UPDATED 21:13 EST / JANUARY 14 2021

SECURITY

SolarLeaks website offers source code stolen in SolarWinds hack for sale

In the latest twist on the SolarWinds hacking story, a site called SolarLeaks is selling stolen data from the hack, including source code from Microsoft Corp., Cisco Systems Inc., FireEye Inc. and SolarWinds Worldwide LLC.

The SolarLeaks website is offering to sell partial source code of Microsoft Windows and various Microsoft repositories for $600,000, with proof of the code shared by an online file hosting service.

Those running the site are offering source code and an internal bug tracker for multiple Cisco products for $500,000, SolarWinds product source code including Orion and a customer portal dump for $250,000, and FireEye private red team tools, source code, binaries and documentation for $50,000, all three also with proof offered via a file hosting service.

Not surprisingly, the domain name used by the site has private registration but is hosted on an IP address registered to Njalla, a privacy-aware domain registration service run by Pirate Bay founder Peter Sunde. Bleeping Computer reported that the same service is also a known registrar for Russian hacking groups Fancy Bear and Cozy Bear.

The targeting of Cisco, FireEye and SolarWinds is well-known, with Cisco providing having provided an update on their investigation Jan. 12, be it that they state that they have “no evidence at this time of any theft of intellectual property related to recent events.” Where the offering becomes interesting is the inclusion of Microsoft Windows source code.

Microsoft was first reported to have been targeted in the SolarWinds attack Dec. 17 but it’s a claim the company initially denied. Microsoft later admitted that those behind the attack managed to gain access to some source code repositories. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated,” Microsoft’s Security Response Center wrote Dec. 31.

“The key unanswered question from Microsoft’s New Year’s Eve source leakage announcement was which code base was exposed?” Ronen Slavin, co-founder and chief technology officer of source code protection startup Cycode Ltd., told SiliconANGLE. “While we can’t confirm if the source code offered for sale is real, it claims to offer Windows source code. If it is fake, it’s an elaborate fake.”

If Windows and Cisco source code gets into the wrong hands, security is going to have to become a lot more vigilant, Slavin added.

“Attackers will effectively have the blueprints to reverse-engineer arguably the most important operating system and routing and security equipment, which is a powerful combination because enabling attackers to compromise both endpoints and connections between them greatly increases their ability to move within networks undetected,” he said. “The Cisco exposure is particularly troubling because it claims to include internal bug tracking data. If real, this would likely serve up zero-day exploits on a platter by pointing attackers directly at all of the vulnerabilities that Cisco themselves have identified in their own products, but haven’t yet fixed.”

Image: Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU