SolarWinds aftermath continues with SolarLeaks
Early this week a website purportedly run by the actors behind the SolarWinds breach surfaced, claiming to sell data obtained through the SolarWinds backdoor.
The site, hosted at solarleaks.net, displays nothing but a PGP-signed message in which the actors post download links for the stolen data, which is offered only in encrypted form. The signature carries a creation timestamp of 12 January 2021 and an issuer fingerprint of 24516C2E1CC7890832771178E2C73BC53B9118A0 (an RSA key). Note what this does and does not establish: no public key is displayed alongside the message, so readers cannot verify the signature or tie the key to any known identity; the fingerprint is useful mainly for linking any future messages signed with the same key to this one.
The domain solarleaks.net was registered on 11 January 2021 at 20:44 UTC, the day before the message was signed, through Tucows, with name servers at Njalla, a privacy-oriented domain service that shields registrant identity. The message also advertises a Tor hidden-service mirror, presumably to keep the site reachable if the clearnet domain is taken down:
$ whois solarleaks.net
Domain Name: SOLARLEAKS.NET
Registry Domain ID: 2584153959_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://www.tucows.com
Updated Date: 2021-01-11T20:44:27Z
Creation Date: 2021-01-11T20:44:26Z
Registry Expiry Date: 2022-01-11T20:44:26Z
Registrar: Tucows Domains Inc.
Registrar IANA ID: 69
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: 1-YOU.NJALLA.NO
Name Server: 2-CAN.NJALLA.IN
Name Server: 3-GET.NJALLA.FO
DNSSEC: unsigned
The listing offers four encrypted archives: partial Microsoft Windows source code together with other Microsoft repositories, source code for multiple Cisco products plus an internal bug-tracker dump, SolarWinds product source code (including Orion) with a customer-portal dump, and FireEye's private red-team tools with source, binaries and documentation. They are priced individually at 600,000, 500,000, 250,000 and 50,000 USD, or 1,000,000 USD for everything, and the message promises further batches in the coming weeks.
The encrypted archives, which were hosted on Mega (mega.nz), are no longer available at the linked URLs.
The full message reads:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!

Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o

[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM

[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0

[More to come in the next weeks]

ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)

Data is encrypted with strong key.

Serious buyers only: [email protected]

- -

Q: Is this really happening? Can you provide proof?
A: Yes and yes.

Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back?
A: Talk to us.

Q: Why not leak it for free?
A: Nothing comes free in this world.

Q: How to buy?
A: Contact us for more information.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----
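The signing date and key fingerprint quoted earlier in this post can be checked directly from the signature block above, because a version 4 OpenPGP signature packet carries a creation-time subpacket and an issuer-fingerprint subpacket in its hashed area, readable without any public key. The script below is an added example written for this article, not code from Blueliv or from the solarleaks.net operators. It de-armors the signature exactly as reproduced on this page (the only input is the published block, not constructed data), parses the packet header and subpackets per RFC 4880, reports the signature type, algorithms, issuer key ID and fingerprint, creation time and RSA modulus size, and recomputes the armor CRC-24 to confirm the transcription is intact. It reads metadata only; verifying the signature itself would require the signer's public key, which the site does not display.

```python
import base64
import datetime

# The armored signature as published in the solarleaks.net message (copied from
# the page above, not constructed), with the blank line that RFC 4880 requires
# between the BEGIN line and the base64 body restored.
ARMORED_SIGNATURE = """\
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----
"""

PUBKEY_ALGOS = {1: "RSA", 3: "RSA (sign only)", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> tuple:
    """Return (raw packet bytes, CRC-24 value from the '=XXXX' armor trailer)."""
    body, trailer_crc, inside = [], None, False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif not inside or not line or ":" in line:
            continue  # outside the block, the blank separator, or an armor header
        elif line.startswith("="):
            trailer_crc = int.from_bytes(base64.b64decode(line[1:]), "big")
        else:
            body.append(line)
    return base64.b64decode("".join(body)), trailer_crc


def subpackets(data: bytes):
    """Yield (type, payload) for each signature subpacket (RFC 4880, 5.2.3.1)."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]  # high bit marks "critical"
        i += length


def parse_signature(packet: bytes) -> dict:
    """Decode header fields and metadata subpackets of one v4 signature packet."""
    ctb = packet[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format packet header
        tag, first = ctb & 0x3F, packet[1]
        if first < 192:
            body = packet[2:2 + first]
        elif first < 224:
            body = packet[3:3 + ((first - 192) << 8) + packet[2] + 192]
        else:
            body = packet[6:6 + int.from_bytes(packet[2:6], "big")]
    else:  # old-format header: tag in bits 2-5, length-type in the low two bits
        tag, nlen = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
        body = packet[1 + nlen:1 + nlen + int.from_bytes(packet[1:1 + nlen], "big")]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    info = {
        "sig_type": SIG_TYPES.get(body[1], hex(body[1])),
        "pubkey_algo": PUBKEY_ALGOS.get(body[2], str(body[2])),
        "hash_algo": HASH_ALGOS.get(body[3], str(body[3])),
    }
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = int.from_bytes(body[off:off + 2], "big")
    unhashed = body[off + 2:off + 2 + unhashed_len]
    off += 2 + unhashed_len
    info["hash_prefix"] = body[off:off + 2].hex().upper()  # left 16 bits of the hash
    info["key_bits"] = int.from_bytes(body[off + 2:off + 4], "big")  # first MPI length
    for kind, payload in list(subpackets(hashed)) + list(subpackets(unhashed)):
        if kind == 2:     # signature creation time, seconds since the epoch
            ts = int.from_bytes(payload, "big")
            info["created"] = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
        elif kind == 16:  # issuer key ID (low 64 bits of the fingerprint)
            info["key_id"] = payload.hex().upper()
        elif kind == 33:  # issuer fingerprint: one version byte, then the fingerprint
            info["fingerprint"] = payload[1:].hex().upper()
    return info


def analyse(armored: str = ARMORED_SIGNATURE) -> dict:
    packet, trailer_crc = dearmor(armored)
    info = parse_signature(packet)
    info["crc_ok"] = crc24(packet) == trailer_crc
    return info


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:12} {value}")
```

Two caveats when reading the output. The creation time is written by the signer's own software from the signer's clock, so it is a claim by the actors, not an independent timestamp; it is consistent with the WHOIS creation date but proves nothing on its own. And the fingerprint identifies a key, not a person: its value to defenders is that any later message claiming to come from the same group can be checked for a signature by the same key, which an impersonator could not produce.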
The post SolarWinds aftermath continues with SolarLeaks appeared first on Blueliv. This is a Security Bloggers Network syndicated blog from Blueliv, authored by Blueliv Labs. Read the original post at: https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/solarwinds-aftermath-continues-with-solarleaks/