科技回声: a tech news platform built on Next.js that mirrors global tech news and discussion threads.

SolarWinds exposed FTP credentials in Public Github Repo: US Government Breach

142 points, posted by hackerpain, over 4 years ago

20 comments

lock-free, over 4 years ago

The article/twitter thread don't offer anything definitive. It could be this leaked password was how their supply chain got compromised, it might not be.

Just anecdotally I'm looking at my own release infrastructure and it would take a bit more work to get compromised binaries to our customers than a leaked secret in a public git repo - and if it was reported that we leaked some key or password that gave the keys of the kingdom away, it would be trivial to change it and verify that we didn't push malware.

This article can explain how malware made it into a download server, maybe. But does it explain the fact the malware was signed? Maybe, but that suggests a bigger fuck up than leaking a password.
danso, over 4 years ago

I still think about how Instagram's entire kingdom (source code, SSL certs, AWS credentials) was left wide open because someone deployed an open source admin tool on a single server and never changed the default hardcoded secret key:

https://news.ycombinator.com/item?id=10754194

https://web.archive.org/web/20151217205414/http://www.exfiltrated.com/research-Instagram-RCE.php
jpdb, over 4 years ago

This article is extremely dishonest and should be removed. It offers zero proof this is what led to the compromise. The leaked credentials were reported over a year ago and patched according to FireEye.

There are already comments here from users who presumably haven't read the article and are parroting this as fact.
SoylentOrange, over 4 years ago

Are the authors suggesting the weak credentials were the only part of the attack? Or are they suggesting they were the first part in a rather sophisticated supply chain attack?

The credentials by themselves don't give execute privileges, or persistence, or in fact any access to non-SolarWinds systems. So both can be true.
tyho, over 4 years ago

When reading press releases about cyberattacks, substitute "embarrassing" for "sophisticated" to improve the accuracy of the release.
lovecg, over 4 years ago
This is just pure speculation at this point. The facts are that a leak existed and allegedly was fixed after the report. It’s quite a jump to conclude that this exact leak was used in the attack.
ardy42, over 4 years ago

Sophistication doesn't necessarily mean technical wizardry. IMHO, it's pretty sophisticated to thoroughly look for easily-exploitable goofs, and extract maximum value from them. The big advantage nation states have is probably mainly staffing and funding, and why use a zero-day when a leaked password will do?
DobbsMT, over 4 years ago

Given the timing of the NSA announcement that Russian intelligence was actively exploiting the VMware-related CVE-2020-4006 just a couple of weeks before the FireEye and .Gov announcements, I'm wondering if that was the source of the intrusion.

The platform in question handles mobile device management, identity brokering, and mobile email management, among other things. It would certainly align with the reports about Treasury and other departments having email compromised.

https://www.securityweek.com/russian-hackers-exploiting-recently-patched-vmware-flaw-nsa-warns

"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,"
bg24, over 4 years ago

Sophistication is how the hackers hide their tracks and exfiltrate the stuff after they have come in. Coming in can be simple stuff, or can be a zero day vulnerability.
perennate, over 4 years ago

The article title is "SolarWinds exposed FTP credentials in Public Github Repo" (in 2019) which is far less definitive than the misleading title submitted on HN.
rahimiali, over 4 years ago

It just looks like the upload credentials for an incoming directory were easy, but that doesn't imply a weakness. I can "upload" stuff to Google Drive. That doesn't mean Google is easy to hack.
Metacelsus, over 4 years ago

What's the best way to prevent accidental github leaks? I once accidentally leaked an API key (albeit for a relatively unimportant service, and I realized soon afterwards).
qw3rty01, over 4 years ago

The email mentioned in the tweet is over a year old, with the response fixing the issue over a year old... the tweet in question is pointing out that their decisions relating to security are extremely questionable, not that this was the way they got in.

This is also what he said in the Q&A session:

> I think the attackers must have used the same approach as the FTP server was open & credentials were not strong enough. But it was a sophisticated attack as the binaries were signed.
lee990, over 4 years ago

This article is literally pure-speculative garbage.

You have one guy saying he found an FTP credential in github and on the other hand a nation-state attack and putting two and two together with no proof or reasoning other than they both happened at some point in time.
protocol_7, over 4 years ago

Good time to run https://github.com/zricethezav/gitleaks on your projects
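Metacelsus asks above how to stop accidental GitHub leaks and protocol_7 points at gitleaks. As an added example (not from the thread, from gitleaks, or from any project), this Python pre-commit scanner shows the core idea: check only the added lines of the staged diff for credential patterns such as the ftp://user:pass@host form at issue in this story, with an entropy fallback for random-looking tokens. The rules, the 4.0 bits/char threshold and the script name are assumptions, and the sample diff is constructed.

```python
import math
import re
import sys
from collections import Counter

# Illustrative rules (assumed; not the curated ruleset a tool like gitleaks ships).
PATTERNS = {
    "url-with-password": re.compile(r"\b(?:ftps?|sftp|https?)://[^\s:/@]+:[^\s@]+@\S+", re.I),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret-assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed cutoff for random-looking tokens

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_diff(diff_text: str) -> list:
    """Return [(diff_line_no, rule, matched_text)] for suspicious added lines only."""
    findings = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removed/context lines cannot introduce a new leak
        content = line[1:]
        for rule, rx in PATTERNS.items():
            if m := rx.search(content):
                findings.append((no, rule, m.group(0)))
                break
        else:  # no rule hit: flag long random-looking tokens by entropy
            for tok in re.findall(r"[A-Za-z0-9+/=_-]{20,}", content):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((no, "high-entropy-token", tok))
                    break
    return findings

# Constructed sample: a staged change that hardcodes FTP upload credentials.
SAMPLE_DIFF = """+++ b/deploy.sh
@@ -1,2 +1,3 @@
 set -e
+FTP_URL="ftp://deploy:S3cretPass!@downloads.example.invalid/incoming"
+curl -T build.zip "$FTP_URL"
"""

if __name__ == "__main__":  # usage: git diff --cached -U0 | python scan_staged.py
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for no, rule, text in hits:
        print(f"diff line {no}: {rule}: {text[:60]}")
    sys.exit(1 if hits else 0)  # non-zero exit makes a pre-commit hook block the commit
```

Wire it into .git/hooks/pre-commit (or a pre-commit framework) so the commit is refused before the secret ever reaches a remote; rotating a credential that has already been pushed is still required, since the history stays public.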
latchkey, over 4 years ago

> For the readers who couldn't fully understand the tweet, Vinoth had apparently gotten access to a SolarWinds FTP server on 19th November, 2020 which is more than 1 year ago.

2019.
dfpojsdfpojonsp, over 4 years ago

This reads like it was written by a bot. It's filled with sentence fragments and grammar errors.
julienchastang, over 4 years ago
FTP? FTP does not have encryption (in contrast to HTTPS), correct?
Nightshaxx, over 4 years ago

Someone on HN called it before this broke. Governments are quick to blame "state-sponsored actors" to cover up for their own flawed security practices.
wolco2, over 4 years ago
Github is a single point of failure for the open source community