The hackers who orchestrated the infamous SolarWinds attack also accessed networks by exploiting weak password practices, according to researchers with the Cybersecurity and Infrastructure Security Agency.
The SolarWinds attack generated headlines when it was discovered that sophisticated malware had been used to breach the widely used IT management software. Because SolarWinds is so prominent in government IT, CISA has been investigating the incident, and is now reporting that the same hackers – thought to be affiliated with the Russian government – also gained access to government systems through techniques other than the SolarWinds malware injection.
“CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services,” CISA asserts in its new report.
It’s another illustration – perhaps the most startling yet – of the weakness of password-based security today. And while the primary attack method was the injection of malware through a SolarWinds update, SolarWinds itself, according to Nextgov, had been using a simple, easy-to-guess password for its own update server.
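The password spraying that CISA describes above leaves a recognisable footprint in authentication logs: one source fails against many different accounts with only a handful of attempts each, which is the opposite shape to a brute-force attack on a single account. The following is an added example of that detection logic, not code from the article, from CISA or from SolarWinds. The log format, the field names, the thresholds and the sample lines are all constructed for illustration.

```python
"""Password-spray detection over authentication logs (added example).

Flags a source address that fails logins against many distinct accounts
with few attempts per account within a time window, then reports any
account that source went on to log into successfully. Log format,
thresholds and sample data are assumptions, not from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <src_ip> <username> <FAIL|SUCCESS>"
# 198.51.100.7 sprays one guess across many accounts and gets into "grace".
# 203.0.113.9 hammers a single account (brute force, not a spray).
# 192.0.2.20 is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2020-12-14T02:00:01 198.51.100.7 alice FAIL
2020-12-14T02:00:03 198.51.100.7 bob FAIL
2020-12-14T02:00:05 198.51.100.7 carol FAIL
2020-12-14T02:00:07 198.51.100.7 dave FAIL
2020-12-14T02:00:09 198.51.100.7 erin FAIL
2020-12-14T02:00:11 198.51.100.7 frank FAIL
2020-12-14T02:00:13 198.51.100.7 grace SUCCESS
2020-12-14T02:05:00 203.0.113.9 alice FAIL
2020-12-14T02:05:02 203.0.113.9 alice FAIL
2020-12-14T02:05:04 203.0.113.9 alice FAIL
2020-12-14T02:05:06 203.0.113.9 alice FAIL
2020-12-14T02:05:08 203.0.113.9 alice FAIL
2020-12-14T02:05:10 203.0.113.9 alice FAIL
2020-12-14T02:05:12 203.0.113.9 alice FAIL
2020-12-14T09:00:00 192.0.2.20 alice FAIL
2020-12-14T09:00:30 192.0.2.20 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed four-field format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Return {src_ip: [sprayed usernames]} for sources matching the spray pattern.

    A source is flagged when, inside any `window`-long span of its failed logins,
    it touched at least `min_accounts` distinct accounts and no single account
    was tried more than `max_per_account` times. Thresholds are assumptions.
    """
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            start = fails[i][0]
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = sorted(per_user)
                break  # one matching window is enough to flag this source
    return findings


def successes_from_sprayers(events, **kwargs):
    """Return {src_ip: [usernames]} that a flagged spraying source logged into."""
    sprayers = detect_spray(events, **kwargs)
    hits = defaultdict(set)
    for _ts, src, user, result in events:
        if src in sprayers and result == "SUCCESS":
            hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, users in detect_spray(evts).items():
        print(f"spray from {src}: {', '.join(users)}")
    for src, users in successes_from_sprayers(evts).items():
        print(f"{src} later authenticated as: {', '.join(users)}")
```

The two-pointer window keeps the check simple for a few thousand events per source; on a production volume the same logic would run per source over a streaming window, and the thresholds would be tuned against the environment's baseline of ordinary failed logins so that a help-desk workstation resetting several accounts is not mistaken for a spray.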
Other, more sophisticated methods of attack were also used, however, with some researchers asserting that the SolarWinds hackers even found a way to use a stolen secret key to bypass the 2FA security of the Outlook Web App.
That, like the password breaches, points to the need for highly secure authentication credentials such as biometrics, which can’t be hacked or stolen. Biometric security is gaining traction in the government sector, and as the full extent of the SolarWinds attack becomes clear, it could add urgency to the deployment of such security systems going forward.
January 8, 2020 – by Alex Perala