<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security</title>
	<atom:link href="http://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Thu, 16 Apr 2026 09:52:49 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1699979</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 30 Dec 2020 13:25:53 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1699979</guid>
		<description><![CDATA[https://techcrunch.com/2020/12/29/how-the-pandemic-revealed-the-fragility-of-supply-chains/?tpcc=ECFB2020]]></description>
		<content:encoded><![CDATA[<p><a href="https://techcrunch.com/2020/12/29/how-the-pandemic-revealed-the-fragility-of-supply-chains/?tpcc=ECFB2020" rel="nofollow">https://techcrunch.com/2020/12/29/how-the-pandemic-revealed-the-fragility-of-supply-chains/?tpcc=ECFB2020</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1699118</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 17 Dec 2020 06:10:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1699118</guid>
		<description><![CDATA[SolarWinds’ Update Server Could Be Accessed in 2019 Using Password ‘solarwinds123’: Report
https://www.newsweek.com/solarwinds-update-server-could-accessed-2019-using-password-solarwinds123-report-1554986

SolarWinds’ update server was accessible by using the simple password “solarwinds123” in late 2019, according to a security researcher.

News broke on Sunday that SolarWinds’ OrionIT product was hacked as far back as March, with malware added to a software update that was downloaded by thousands of clients. The cyberattack went undetected for months, compromising the computers at top federal government agencies and potentially impacting hundreds of prominent American corporations.

As the damage continues to be investigated, experts have begun pointing to concerns about potentially substandard security protocols. Security researcher Vinoth Kumar told Reuters he alerted SolarWinds last year that its update server could easily be accessed by anyone using the simple password: “solarwinds123.”

“This could have been done by any attacker, easily,” Kumar told the news agency.

Kumar initially told Newsweek that the issue had been present for more than three weeks before it was fixed. After this article published, the researcher followed up to say that he’d discovered the problem appeared to be present all the way back in June 2018.

Alleged Russian SolarWinds Hack ‘Probably an 11’ On Scale of 1 to 10, Cybersecurity Expert Warns
https://www.newsweek.com/alleged-russian-solarwinds-hack-probably-11-scale-1-10-cybersecurity-expert-warns-1554606

A cybersecurity expert warned that the alleged Russian hack of SolarWinds software, which affected top government agencies, is “probably an 11” in terms of seriousness on a scale of one to 10]]></description>
		<content:encoded><![CDATA[<p>SolarWinds’ Update Server Could Be Accessed in 2019 Using Password ‘solarwinds123’: Report<br />
<a href="https://www.newsweek.com/solarwinds-update-server-could-accessed-2019-using-password-solarwinds123-report-1554986" rel="nofollow">https://www.newsweek.com/solarwinds-update-server-could-accessed-2019-using-password-solarwinds123-report-1554986</a></p>
<p>SolarWinds’ update server was accessible by using the simple password “solarwinds123” in late 2019, according to a security researcher.</p>
<p>News broke on Sunday that SolarWinds’ OrionIT product was hacked as far back as March, with malware added to a software update that was downloaded by thousands of clients. The cyberattack went undetected for months, compromising the computers at top federal government agencies and potentially impacting hundreds of prominent American corporations.</p>
<p>As the damage continues to be investigated, experts have begun pointing to concerns about potentially substandard security protocols. Security researcher Vinoth Kumar told Reuters he alerted SolarWinds last year that its update server could easily be accessed by anyone using the simple password: “solarwinds123.”</p>
<p>“This could have been done by any attacker, easily,” Kumar told the news agency.</p>
<p>Kumar initially told Newsweek that the issue had been present for more than three weeks before it was fixed. After this article published, the researcher followed up to say that he’d discovered the problem appeared to be present all the way back in June 2018.</p>
<p>Alleged Russian SolarWinds Hack ‘Probably an 11’ On Scale of 1 to 10, Cybersecurity Expert Warns<br />
<a href="https://www.newsweek.com/alleged-russian-solarwinds-hack-probably-11-scale-1-10-cybersecurity-expert-warns-1554606" rel="nofollow">https://www.newsweek.com/alleged-russian-solarwinds-hack-probably-11-scale-1-10-cybersecurity-expert-warns-1554606</a></p>
<p>A cybersecurity expert warned that the alleged Russian hack of SolarWinds software, which affected top government agencies, is “probably an 11” in terms of seriousness on a scale of one to 10</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1699034</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 15 Dec 2020 06:06:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1699034</guid>
		<description><![CDATA[https://threatpost.com/windows-trojan-steals-browser-credentials-outlook-files/162223/ New Windows Trojan Steals Browser Credentials, Outlook Files]]></description>
		<content:encoded><![CDATA[<p><a href="https://threatpost.com/windows-trojan-steals-browser-credentials-outlook-files/162223/" rel="nofollow">https://threatpost.com/windows-trojan-steals-browser-credentials-outlook-files/162223/</a> New Windows Trojan Steals Browser Credentials, Outlook Files</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1699033</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 15 Dec 2020 06:02:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1699033</guid>
		<description><![CDATA[I thought this was the best ‘plain English’ summary of what’s happening. Of course the Cozy Bear link is still speculative but it makes good headlines...

