybersecurity analytics company ExtraHop Networks Inc., told SiliconANGLE that given the resources and sophistication of these hackers, including the use of supply chain attacks against infrastructure and workloads, traditional defenses are ineffective and organizations should prioritize network detection. “Because the network is as close to ground truth as you can get, difficult to evade, and impossible to turn off, sophisticated analysis of network data offers the best opportunity to detect, investigate and respond to these threats before a breach can occur,” he said.

Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity Inc., noted that the jury is still out on whether or not this vulnerability has been exploited before and if it’s part of a broader campaign.

“Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept,” Jaffer said. “Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us.”

Image: The Digital Artist/Pixabay