A new website identified as “SolarLeaks” offers data purportedly looted from companies that were compromised in the SolarWinds attack.
Last month, SolarWinds disclosed that it had experienced a sophisticated cyber attack, a supply chain breach that impacted 18,000 customers.
This sophisticated attack was “likely” operated by a Russian state-sponsored hacking group that tried to gain access to victims’ cloud-stored data such as files and emails, according to a joint statement released by the FBI, CISA, and NSA.
Today, a newly released Solarleaks (.)net website was spotted, claiming to be selling data stolen from big names such as Microsoft, Cisco, FireEye, and SolarWinds, all of which are known to have been affected by the attack on the Orion supply chain.
The website’s price list offers Microsoft source code for $600,000. Cisco’s source code for internal bug tracking has also been put up for sale. The platform also claims to offer FireEye’s private red team software and source code for $50,000. SolarWinds’ source code and a dump of its customer portal could be bought for $250,000 from the data-leaking site. The platform notes that all of the stolen data could be bought together for $1 million. The actors behind the SolarLeaks site claim that the stolen data will be sold in batches and that more data will be published for sale in the coming days.
The registrar of the solarleaks.net domain is Njalla, a registrar known to have been used by the Russian Fancy Bear and Cozy Bear hacking groups. If you look at the WHOIS record for solarleaks[.]net, the name servers are set to “You Can Get No Info”.
It has still not been proven that the site is legitimate or that the actors behind it really have the data they claim to be selling. The email address listed on the site returns an error message stating that the address does not exist.
In the meantime, the ongoing investigation of the SolarWinds attack is revealing new details about the malware that was used.
Third malware strain detected in the SolarWinds supply chain attack
A third strain of malware used in the SolarWinds Orion attack was discovered by CrowdStrike, one of the security companies actively involved in the investigation of the hack.
This discovery, dubbed Sunspot, adds to the previously uncovered malware strains Sunburst (Solorigate) and Teardrop.
CrowdStrike announced today that Sunspot was introduced in September 2019, after the hackers first broke into SolarWinds’ internal network.
Sunspot was installed on the SolarWinds build server, a type of software that helps developers assemble smaller components into larger software applications.
In their publication, CrowdStrike explained that Sunspot’s main aim was to watch the build server for build commands related to Orion, a top SolarWinds product widely used for IT resource management, with more than 33,000 clients worldwide.
The malware was used to secretly overwrite source code in the Orion app with files that load the Sunburst malware.
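The build-time check that follows is an added example, not code from the article or from CrowdStrike: it records a hash manifest of the source tree at checkout time and re-verifies it immediately before the compiler is invoked, so a file swapped in on the build host between those two points (the pattern attributed to Sunspot above) is reported before it is compiled. The file names, contents and directory layout are constructed for the demonstration and are not real Orion sources.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifests(expected, actual):
    """Return (modified, added, removed) relative paths between two snapshots."""
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    added = sorted(p for p in actual if p not in expected)
    removed = sorted(p for p in expected if p not in actual)
    return modified, added, removed

def verify_before_compile(root, expected):
    """Re-hash the tree right before compilation and report any drift from the
    checkout-time manifest. 'clean' is False if anything changed in between."""
    modified, added, removed = diff_manifests(expected, snapshot_tree(root))
    return {"clean": not (modified or added or removed),
            "modified": modified, "added": added, "removed": removed}

def demo():
    """Constructed scenario: a checkout with two source files, then one file
    silently replaced and one unexpected file dropped in between checkout and
    compile, which is the kind of tampering the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "Main.cs").write_text("class Main { }\n")
        (src / "Util.cs").write_text("class Util { }\n")
        expected = snapshot_tree(tmp)  # manifest taken at checkout time
        (src / "Main.cs").write_text("class Main { /* swapped in */ }\n")
        (src / "Extra.cs").write_text("class Extra { }\n")  # unexpected new file
        return verify_before_compile(tmp, expected)

if __name__ == "__main__":
    result = demo()
    print("clean" if result["clean"] else f"tampered: {result}")
```

In a real pipeline the checkout-time manifest would be produced on a separate, trusted host (or derived from the VCS commit) rather than on the build server itself, so that malware on the build host cannot simply rewrite the manifest along with the sources.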
The SolarWinds Supply Chain Attack Explained
The trojanized Orion builds then made their way onto the official SolarWinds update servers and were installed on the networks of Orion’s customers.
Once that had occurred, the Sunburst malware would run inside internal business and government networks, where it gathered details on its victims and transmitted them back to the hackers behind the SolarWinds attack.
The malicious actors would then determine whether a victim was worth exploiting further and would install the Teardrop backdoor Trojan on those systems. On networks considered not of high value, or too risky, Sunburst was removed.
The news about a third malware strain being involved in the SolarWinds attack is a major update on the incident.
Analysis from researchers not formally involved in the SolarWinds investigation has recently produced another interesting discovery. A close look at the code of the Sunburst malware has shown significant similarities with another malware strain known as Kazuar, which is used by the most advanced Russian state-run cyberespionage outfit, known as the Turla Group.