~18,000 organizations downloaded backdoor planted by Cozy Bear hackers
Russia-backed hackers use supply chain attack to infect public and private organizations.
https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/

About 18,000 organizations around the world downloaded network management tools that contained a backdoor that a nation state used to install malware in organizations that used the software, the tools provider, SolarWinds, said on Monday.

The disclosure from Austin, Texas-based SolarWinds, came a day after the US government revealed a major security breach hitting federal agencies and private companies. The US Departments of Treasury, Commerce, and Homeland Security were among the federal agencies on the receiving end of hacks that gave access to email and other sensitive resources, Reuters reported. Federal agencies using the software were instructed on Sunday to disconnect systems that run the software and perform a forensic analysis of their networks.

Security firm FireEye, which last week disclosed a serious breach of its own network, said that hackers backed by a nation-state compromised a SolarWinds software update mechanism and then used it to infect selected customers who installed a backdoored version of the company’s Orion network management tool.

The backdoor infected customers who installed an update from March to June of this year, SolarWinds said in a document filed on Monday with the Securities and Exchange Commission. The implant “was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” Monday’s filing said. SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.

“SolarWinds by its nature has very privileged access to other parts of your infrastructure,” Chapple, a former computer scientist at the National Security Agency, said in an interview. “You can think of SolarWinds as having the master keys to your network, and if you’re able to compromise that type of tool, you’re able to use those types of keys to gain access to other parts of the network. By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations.”

The hacks are part of what the federal government and officials from FireEye, Microsoft, and other private companies said was a widespread espionage campaign that a sophisticated threat actor was carrying out through a supply chain attack.

In a blog post FireEye published Sunday night, the company said it uncovered a global intrusion campaign that used the backdoored SolarWinds’ update mechanism as an initial entryway “into the networks of public and private organizations through the software supply chain.” Publications—including The Washington Post and The New York Times—cited unnamed government officials saying Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service (FSB), was behind the compromises.]]></description>
		<content:encoded><![CDATA[<p>I thought this was the best ‘plain English’ summary of what’s happening. Of course the Cozy Bear link is still speculative but it makes good headlines&#8230;</p>
<p>~18,000 organizations downloaded backdoor planted by Cozy Bear hackers<br />
Russia-backed hackers use supply chain attack to infect public and private organizations.<br />
<a href="https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/" rel="nofollow">https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/</a></p>
<p>About 18,000 organizations around the world downloaded network management tools that contained a backdoor that a nation state used to install malware in organizations that used the software, the tools provider, SolarWinds, said on Monday.</p>
<p>The disclosure from Austin, Texas-based SolarWinds, came a day after the US government revealed a major security breach hitting federal agencies and private companies. The US Departments of Treasury, Commerce, and Homeland Security were among the federal agencies on the receiving end of hacks that gave access to email and other sensitive resources, Reuters reported. Federal agencies using the software were instructed on Sunday to disconnect systems that run the software and perform a forensic analysis of their networks.</p>
<p>Security firm FireEye, which last week disclosed a serious breach of its own network, said that hackers backed by a nation-state compromised a SolarWinds software update mechanism and then used it to infect selected customers who installed a backdoored version of the company’s Orion network management tool.</p>
<p>The backdoor infected customers who installed an update from March to June of this year, SolarWinds said in a document filed on Monday with the Securities and Exchange Commission. The implant “was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” Monday&#8217;s filing said. SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.</p>
<p>“SolarWinds by its nature has very privileged access to other parts of your infrastructure,” Chapple, a former computer scientist at the National Security Agency, said in an interview. “You can think of SolarWinds as having the master keys to your network, and if you’re able to compromise that type of tool, you’re able to use those types of keys to gain access to other parts of the network. By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations.”</p>
<p>The hacks are part of what the federal government and officials from FireEye, Microsoft, and other private companies said was a widespread espionage campaign that a sophisticated threat actor was carrying out through a supply chain attack.</p>
<p>In a blog post FireEye published Sunday night, the company said it uncovered a global intrusion campaign that used the backdoored SolarWinds’ update mechanism as an initial entryway “into the networks of public and private organizations through the software supply chain.” Publications—including The Washington Post and The New York Times—cited unnamed government officials saying Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service (FSB), was behind the compromises.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1695826</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 27 Oct 2020 09:04:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1695826</guid>
		<description><![CDATA[Quantifying Complexity: The Challenges of Supply Chain Security
https://www.eetimes.com/quantifying-complexity-the-challenges-of-supply-chain-security/]]></description>
		<content:encoded><![CDATA[<p>Quantifying Complexity: The Challenges of Supply Chain Security<br />
<a href="https://www.eetimes.com/quantifying-complexity-the-challenges-of-supply-chain-security/" rel="nofollow">https://www.eetimes.com/quantifying-complexity-the-challenges-of-supply-chain-security/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1689982</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 02 Sep 2020 12:36:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1689982</guid>
		<description><![CDATA[5 Essential Post-COVID Actions for Supply-Chain Businesses
https://www.designnews.com/industry/5-essential-post-covid-actions-supply-chain-businesses?ADTRK=InformaMarkets&amp;elq_mid=14273&amp;elq_cid=876648

Rethinking and remaking the supply chains, production, financial markets and global economies to be resilient will be essential. But how? 

How can businesses perform better in this new world and become more resilient for the next crisis? Put differently, how can companies ensure their survival while contributing to the safeguard of their respective economies? According to Verzelen, five things must happen:

    Employees must be protected.
    Financial health must be maintained.
    Marketing and sales must be adaptive.
    The supply chain must be safeguarded.
    The ecosystem must be helped.]]></description>
		<content:encoded><![CDATA[<p>5 Essential Post-COVID Actions for Supply-Chain Businesses<br />
<a href="https://www.designnews.com/industry/5-essential-post-covid-actions-supply-chain-businesses?ADTRK=InformaMarkets&#038;elq_mid=14273&#038;elq_cid=876648" rel="nofollow">https://www.designnews.com/industry/5-essential-post-covid-actions-supply-chain-businesses?ADTRK=InformaMarkets&#038;elq_mid=14273&#038;elq_cid=876648</a></p>
<p>Rethinking and remaking the supply chains, production, financial markets and global economies to be resilient will be essential. But how? </p>
<p>How can businesses perform better in this new world and become more resilient for the next crisis? Put differently, how can companies ensure their survival while contributing to the safeguard of their respective economies? According to Verzelen, five things must happen:</p>
<p>    Employees must be protected.<br />
    Financial health must be maintained.<br />
    Marketing and sales must be adaptive.<br />
    The supply chain must be safeguarded.<br />
    The ecosystem must be helped.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1689803</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 01 Sep 2020 05:26:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1689803</guid>
		<description><![CDATA[Over the past two years, the global supply chain has been hit with two major upheavals: the United States-China trade war and, more cataclysmically, COVID-19.

https://techcrunch.com/2020/08/17/how-tech-can-build-more-resilient-supply-chains/?tpcc=ECFB2020]]></description>
		<content:encoded><![CDATA[<p>Over the past two years, the global supply chain has been hit with two major upheavals: the United States-China trade war and, more cataclysmically, COVID-19.</p>
<p><a href="https://techcrunch.com/2020/08/17/how-tech-can-build-more-resilient-supply-chains/?tpcc=ECFB2020" rel="nofollow">https://techcrunch.com/2020/08/17/how-tech-can-build-more-resilient-supply-chains/?tpcc=ECFB2020</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1688770</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 21 Aug 2020 18:29:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1688770</guid>
		<description><![CDATA[Apple scoffed at Bloomberg claims that its servers were compromised by a surreptitious component. But the truth is, the printed circuit board supply chain is quite vulnerable.

