UPDATED 21:13 EDT / JANUARY 14 2021

SECURITY

SolarLeaks website offers source code stolen in SolarWinds hack for sale

In the latest twist on the SolarWinds hacking story, a site called SolarLeaks is selling stolen data from the hack, including source code from Microsoft Corp., Cisco Systems Inc., FireEye Inc. and SolarWinds Worldwide LLC.

The SolarLeaks website is offering to sell partial source code of Microsoft Windows and various Microsoft repositories for $600,000, with proof of the code shared by an online file hosting service.

Those running the site are offering source code and an internal bug tracker for multiple Cisco products for $500,000, SolarWinds product source code including Orion and a customer portal dump for $250,000, and FireEye private red team tools, source code, binaries and documentation for $50,000, all three also with proof offered via a file hosting service.

Not surprisingly, the site's domain uses private registration, and it is hosted on an IP address registered to Njalla, a privacy-focused domain registration service run by Pirate Bay co-founder Peter Sunde. Bleeping Computer reported that the same service has also been used to register domains for the Russian hacking groups Fancy Bear and Cozy Bear.

The targeting of Cisco, FireEye and SolarWinds is well known. Cisco provided an update on its investigation Jan. 12, though it stated that it has “no evidence at this time of any theft of intellectual property related to recent events.” Where the offering becomes interesting is the inclusion of Microsoft Windows source code.

Microsoft was first reported to have been targeted in the SolarWinds attack Dec. 17, a claim the company initially denied. Microsoft later acknowledged that those behind the attack had gained access to some source code repositories. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated,” Microsoft’s Security Response Center wrote Dec. 31.

“The key unanswered question from Microsoft’s New Year’s Eve source leakage announcement was which code base was exposed?” Ronen Slavin, co-founder and chief technology officer of source code protection startup Cycode Ltd., told SiliconANGLE. “While we can’t confirm if the source code offered for sale is real, it claims to offer Windows source code. If it is fake, it’s an elaborate fake.”

If Windows and Cisco source code gets into the wrong hands, security teams are going to have to become a lot more vigilant, Slavin added.

“Attackers will effectively have the blueprints to reverse-engineer arguably the most important operating system and routing and security equipment, which is a powerful combination because enabling attackers to compromise both endpoints and connections between them greatly increases their ability to move within networks undetected,” he said. “The Cisco exposure is particularly troubling because it claims to include internal bug tracking data. If real, this would likely serve up zero-day exploits on a platter by pointing attackers directly at all of the vulnerabilities that Cisco themselves have identified in their own products, but haven’t yet fixed.”

Image: Wikimedia Commons
