SolarWinds, FireEye, Microsoft and Cisco leaks

January 13, 2021 | Article

Note

The message from the solarleaks.net owner(s) has been updated, check the bottom of this post. Keep in mind that no torrent files are hosted on this website.

Encrypted files purportedly containing source code of Microsoft Windows, Cisco, FireEye and SolarWinds products were published on a new website today. I'll keep updating this post as more information is uncovered; if you have anything to share on this subject, please email me.

The website

The message was posted on the solarleaks.net website, with a mirror on the Tor network (use the Tor Browser to reach it).

  • website: solarleaks[.]net
  • tor onion: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd[.]onion

What we know so far

The message carries a signature that names the RSA key with fingerprint 24516C2E1CC7890832771178E2C73BC53B9118A0 as its issuer. Keep in mind that this fingerprint is only what the signature itself claims: without the public key, gpg cannot check the signature, so nothing about the message or its author has actually been verified. There is currently no key on any keyserver with that fingerprint.

$ gpg --verify solarleaks.net.asc
gpg: Signature made Tue Jan 12 16:02:51 2021 GMT
gpg:                using RSA key 24516C2E1CC7890832771178E2C73BC53B9118A0
gpg: Can't check signature: No public key
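To make that point concrete, here is an added example (not from the original post) that parses the first signature block quoted below and pulls out the fields gpg prints, the "using RSA key" fingerprint and the creation time among them, straight from the signature's own subpackets. Every value it returns is written by whoever produced the signature; only a successful check against the public key would bind the message to that key.

```python
import base64
# First signature block quoted in this post (solarleaks.net, 12 Jan 2021), copied verbatim.
ARMORED_SIG = """-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----"""

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

def dearmor(text):
    body = text.split("-----BEGIN PGP SIGNATURE-----")[1].split("-----END PGP SIGNATURE-----")[0]
    return base64.b64decode("".join(t for t in body.split() if not t.startswith("=")))  # skip CRC line

def subpackets(area):
    """Split an RFC 4880 subpacket area into {type: payload}; 1-byte lengths (< 192) only."""
    found, i = {}, 0
    while i < len(area):
        length = area[i]                      # counts the type byte plus the payload
        found[area[i + 1] & 0x7F] = area[i + 2:i + 1 + length]
        i += 1 + length
    return found

def parse_signature(armored):
    """Extract what gpg prints before verifying anything; every field here is signer-supplied."""
    pkt = dearmor(armored)
    if pkt[0] & 0xC0 != 0x80 or (pkt[0] >> 2) & 0x0F != 2 or pkt[0] & 0x03 != 1 or pkt[3] != 4:
        raise ValueError("expected a v4 signature in an old-format packet with a 2-byte length")
    body = pkt[3:3 + int.from_bytes(pkt[1:3], "big")]
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = subpackets(body[6:6 + hashed_len])
    pos = 6 + hashed_len
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    unhashed = subpackets(body[pos + 2:pos + 2 + unhashed_len])
    pos += 2 + unhashed_len + 2               # also skip the two "left 16 bits of hash" bytes
    return {
        "pubkey_algo": PUBKEY_ALGOS.get(body[2], body[2]),
        "hash_algo": HASH_ALGOS.get(body[3], body[3]),
        "created": int.from_bytes(hashed[2], "big"),            # subpacket 2: unix time, signer-chosen
        "issuer_fingerprint": hashed[33][1:].hex().upper(),     # subpacket 33: version byte + fingerprint
        "issuer_key_id": unhashed[16].hex().upper(),            # subpacket 16: 8-byte key id
        "rsa_bits": int.from_bytes(body[pos:pos + 2], "big"),   # MPI bit length of the signature value
    }
```

The creation time decodes to the same Tue Jan 12 16:02:51 2021 GMT that gpg reports, which again comes from a subpacket the signer fills in.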

The domain was registered with njal.la, a service started by Peter Sunde, founder of The Pirate Bay.

Domain Name: SOLARLEAKS.NET
Updated Date: 2021-01-11T20:44:27Z
Creation Date: 2021-01-11T20:44:26Z
Registry Expiry Date: 2022-01-11T20:44:26Z

The IP serving the website is 185.193.126.236; a query to whois.radb.net shows which AS number that IP belongs to.

$ whois -h whois.radb.net '185.193.126.236'
route:          185.193.126.0/23
origin:         AS39287

That AS number belongs to abstract.fi in Finland, which has several prefixes assigned to it.

$ whois -h whois.radb.net '!gAS39287'
A144
197.231.220.0/22 195.14.20.0/24 45.158.116.0/22 80.78.16.0/20 95.215.16.0/22 185.193.125.0/24 185.193.126.0/23 45.142.140.0/22 198.167.192.0/19
C

The ProtonMail address solarleaks@protonmail.com has a published (ProtonMail-generated) PGP public key.


The files

Mega.nz seems to have removed the four files for now, but the files on the solarleaks[.]net website are still up, and I added some mirrors for them.

  • feye.tgz.enc - 39M
    SHA256: fee8afa1081fffe6543cf0e82de05fdc4eca4e148aac98d074bc4aa1532d47bf
    Description: FireEye private redteam tools, source code, binaries and documentation.
    Download: Mega | solarleaks | mirror
  • swi.tgz.enc - 612M
    SHA256: fbfce5fd66dde0aa94d39ba5f271e0b52b618edc63328b0cfcbf6709caf185db
    Description: SolarWinds products source code (all including Orion) + customer portal dump.
    Download: Mega | solarleaks | mirror
  • csco.tgz.enc - 1.7G
    SHA256: 9aa822193900d67fcf240e6af8a8b7c296ef006c0386766aebd7de4d72f243cf
    Description: Cisco multiple products source code + internal bugtracker dump.
    Download: Mega | solarleaks | mirror
  • msft.tgz.enc - 2.6G
    SHA256: 4289a4e60b97cfba370838e68a06b7faabc45bc8960c990b8af63606f7c419df
    Description: Microsoft Windows (partial) source code and various Microsoft repositories.
    Download: Mega | solarleaks

The ‘secret’ hint

I can speculate that the 25b23446e6c29a8a1a0aac37fc3b65543fae4a7a385ac88dc3a5a3b1f42e6a9e secret in the updated message is the SHA256 hash of a sample that is not public yet.

Monero

Some info on the Monero address from the updated message.

  • Address: 486FSvAbzo9X3PPvoP5x[...]TgRDUSi6X9cwwJjMF594Dd31P97Sx4o (simplified, read the updated message for the full address)
  • Public view key: 67de815b6e3701c4ea80d90ca679c790c5b8d533ded75e6a006da31b8daf94c4
  • Public spend key: aaadb84586d6b8b39aaf958979dc32cb58b1ce9db423bd140489f7ef7cbfe066
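The view and spend keys above are simply the two 32-byte fields packed inside the address. The following added example (not part of the original post) decodes the full address from the updated message with Monero's block-wise base58 variant, which should reproduce the keys listed above; it reports the 4-byte Keccak checksum but does not recompute it, since Python's hashlib has no Keccak-256.

```python
# Monero's base58 variant: 8-byte blocks encode to 11 chars, a shorter final block to fewer.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LAST_BLOCK_BYTES = {0: 0, 2: 1, 3: 2, 5: 3, 6: 4, 7: 5, 9: 6, 10: 7, 11: 8}  # chars -> bytes

# The address from the updated solarleaks.net message, copied verbatim from the post.
ADDRESS = "486FSvAbzo9X3PPvoP5xoBb1iVewDqhJ44MCRuUW8BCsJ8TuiSyiaW4ZwLGLJJ1UTgRDUSi6X9cwwJjMF594Dd31P97Sx4o"

def _decode_block(chars, nbytes):
    value = 0
    for c in chars:
        idx = ALPHABET.find(c)
        if idx < 0:
            raise ValueError(f"invalid Monero base58 character {c!r}")
        value = value * 58 + idx
    if value >> (8 * nbytes):
        raise ValueError(f"block value does not fit in {nbytes} bytes")
    return value.to_bytes(nbytes, "big")

def monero_b58decode(text):
    full, rest = divmod(len(text), 11)
    if rest not in LAST_BLOCK_BYTES:
        raise ValueError("invalid trailing block length")
    out = b"".join(_decode_block(text[i:i + 11], 8) for i in range(0, full * 11, 11))
    return out + _decode_block(text[full * 11:], LAST_BLOCK_BYTES[rest])

def decode_address(addr):
    """Split a standard (or sub-) address into its fields; the checksum is reported, not checked."""
    raw = monero_b58decode(addr)
    if len(raw) != 69:
        raise ValueError(f"{len(raw)} bytes: only 69-byte standard/subaddresses are handled")
    return {
        "network_byte": raw[0],                 # 0x12 = mainnet standard address, 0x2A = subaddress
        "public_spend_key": raw[1:33].hex(),
        "public_view_key": raw[33:65].hex(),
        "checksum": raw[65:].hex(),             # first 4 bytes of Keccak-256(raw[:65])
    }
```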

The message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o

[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM

[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0

[More to come in the next weeks]

ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)

Data is encrypted with strong key.
Serious buyers only: solarleaks@protonmail.com

- -
Q: Is this really happening? Can you provide proof?
A: Yes and yes.

Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back?
A: Talk to us.

Q: Why not leak it for free?
A: Nothing comes free in this world.

Q: How to buy?
A: Contact us for more information.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/9yCsACgkQ4sc7xTuR
GKC/NwgAk/KZ9id9++Fi68M10rzd9uiC2DKTEX+qgJ9kEIASIvB/vh1uaS/mRZnj
GHf7I8D69zyI6FYlbndDN3DH6VUA21gD2dYxj7q79RpERQwV4PAO0iYRFBp0e3ho
nezYmVMMxB1GSsd+6AcdybLRJ1dmeIDB/mWnNa4S0jf45IkIw8/6j5965QxKlXBb
QlUShGTNom60BgpUOq7ud1ocH8c+HXbQdZpJ2LCq+CrQ+KuktMCsKUc1uydvTfDH
9zyjUtb3H9TC+zVugN3ANhtjDq0cIdOJQQ4vaGhnvLnXIDMvNQ1B4wxK+Ij50M8u
HD6LF0GUszJaNBdKylQaPV78sGqu3Q==
=HjXU
-----END PGP SIGNATURE-----

Update

The message was later updated with the following contents:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Happy new year!
Welcome to solarleaks.net (mirror: 5bpasg2kotxllmzsv6swwydbojnfuvfb7d6363pwe5wrzhjyn2ptvdqd.onion)

We are putting data found during our recent adventure for sale.

[Microsoft Windows (partial) source code and various Microsoft repositories]
price: 600,000 USD
data: msft.tgz.enc (2.6G)
link: https://mega.nz/file/1ehgSSpD#nrtzQwh-qyCaUHBXo2qQ1dNbWiyVHCvg8J0As8VjrX0

[Cisco multiple products source code + internal bugtracker dump]
price: 500,000 USD
data: csco.tgz.enc (1.7G)
link: https://mega.nz/file/sSgQmJLT#NqaaYXsFkASwAc51lcjBnWjP4zrbqiN-XQ7GVZGbL_o

[SolarWinds products source code (all including Orion) + customer portal dump]
price: 250,000 USD
data: swi.tgz.enc (612M)
link: https://mega.nz/file/xawhBQgJ#f3X6lPORF16wh-O9GiNVMVDZ6rxRKX64_XVR5y9KpFM

[FireEye private redteam tools, source code, binaries and documentation]
price: 50,000 USD
data: feye.tgz.enc (39M)
link: https://mega.nz/file/hOBnVYjL#l3qojAvaFWtYtcB3vX4ZABG3tBLGyhJarBBbYaHnM-0

[More to come in the next weeks]

ALL LEAKED DATA FOR 1,000,000 USD (+ bonus)

Data is encrypted with strong key.

- -
Q: Is this really happening? Can you provide proof?
A: Yes and yes.

Q: Why no more details?
A: We aren't fully done yet and we want to preserve the most of our current access. Consider this a first batch.

Q: I'm [vendor] and want my data back?
A: Talk to us.

Q: Why not leak it for free?
A: Nothing comes free in this world.

Q: How to buy?
A: Contact us for more information.
- -

UPDATE: We received too many messages at the moment and can't reply to everyone in a timely fashion.
Also, we are being censored as we speak and must act quickly. Our main and backup email addresses has been shut down.

We understand you want more information but we can't give away data for free. That would be an insult to our trusted buyers.
However we can provide sample data (for all leaks + bonus) as proof of ownership.

As we are considering serious partners only, this is how we will be dealing with inquiries:
Send exactly 100 XMR to the address below, add a payment id with your email address so we can contact you back. You should encode your email address as 32 bytes data in the payment id.

486FSvAbzo9X3PPvoP5xoBb1iVewDqhJ44MCRuUW8BCsJ8TuiSyiaW4ZwLGLJJ1UTgRDUSi6X9cwwJjMF594Dd31P97Sx4o

The payment id part is very important because this is our only way to contact you back (protonmail decided to shut us down). Only a matter of time before this website goes down too.
We will then discuss with another private email address (we will use the same gpg key 24516C2E1CC7890832771178E2C73BC53B9118A0).

This payment will be considered a small down payment, which will be substracted to your final purchase. We won't refund if you're not interested in the data after seeing the archive content.

What will you get? Sample data contains all of the archives metadata (content listing) + SolarWinds customer portal SQL dump as a gift.

NO NEGOTIATION. Don't waste our time. We will be in touch after your first confirmed payment.

Some hints on how we got our data: 
25b23446e6c29a8a1a0aac37fc3b65543fae4a7a385ac88dc3a5a3b1f42e6a9e

People with knowledge will know.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEJFFsLhzHiQgydxF44sc7xTuRGKAFAl/+6kkACgkQ4sc7xTuR
GKBtBgf/YdTgNcacc+akoNQjW7thmAcjaTWNo5RhAn+7YblwBhiF4mlgjuyilHCH
bhL8S5oL8keoa1WNQ1DSZZHtbYO6iF+iMpEcbfnUWSUeIED7/WN8ffD1hFE/soi8
LZ7gpyvuTD5zz9Maw/JKeHk9sCqo2O9IODV5YZrCzX+eBI5wvW8ub65NhwXdUfX1
nNLz5v23vShovf9bbV/tPcuVf7fIns5Lq9I3ndKiqV68u39qXvChDh1PwNikjdUp
TdkXG293BMry3lJVAzL3YRWQrXzr0YL9nBzf5PTjflu4m4RBeeyDXDcMtMY/VS/n
DQag3iEcETK7RuMrqmSatj/Ti31RDg==
=aIb7
-----END PGP SIGNATURE-----

The new message was signed with the same key:

$ gpg --verify new-solarleaks.net.asc
gpg: Signature made Wed Jan 13 12:40:41 2021 GMT
gpg:                using RSA key 24516C2E1CC7890832771178E2C73BC53B9118A0
gpg: Can't check signature: No public key