
SolarWinds aftermath continues with SolarLeaks

Early this week a website, presumably operated by the actors behind the SolarWinds breach, surfaced claiming to sell data obtained through the SolarWinds backdoor. The attribution rests on the site's own claims: the message offers no proof, and its FAQ answers the request for proof with nothing more than "Yes and yes".

The site, on the domain solarleaks.net, displays nothing but a PGP-signed message in which the actors share download links for the stolen data, which is distributed already encrypted. The message was signed on 12 January 2021 with a 2048-bit RSA key whose fingerprint is 24516C2E1CC7890832771178E2C73BC53B9118A0. The site publishes no public key, so the signature cannot be verified; what the fingerprint does provide is a way to tie any later message signed with the same key to this one.

The domain solarleaks.net was registered on the evening of 11 January 2021 (20:44:26 UTC, less than a day before the message was signed) through Tucows, using Njalla name servers, and has a sister .onion mirror listed in the message, presumably to keep the site reachable in case of a takedown:

$ whois solarleaks.net

   Domain Name: SOLARLEAKS.NET
   Registry Domain ID: 2584153959_DOMAIN_NET-VRSN
   Registrar WHOIS Server: whois.tucows.com
   Registrar URL: http://www.tucows.com
   Updated Date: 2021-01-11T20:44:27Z
   Creation Date: 2021-01-11T20:44:26Z
   Registry Expiry Date: 2022-01-11T20:44:26Z
   Registrar: Tucows Domains Inc.
   Registrar IANA ID: 69
   Registrar Abuse Contact Email:
   Registrar Abuse Contact Phone:
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: 1-YOU.NJALLA.NO
   Name Server: 2-CAN.NJALLA.IN
   Name Server: 3-GET.NJALLA.FO
   DNSSEC: unsigned

Among the files offered are partial Microsoft Windows source code and other Microsoft repositories, source code for several Cisco products together with an internal bug-tracker dump, SolarWinds product source code (including Orion) with a customer-portal dump, and FireEye's private red-team tools with their source, binaries and documentation, for a combined asking price of 1,000,000 USD; the message promises more in the following weeks.

The encrypted archives, which were hosted on MEGA, are no longer available. Since they were distributed encrypted and only their sizes are known (2.6 GB, 1.7 GB, 612 MB and 39 MB), nothing about their contents can be confirmed.

The full message follows:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o

[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM

[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0

[More to come in the next weeks]

ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)

Data is encrypted with strong key.
Serious buyers only: [email protected]

- -
Q: Is this really happening? Can you provide proof?
A: Yes and yes.

Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back?
A: Talk to us.

Q: Why not leak it for free?
A: Nothing comes free in this world.

Q: How to buy?
A: Contact us for more information.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----
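Even without the signer's public key, which the site never published, the signature block above carries several fields in the clear, and they are worth extracting: the issuer fingerprint and key ID (to recognise future messages from the same key), the algorithms and key size, and the signing time, which can be set against the domain's WHOIS creation date. The parser below is an added example written for this page, not code from Blueliv or the SolarLeaks operators. It decodes the ASCII armor, walks the RFC 4880 signature packet and its subpackets (the Issuer Fingerprint subpacket, type 33, is defined in RFC 9580), checks that the key ID is the low 64 bits of the fingerprint, and computes how long after registration the message was signed. The embedded signature and the Creation Date line are taken from this page; the algorithm tables are trimmed to the common IDs, and only v4 signatures are handled.

```python
# Added example, not code from the Blueliv post or the SolarLeaks operators: read the fields an
# OpenPGP v4 signature exposes in the clear (RFC 4880 5.2.3; the Issuer Fingerprint subpacket,
# type 33, comes from its successor RFC 9580). No public key is needed, and none was published.
import base64
import datetime as dt

UTC = dt.timezone.utc
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
# Page data, not constructed: the signature block exactly as quoted in the post, and its WHOIS creation date.
ARMORED_SIGNATURE = """-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----"""
WHOIS_EXCERPT = "   Creation Date: 2021-01-11T20:44:26Z\n   Name Server: 1-YOU.NJALLA.NO\n"

def dearmor(armored: str) -> bytes:
    """Base64-decode the armor body, skipping BEGIN/END lines, armor headers and the '=CRC24' line."""
    lines = [ln.strip() for ln in armored.strip().splitlines()[1:-1]]
    start = lines.index("") + 1 if "" in lines else 0          # a blank line ends the armor headers
    return base64.b64decode("".join(ln for ln in lines[start:] if not ln.startswith("=")))

def packet_header(data: bytes):
    """(tag, body_offset, body_length) of the first packet, old- or new-format header (RFC 4880 4.2)."""
    ctb = data[0]
    if (ctb & 0xC0) == 0xC0:                       # new-format header; partial body lengths rejected
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length in a signature packet")
    if not ctb & 0x80 or (ctb & 0x03) == 3:        # bit 7 clear: not a packet; length type 3: indeterminate
        raise ValueError("not a usable old-format packet header")
    size = 1 << (ctb & 0x03)                       # old format: 1, 2 or 4 length octets
    return (ctb >> 2) & 0x0F, 1 + size, int.from_bytes(data[1:1 + size], "big")

def parse_subpackets(area: bytes) -> dict:
    """Walk a subpacket area (RFC 4880 5.2.3.1) for creation time, issuer key ID and fingerprint."""
    out, pos = {}, 0
    while pos < len(area):
        first = area[pos]                          # subpacket length: 1, 2 or 5 octets
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(area[pos + 1:pos + 5], "big"), pos + 5
        sub_type, body = area[pos] & 0x7F, area[pos + 1:pos + length]   # top bit is the 'critical' flag
        pos += length
        if sub_type == 2:                          # Signature Creation Time, 4-octet Unix time
            out["created"] = dt.datetime.fromtimestamp(int.from_bytes(body, "big"), UTC)
        elif sub_type == 16:                       # Issuer Key ID, 8 octets
            out["issuer_keyid"] = body.hex().upper()
        elif sub_type == 33:                       # Issuer Fingerprint: key version octet + 20 octets for v4
            out["issuer_fingerprint"] = body[1:].hex().upper()
    return out

def parse_signature(armored: str) -> dict:
    """Parse a v4 signature packet (RFC 4880 5.2.3) into the fields visible without the key."""
    data = dearmor(armored)
    tag, off, length = packet_header(data)
    pkt = data[off:off + length]
    if tag != 2 or len(pkt) != length or pkt[0] != 4:
        raise ValueError("not a complete v4 signature packet")
    info = {"sig_type": pkt[1],                    # 0x01 = canonical text document, as in cleartext signatures
            "pubkey_algo": PUBKEY_ALGOS.get(pkt[2], f"unknown({pkt[2]})"),
            "hash_algo": HASH_ALGOS.get(pkt[3], f"unknown({pkt[3]})")}
    hl = int.from_bytes(pkt[4:6], "big")           # hashed subpacket area length
    ul = int.from_bytes(pkt[6 + hl:8 + hl], "big")  # unhashed subpacket area length
    mpi = 10 + hl + ul                             # past the 2-octet hash prefix, at the first MPI
    info["sig_bits"] = int.from_bytes(pkt[mpi:mpi + 2], "big")   # MPI bit length = RSA modulus size
    info.update(parse_subpackets(pkt[8 + hl:8 + hl + ul]))       # unhashed: not covered by the signature...
    info.update(parse_subpackets(pkt[6:6 + hl]))                 # ...so hashed values override them
    fp, kid = info.get("issuer_fingerprint", ""), info.get("issuer_keyid", "")
    # A v4 key ID is the low 64 bits of its fingerprint; a mismatch means the packet was altered.
    info["keyid_matches_fingerprint"] = bool(fp and kid) and fp.endswith(kid)
    return info

def registered_to_signed(whois_text: str, armored: str) -> dt.timedelta:
    """Time from the registry 'Creation Date' to the signature's creation time."""
    for line in whois_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Creation Date":
            registered = dt.datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
            return parse_signature(armored)["created"] - registered
    raise ValueError("no Creation Date in WHOIS record")

if __name__ == "__main__":
    print(parse_signature(ARMORED_SIGNATURE))
    print("registered -> signed:", registered_to_signed(WHOIS_EXCERPT, ARMORED_SIGNATURE))
```

Run as a script it prints the parsed fields; for the signature above they are a 2048-bit RSA key with SHA-256, fingerprint 24516C2E1CC7890832771178E2C73BC53B9118A0, created 2021-01-12 16:02:51 UTC, some 19 hours after the domain was registered. Only the hashed subpacket area is covered by the signature, and since the signature itself cannot be verified here, none of these values is authenticated: they are consistent with the message, not proof of who wrote it.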


The post SolarWinds aftermath continues with SolarLeaks appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Blueliv Labs. Read the original post at: https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/solarwinds-aftermath-continues-with-solarleaks/