SolarWinds leaked FTP credentials through a public GitHub repo since 2018

183 points, posted by hackerpain over 4 years ago

14 comments

abarringer, over 4 years ago
Also this --> Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123" https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8
earthboundkid, over 4 years ago
Wait, FTP as in actual goddamn FTP, or actually SFTP but we call it FTP?

I could make fun, except in 2018, I moved a company off of FTP and onto S3. To be fair to the company, no developer had worked there since 2016, so they were just running on autopilot. Still, anyone even vaguely concerned with security should have stopped using FTP since sometime in the early 00s.
mbag, over 4 years ago
Here is one interesting project that lets you see in almost real time leaked secrets (or suspected secrets; there might be false positives) across GitHub, Gists, GitLab, and Bitbucket: https://www.shhgit.com/

You can also run your own instance: https://github.com/eth0izzle/shhgit/
sschueller, over 4 years ago
It doesn't take much of a "sophisticated hack" if they post their passwords publicly.
EvanAnderson, over 4 years ago
This is egregious, for sure, but it doesn't explain how a DLL signed with their certificate ended up in the wild.

Have SolarWinds' handling practices for their code signing certificate come to light? It's sounding more and more like we're going to find out it was a "PFX file w/ the password 'password' saved on a network share" kind of situation.
KukiAirani, over 4 years ago
I assumed that all software in the supply chain for defense would go through an audit that exposes things like this. Did that never happen?
vesche, over 4 years ago
I discussed this in a video I made on the SolarWinds compromise if anyone is interested - https://youtu.be/ONd0ERCUy0k?t=760

Original Tweet came from @vinodsparrow - https://twitter.com/vinodsparrow/status/1338431183588188160

Keep in mind the binary files that contained the backdoor were digitally signed by SolarWinds after being tampered with. So this FTP credential leak might be part of the supply chain compromise, but is not the whole enchilada.
bulatb, over 4 years ago
This was posted yesterday and flagged into oblivion. Unless new information has come out, there wasn't and still isn't any reason to believe this leak had anything to do with 2020's megabreach.

Edit: To clarify, this version follows up the flagged post with a bit more information and a lot more speculation. It does a lot of work to "not" make claims while setting them up and basically making them.

https://news.ycombinator.com/item?id=25419140
netsharc, over 4 years ago
Considering how often people commit their credentials, it seems Git or GitHub need a --i-need-a-nanny option that would check if you're about to publish things that you would rather not publish. But then it would have to be an installation option, because the people who goof up like this would not know/remember to add that CLI parameter; but I would bet a lot of people would turn on said nanny option that would warn you if you're about to commit lines containing the word "password" or "secret" or "key" (obviously it would have to be more clever than this simple text compare, otherwise it would warn on lines like "function checkPassword(String userSuppliedPassword) {"...
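The "nanny option" described in the comment above, as an added example that is not from the thread or from any project mentioned in it: a pre-commit hook that scans only the staged additions, flags a credential only when a telling name is actually assigned a quoted literal (so `function checkPassword(String userSuppliedPassword) {` passes), ignores obvious placeholders, and separately catches long high-entropy literals whatever they are called. The sample diff is constructed; it reuses the password quoted earlier in the thread.

```python
import math
import re
import subprocess

# Constructed sample of `git diff --cached -U0` output (not from the thread).
SAMPLE_DIFF = """\
+++ b/deploy/ftp.py
+FTP_HOST = "ftp.example.com"
+ftp_password = "solarwinds123"
+db_password = "${DB_PASSWORD}"
+function checkPassword(String userSuppliedPassword) {
+    # TODO: rotate the password before release
+HMAC_MATERIAL = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ"
-old_secret = "hunter2hunter2"
"""

# A telling name, an assignment, then a quoted literal. A bare mention such as
# `checkPassword(String userSuppliedPassword)` assigns no literal, so it is skipped.
ASSIGN_RE = re.compile(
    r"""\w*(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']{4,})["']""",
    re.IGNORECASE)
# Values that are obviously placeholders rather than real credentials.
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|<.*>|changeme|xxx+|your[_-].*)$", re.IGNORECASE)
# Long literals in a key/token alphabet, judged by entropy rather than by name.
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{32,})["']""")

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score above ~4.5, prose and identifiers below."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secret_lines(diff_text: str) -> list:
    """Return (diff line number, reason) for added lines that look like secrets."""
    hits = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can leak something new
        body = line[1:]
        m = ASSIGN_RE.search(body)
        if m and not PLACEHOLDER_RE.match(m.group(1)):
            hits.append((no, "credential assignment"))
        elif any(shannon_entropy(lit) > 4.5 for lit in LITERAL_RE.findall(body)):
            hits.append((no, "high-entropy literal"))
    return hits

if __name__ == "__main__":  # install as .git/hooks/pre-commit; a non-zero exit blocks the commit
    staged = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True).stdout
    found = find_secret_lines(staged)
    for no, reason in found:
        print(f"possible secret at diff line {no}: {reason}")
    raise SystemExit(1 if found else 0)
```

Run against SAMPLE_DIFF, only the `ftp_password` line and the unnamed 36-character literal are reported; the placeholder, the function signature and the comment mentioning "password" are not.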
sombrero_guitar, over 4 years ago
Highly sophisticated attack that only a nation state could have accomplished, or leaked FTP credentials that any script kiddie could have used?
giantg2, over 4 years ago
Glad I'm not the ASC for that product
willis936, over 4 years ago
Does GitHub have a log of IP addresses that cloned the repo? Not that an IP address has much information.
markus_zhang, over 4 years ago
I love the word "since" in the title.
ChrisMarshallNY, over 4 years ago
This type of thing can happen easily with Git. We just submit a directory, and every damn file in that directory gets submitted.

What I do is have a file that aggregates my sensitive stuff (like server secrets and whatnot), and call that file something like "DoNotCheckThisIntoSourceControl.swift". I then add a git ignore line on that name.

I'll also sometimes store it outside of the repo root (I use Xcode, so I can drag files in from anywhere).