SolarLeaks – a new chapter in the SolarWinds data breach

SolarWinds data breach every week returns like a boomerang – this time with SolarLeaks [.]net website, whose owners claim to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. And it seems there were the same attackers who abused one of Mimecast’s certificates to access M365 accounts… And it’s not the end of Microsoft’s problems described today…

What more? Capcom, game manufacturer and publisher (i.e. Resident Evil, Street Fighter) released a new update for their ransomware attack and data breach investigation. The incident was worse than initially thought…

SolarLeaks site claims to sell data stolen in SolarWinds attacks

Yes, there are still rumours about SolarWinds hack and a sophisticated cyberattack that led to a supply chain attack affecting 18,000 customers. On Tuesday, a solarleaks [.]net website was launched that claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. All of these companies are known to have been breached during the supply chain attack.

The website claims to be selling Microsoft source code and repositories for $600,000. As we mentioned in the last edition of Xopero Security Center, Microsoft confirmed that threat actors accessed their source code during their SolarWinds breach. The threat actors also claim to be selling the source code for multiple Cisco products, even more concerning, the company’s internal bug tracker. However, the company states that there is no evidence that attackers stole their source code.

What about FireEye? The website also claims to be selling the private red team tools, and source code that FireEye disclosed were stolen during their attack for $50,000.

Finally, the website sells SolarWinds source code and a dump of the customer portal for $250,000.

Oh, and there is a volume discount! For $1 million, you get all of the leaked data.

The SolarLeaks actors state that they will be selling the stolen data in batches, and more will be released at a later date. 

When looking at the WHOIS record for solarleaks[.]net, the assigned name servers also taunt researchers with the statement “You Can Get No Info”. It is not confirmed if this site is legitimate and if the site owners have the data they are selling.

Couple days later the SolarLeaks site was updated to include a new message stating that ProtonMail shutdown their email, and that buyers who want to see a sample of the data should send 100 XMR, or approximately $16,000, to a listed Monero address.

To make matters worse, a copycat site at SolarLeak[.]net has been created with the same website content, but a different Monero address. 

To be continued. 


Hackers abused one of Mimecast’s certificates to access Microsoft 365 accounts. They could be the SolarWinds attackers

Mimecast, a company that makes cloud email management software, on Tuesday, 12th, disclosed a security incident, alerting customers that “a sophisticated threat actor” has obtained one of its digital certificates and abused it to gain access to some of its clients’ Microsoft 365 accounts. The company said it learned of the incident from Microsoft after the tech giant detected unauthorized access to some accounts.

The London-based email software company said the certificate in question was used by several of its products to connect to Microsoft infrastructure – including Mimecast Sync and Recover, Continuity Monitor and IEP products.

The company said that around 10% of all its customers used the affected products with this particular certificate, however, the “sophisticated threat actor” abused the certificate to gain access to only a handful of these customers’ Microsoft 365 accounts.

The company is now asking all other customers to “immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate [they]’ve made available.”

An investigation into the incident is ongoing, with the company noting that it will work closely with Microsoft and law enforcement as appropriate. Interesting is that the tools and techniques used in this attack link these operators to those who recently targeted SolarWinds, The Wall Street Journal reports. Mimecast was a SolarWinds customer in the past but no longer uses the Orion software. The company has not determined how attackers got in or whether its earlier use of SolarWinds could have left it vulnerable. 

Source: 12

Sophisticated hacking campaign uses Windows and Android zero-days

The Google Project Zero team together with the Google Threat Analysis Group (TAG), discovered a watering hole attack targeting Windows and Android systems that was carried out by a highly sophisticated actor.

Threat actors behind the attacks exploited multiple vulnerabilities in Android, Windows, and chained them with Chrome flaws. The attackers exploited both zero-days and n-days exploits for the initial remote code execution to finally take over the victim’s devices

The attacks employed two exploit servers that were triggering multiple vulnerabilities through different exploit chains in watering hole attacks. 

The experts were able to extract the following code from the exploit servers:

  • Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
  • Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
  • A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.

The chains used by the attackers included the following 0-days flaws:

  • CVE-2020-6418 – Chrome Vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1020 – Font Vulnerability on Windows (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS Vulnerability (fixed April 2020)

Google highlighted the level of sophistication of this campaign, the threat actors appear to be well resourced and the overall operations well-engineered.

Note: In another campaign hackers are actively exploiting Windows Defender Zero-Day Bug, which has been patched by Microsoft together with 83 other vulnerabilities within their products. Please update now! 

Source: 12

Capcom: 390,000 people may be affected in the recent ransomware attack

On November 2nd, Capcom suffered a cyberattack by the Ragnar Locker ransomware operation who stated they stole 1TB of data from the company. The ransomware operation demanded an $11 million ransom in bitcoins to not release the stolen files and provide a decrypter.

The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Resident Evil, Darkstalkers, Devil May Cry, Dino Crisis, Onimusha, Dead Rising,  Ghosts ‘n Goblins, Sengoku Basara, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties

Last week, Capcom released a new update for their data breach investigation, that revealed the incident was worse than initially thought. The company stated that they have confirmed 16 415 people whose personal information was exposed with a possible total number of 390,000 people! Including business partners, former employees, employees and related parties. 

For the confirmed 16,406 people, Capcom states the exposed data could be a mix of names, addresses, phone numbers, email addresses and business information (sales reports, financial information, game development documents and more).

BleepingComputer has been told by ransomware gangs that they save more valuable data for online auctions or to use in further attacks. This means that the data that was leaked may not be all of the data that they stole.

The company pointed out that the investigation is still ongoing and that new fact may come to light.

Have you played Capcom games? Then it is safer to assume that your data was breached during the attack. Be vigilant on further phishing attacks. Better change your Capcom password, and if used at other sites, change them there as well. 


Do you have thirst for knowledge? There are ten more cybersecurity stories below

1. Authorities take down World’s largest illegal Dark Web Marketplace (The Hacker News)
2. EMA: Some of Pfizer/BioNTech COVID-19 vaccine data was leaked online (Security Affairs)
3. United Nations security flaw exposed 100K staff records (DarkReading)
4. Adobe fixes critical code execution vulnerabilities in 2021’s first major patch round (ZDNet)
5. Operation Spalax: Targeted malware attacks in Colombia (WeLiveSecurity)
6. SolarWinds hack investigation reveals new Sunspot malware (Help Net Security)
7. Chinese Startup Leaks Social Profiles of 214 Million Users (Infosecurity Magazine)
8. It’s finally over! Time to uninstall Adobe Flash Player (Bleeping Computer)
9. SolarWinds Hack Potentially Linked to Turla APT (Threat Post)
10. ‘Chimera’ Threat Group Abuses Microsoft & Google Cloud Services (DarkReading)