Threat Watch

New Leak Site Claims to Sell Data Stolen in SolarWinds Attacks

A new website called SolarLeaks appeared on January 12th, claiming without proof to have data that was stolen in the SolarWinds attacks. Among the companies SolarLeaks claims to have data for are Cisco, FireEye Microsoft and SolarWinds. The website included links to download encrypted files from the mega.nz file hosting service that they claim have data stolen from the four companies, and it lists various prices from $50,000 USD to $600,000 USD, along with an email address to contact for negotiation. According to reporters, the file download links no longer work, and email sent to the protonmail.com address given is returned as undeliverable. The message on the SolarLeaks website was digitally signed using PGP, but did not use key that could be publicly verified or attributed to any known threat group. Microsoft admitted in a December 31st blog post that its source code had been accessed during the breach but has said that there was no risk to any services or customer data.

“At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”

Cisco acknowledged the leak site in a security advisory yesterday and currently believes that no source code has been stolen.

“Cisco is aware of this website and has no evidence at this time of any theft of intellectual property related to recent events. We are committed to transparency and should we find information our customers need to be aware of, we will share it through our established channels.”

ANALYST NOTES

Binary Defense highly recommends that any companies still utilizing vulnerable versions of the SolarWinds software update immediately and thoroughly investigate systems for any evidence that trusted domains were added to ADFS servers or that forged SAML tokens were used to access federated cloud resources without actually authenticating first. The claims made by the SolarLeaks website has not been verified and should not be relied on as facts. Defenders should watch for any future security announcements from Cisco, and be ready to apply security patches in a timely manner if Cisco advises it, but there is no current information to suggest that any immediate action is necessary. Binary Defense also recommends that companies stay vigilant, looking out for possible phishing attacks in the future and keeping products from affected companies up to date as security patches are released.

Source: https://www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/

https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/

https://tools.cisco.com/security/center/resources/solarwinds_orion_event_response