We at Acunetix and Invicti are deeply concerned by the aftermath of the SolarWinds hack and offer our deepest commiserations to all the security personnel who are facing this situation just before Christmas, and to SolarWinds themselves, who unwillingly became the vehicle for the compromise of more than 18,000 organizations.

At the same time, we would like to reassure our customers, partners, and prospects that we are not a customer of SolarWinds and are therefore not in any way affected by this hack. As always, we continue to take the utmost care to ensure that our on-premises and online software and our update download servers are not compromised in any way.

What Happened at SolarWinds?

If you’re not up to date on the news: The SolarWinds Orion network monitoring software, used by more than 18,000 organizations all over the world, was compromised several months ago. An update, downloadable from the SolarWinds update server, was poisoned with a malicious backdoor. This backdoor allowed unknown threat actors to spy on SolarWinds Orion customers and potentially control their systems remotely or escalate into their networks.

The original attack vector remains unknown, but there are hints that might give us a clue as to what originally happened. Since the first traces of the backdoor being used date back to March 2020, it is very probable that SolarWinds was hacked at the beginning of 2020 or in late 2019. This is in line with certain tweets suggesting that SolarWinds had an openly accessible repository on GitHub and used weak passwords. This would not be surprising at all. Openly accessible repositories and exposed databases account for some of the biggest hacks in recent years, and common password vulnerabilities are often the underlying cause of major break-ins.

Another potential vector is the SolarWinds Office 365 account, which was reportedly compromised, according to information that SolarWinds received from Microsoft. SolarWinds believes that data contained in emails might have allowed the attackers to gain access to other systems (which also suggests poor email culture – you should not use email to send sensitive data). This yet again suggests that a weak password policy might have been the underlying cause of the breach. Remember, it takes just one user with a weak password for a malicious hacker to get in.

Conclusions from the SolarWinds Hack

While the hack itself is most probably nothing out of the ordinary, what is very much out of the ordinary in this situation is how long it remained undiscovered. This suggests that while the vulnerability might have been trivial, the exploitation itself was not. The attackers, whoever they really are, took a great deal of care to remain undetected in all the infiltrated networks. This is why it is believed to have been a major intelligence operation.

This leads to the conclusion that even if you consider a vulnerability or an asset to be a minor one, it may be used by the attacker to escalate deeper into your systems – for example, a simple SQL injection in a database that contains no personal data may lead to a complete system compromise. What’s even worse, the attacker may then use your compromised systems to attack others – an attack that may be even harder to detect, as in the case of SolarWinds.
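To make the "minor asset" point concrete, here is an added example (not code from the original post or from Acunetix) showing why a SQL injection in a database with no personal data still matters. The catalogue table, its rows, the internal hostname in a note column, and the injected input are all constructed for this illustration. The vulnerable lookup builds the query by string concatenation, so a crafted value changes the shape of the query and dumps every row, including the internal note an attacker could use to pivot; the hardened lookup binds the value as a parameter, so the same input simply matches nothing.

```python
import sqlite3

# Constructed sample data: a product catalogue with no personal data at all.
# The third row carries an operational note of the kind that often ends up in
# "harmless" tables and that is useful to an attacker moving laterally.
SAMPLE_ROWS = [
    ("widget", "public"),
    ("gadget", "public"),
    ("prototype-x", "unreleased; staging db host db-int-01 (constructed)"),
]

# Constructed test input: the textbook tautology that turns a value into a condition.
INJECTED_NAME = "' OR '1'='1"


def build_catalogue():
    """Create an in-memory SQLite database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, internal_note) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable lookup: user input is spliced into the SQL text.

    Because the value becomes part of the statement, a quote character lets the
    caller rewrite the WHERE clause instead of just supplying a product name.
    """
    sql = f"SELECT name, internal_note FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Hardened lookup: the statement text is fixed and the value is bound.

    The driver sends the value separately from the query, so quotes and
    keywords inside it are compared as data, never parsed as SQL.
    """
    sql = "SELECT name, internal_note FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def leaked_notes(rows):
    """Return the internal notes exposed by a result set (used to show impact)."""
    return [note for _, note in rows if note != "public"]


if __name__ == "__main__":
    db = build_catalogue()
    # A legitimate query behaves the same in both versions.
    print("legit, vulnerable:", lookup_vulnerable(db, "widget"))
    print("legit, hardened:  ", lookup_hardened(db, "widget"))
    # The injected value dumps the whole table from the vulnerable version,
    # including the note that names an internal host; the hardened version
    # returns nothing because no product is literally named "' OR '1'='1".
    print("injected, vulnerable:", lookup_vulnerable(db, INJECTED_NAME))
    print("leaked notes:        ", leaked_notes(lookup_vulnerable(db, INJECTED_NAME)))
    print("injected, hardened:  ", lookup_hardened(db, INJECTED_NAME))
```

The fix is the same regardless of how unimportant the table looks: never build SQL from untrusted strings, bind every value as a parameter, and give the application's database account only the tables and privileges it needs so that a query bug cannot become a foothold.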

Another important conclusion from this hack is that if SolarWinds Orion were a cloud product, the hack would not have been possible, because there would be no downloadable updates. If the affected organizations had no internal networks (if they had all their applications in the cloud) and therefore never needed Orion in the first place, it would not have happened either. This may be yet another nudge for organizations to move their assets to the cloud. However, they must not forget that the cloud has its own security concerns, and one of these is the fact that all cloud apps are web applications.

How Can Acunetix Help?

Since we deal with web application security, Acunetix cannot help organizations secure their legacy applications and internal networks, such as those that have been infiltrated by the backdoor in SolarWinds Orion. However, Acunetix is an indispensable tool once you move those applications to the cloud – we also check for exposed databases and weak passwords. To keep all your web assets secure, your best bet is to start with a web vulnerability scanner.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.