SolarWinds data breach every week returns like a boomerang – this time with SolarLeaks [.]net website, whose owners claim to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. And it seems there were the same attackers who abused one of Mimecast’s certificates to access M365 accounts… And it’s not the end of Microsoft’s problems described today…
What more? Capcom, game manufacturer and publisher (i.e. Resident Evil, Street Fighter) released a new update for their ransomware attack and data breach investigation. The incident was worse than initially thought…
SolarLeaks site claims to sell data stolen in SolarWinds attacks
Yes, there are still rumours about SolarWinds hack and a sophisticated cyberattack that led to a supply chain attack affecting 18,000 customers. On Tuesday, a solarleaks [.]net website was launched that claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. All of these companies are known to have been breached during the supply chain attack.
The website claims to be selling Microsoft source code and repositories for $600,000. As we mentioned in the last edition of Xopero Security Center, Microsoft confirmed that threat actors accessed their source code during their SolarWinds breach. The threat actors also claim to be selling the source code for multiple Cisco products, even more concerning, the company’s internal bug tracker. However, the company states that there is no evidence that attackers stole their source code.
What about FireEye? The website also claims to be selling the private red team tools, and source code that FireEye disclosed were stolen during their attack for $50,000.
Finally, the website sells SolarWinds source code and a dump of the customer portal for $250,000.
Oh, and there is a volume discount! For $1 million, you get all of the leaked data.
The SolarLeaks actors state that they will be selling the stolen data in batches, and more will be released at a later date.
When looking at the WHOIS record for solarleaks[.]net, the assigned name servers also taunt researchers with the statement “You Can Get No Info”. It is not confirmed if this site is legitimate and if the site owners have the data they are selling.
Couple days later the SolarLeaks site was updated to include a new message stating that ProtonMail shutdown their email, and that buyers who want to see a sample of the data should send 100 XMR, or approximately $16,000, to a listed Monero address.
To make matters worse, a copycat site at SolarLeak[.]net has been created with the same website content, but a different Monero address.
To be continued.
Hackers abused one of Mimecast’s certificates to access Microsoft 365 accounts. They could be the SolarWinds attackers
Mimecast, a company that makes cloud email management software, on Tuesday, 12th, disclosed a security incident, alerting customers that “a sophisticated threat actor” has obtained one of its digital certificates and abused it to gain access to some of its clients’ Microsoft 365 accounts. The company said it learned of the incident from Microsoft after the tech giant detected unauthorized access to some accounts.
The London-based email software company said the certificate in question was used by several of its products to connect to Microsoft infrastructure – including Mimecast Sync and Recover, Continuity Monitor and IEP products.
The company said that around 10% of all its customers used the affected products with this particular certificate, however, the “sophisticated threat actor” abused the certificate to gain access to only a handful of these customers’ Microsoft 365 accounts.
The company is now asking all other customers to “immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate [they]’ve made available.”
An investigation into the incident is ongoing, with the company noting that it will work closely with Microsoft and law enforcement as appropriate. Interesting is that the tools and techniques used in this attack link these operators to those who recently targeted SolarWinds, The Wall Street Journal reports. Mimecast was a SolarWinds customer in the past but no longer uses the Orion software. The company has not determined how attackers got in or whether its earlier use of SolarWinds could have left it vulnerable.
Sophisticated hacking campaign uses Windows and Android zero-days
The Google Project Zero team together with the Google Threat Analysis Group (TAG), discovered a watering hole attack targeting Windows and Android systems that was carried out by a highly sophisticated actor.
Threat actors behind the attacks exploited multiple vulnerabilities in Android, Windows, and chained them with Chrome flaws. The attackers exploited both zero-days and n-days exploits for the initial remote code execution to finally take over the victim’s devices
The attacks employed two exploit servers that were triggering multiple vulnerabilities through different exploit chains in watering hole attacks.
The experts were able to extract the following code from the exploit servers:
- Renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery.
- Two sandbox escape exploits abusing three 0-day vulnerabilities in Windows.
- A “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android.
The chains used by the attackers included the following 0-days flaws:
- CVE-2020-6418 – Chrome Vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938 – Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1020 – Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1027 – Windows CSRSS Vulnerability (fixed April 2020)
Google highlighted the level of sophistication of this campaign, the threat actors appear to be well resourced and the overall operations well-engineered.
Note: In another campaign hackers are actively exploiting Windows Defender Zero-Day Bug, which has been patched by Microsoft together with 83 other vulnerabilities within their products. Please update now!
Capcom: 390,000 people may be affected in the recent ransomware attack
On November 2nd, Capcom suffered a cyberattack by the Ragnar Locker ransomware operation who stated they stole 1TB of data from the company. The ransomware operation demanded an $11 million ransom in bitcoins to not release the stolen files and provide a decrypter.
The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Resident Evil, Darkstalkers, Devil May Cry, Dino Crisis, Onimusha, Dead Rising, Ghosts ‘n Goblins, Sengoku Basara, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties
Last week, Capcom released a new update for their data breach investigation, that revealed the incident was worse than initially thought. The company stated that they have confirmed 16 415 people whose personal information was exposed with a possible total number of 390,000 people! Including business partners, former employees, employees and related parties.
For the confirmed 16,406 people, Capcom states the exposed data could be a mix of names, addresses, phone numbers, email addresses and business information (sales reports, financial information, game development documents and more).
BleepingComputer has been told by ransomware gangs that they save more valuable data for online auctions or to use in further attacks. This means that the data that was leaked may not be all of the data that they stole.
The company pointed out that the investigation is still ongoing and that new fact may come to light.
Have you played Capcom games? Then it is safer to assume that your data was breached during the attack. Be vigilant on further phishing attacks. Better change your Capcom password, and if used at other sites, change them there as well.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create more accessible and affordable secure data protection solution for any businesses. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance, In 2017, Xopero fully extended into global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technological Alliance.