Three Ways to Hack a Printed Circuit Board
https://spectrum.ieee.org/computing/hardware/three-ways-to-hack-a-printed-circuit-board]]></description>
		<content:encoded><![CDATA[<p>Apple scoffed at Bloomberg claims that its servers were compromised by a surreptitious component. But the truth is, the printed circuit board supply chain is quite vulnerable.</p>
<p>Three Ways to Hack a Printed Circuit Board<br />
<a href="https://spectrum.ieee.org/computing/hardware/three-ways-to-hack-a-printed-circuit-board" rel="nofollow">https://spectrum.ieee.org/computing/hardware/three-ways-to-hack-a-printed-circuit-board</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-3/#comment-1676796</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 29 Apr 2020 10:20:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1676796</guid>
		<description><![CDATA[We Built the Supply Chain We Wanted … Not the One Needed
https://www.eetimes.com/we-built-the-supply-chain-we-wanted-not-the-one-needed/

The lessons of COVID-19 may be numerous but one stands out. The global supply chain is skewed towards one part of the world. This represents a great danger to everyone. If this wasn’t clear before, despite attempts by some to point out the dangers of this imbalance, it is now obvious the system needs to be corrected. And corrected it will be. Globally, and by the different regions.

The price of production outsourcing to China is too high. Today, it is measured in the loss of lives — by the tens of thousands. The expected cost-efficiencies cannot be justified anymore.]]></description>
		<content:encoded><![CDATA[<p>We Built the Supply Chain We Wanted … Not the One Needed<br />
<a href="https://www.eetimes.com/we-built-the-supply-chain-we-wanted-not-the-one-needed/" rel="nofollow">https://www.eetimes.com/we-built-the-supply-chain-we-wanted-not-the-one-needed/</a></p>
<p>The lessons of COVID-19 may be numerous but one stands out. The global supply chain is skewed towards one part of the world. This represents a great danger to everyone. If this wasn’t clear before, despite attempts by some to point out the dangers of this imbalance, it is now obvious the system needs to be corrected. And corrected it will be. Globally, and by the different regions.</p>
<p>The price of production outsourcing to China is too high. Today, it is measured in the loss of lives — by the tens of thousands. The expected cost-efficiencies cannot be justified anymore.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2018/10/06/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it-krebs-on-security/comment-page-2/#comment-1669454</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 04 Feb 2020 18:43:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=179922#comment-1669454</guid>
		<description><![CDATA[How to Effectively Combat Emerging Supply Chain Vulnerabilities
https://pentestmag.com/how-to-effectively-combat-emerging-supply-chain-vulnerabilities/

The supply chain is almost impossible to adequately defend, but there is a strategic way forward.

Imagine you vet a third-party chat bot vendor and after rigorous testing and multiple levels of approval, they are now authorized to be a point of presence on your website. You did it! Now you can check the box and call it a day, right? Well, not quite. Let’s assume that vendor gets breached, and the hackers use the trusted relationship the vendor has cultivated with you to their advantage (remember, the vendor passed all the rigorous testing).]]></description>
		<content:encoded><![CDATA[<p>How to Effectively Combat Emerging Supply Chain Vulnerabilities<br />
<a href="https://pentestmag.com/how-to-effectively-combat-emerging-supply-chain-vulnerabilities/" rel="nofollow">https://pentestmag.com/how-to-effectively-combat-emerging-supply-chain-vulnerabilities/</a></p>
<p>The supply chain is almost impossible to adequately defend, but there is a strategic way forward.</p>
<p>Imagine you vet a third-party chat bot vendor and after rigorous testing and multiple levels of approval, they are now authorized to be a point of presence on your website. You did it! Now you can check the box and call it a day, right? Well, not quite. Let’s assume that vendor gets breached, and the hackers use the trusted relationship the vendor has cultivated with you to their advantage (remember, the vendor passed all the rigorous testing).</p>
]]></content:encoded>
	</item>
</channel>
</rss>
