[German]A website called SolarLeaks offers source code allegedly captured from the Solarburst backdoor attacks in SolarWinds Orion products at Cisco, Microsoft, and SolarWinds. However, these could be copycats. In addition, a third malware, SunBurst, was discovered on SolarWinds’ build systems. It was through the malware that the supply chain attack took place.
I came across the issue via Bleeping Computer’s tweet, which is quite mysterious. The related article can be found here. A new site solarleaks[dot]net offers source code allegedly captured in the attacks via the solarburst backdoor in SolarWinds Orion products at Cisco, Microsoft and SolarWinds.
In the past few hours, this page seems to have possibly gone offline several times – currently, however, it is accessible again. Below is a screenshot of the page:
Allegedly, parts of the Windows source code, various Cisco source codes as well as the source code of the SolarWinds Orion product and the FireEye Red Team tools are to be had. Costs a total of $1 million for everything, but there is also the option to buy parts.
It’s a big fake/fraud?
The intriguing question is whether the offer is a huge scam. Because the operators of the website demand 100 moneros (cryptocurrency), which currently corresponds to 167.49 US dollars, as an upfront payment in order to do business with interested parties. Only then, they say, can they send sample material. If 1,000 people go for it, that alone would already mean $167,000 in revenue for nothing.
According to this tweet, the domain for the site was registered through NJALLA, a provider also used by hacker groups Fancy Bear and Cozy Bear. This suggests that those behind the site have at least a little bit of information about how Russian hacker groups operate. However, follow-up tweets raise the question of why they aren’t selling the SolarWinds customer database in pieces. No one is going to plunk down a quarter-million US dollars for the SolarWinds stuff.
In this tweet, someone points out that the domain has been in use for 13 years and some things point to the Lazarus Group (suspected North Korean state hackers). When setting up the site, those behind it made mistakes, according to this tweet, so that IP addresses that connected to the server were viewable. That has probably been corrected in the meantime.
Josef Cox has found mirror servers and writes that so far there is no proof that the operators have real material in their fingers. Lorenzo Franceschi assumes fraud in this tweet. Lawrence Abrams from Bleeping Computer also assumes fraud in this tweet, since no valid e-mail address was provided for communication. Let’s see what else comes to light.
Third SolarWinds malware SunSpot detected
Meanwhile, new details about the supply chain attack continue to come to light. Previously, it was known that the SolarWinds Orion software was compromised by the SolarBurst backdoor and that another malware, introduced through a vulnerability in the Orion products, was found on some systems. ZDnet reports in this article that a third malware was found on the build servers of the victim SolarWinds.
Cybersecurity firm CrowdStrike, one of the companies directly involved in investigating the attack on SolarWinds’ supply chain, discovered the malware and named it SunSpot. A technical analysis of the malware can be found in this CrowdStrike report. In summary, the following can be extracted:
- SUNSPOT is a malware from StellarParticle that was used to inject the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
- SUNSPOT monitors running processes involved in compiling the Orion product and replaces one of the source files to insert the SUNBURST backdoor code.
- SUNSPOT was designed with several safeguards to prevent Orion builds from failing and alerting developers to the attacker’s presence.
Thus, the SunSpot malware is responsible for the original source code manipulation. The attackers went to great lengths to drive the supply chain attack. Brian Krebs then goes on to disclose the timing of the attack in this report. According to this SolarWinds blog post, the attackers first penetrated the company’s IT systems on September 4, 2019.
The above graph shows how long the attackers were able to move around the system undetected. In June 2020, the malware was removed from the SolarWinds build servers – the attackers had probably nested on the systems of the intended victims. SolarWinds was not informed about the SunBurst malware until December 2020, and SolarSpot was not even found until January 11, 2021.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft’s analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian ATP malware
Cookies helps to fund this blog: Cookie settings