VMware Hacked, Source Code Leaked
VMware is admitting that hackers have placed their dirty hands on some of the company’s source code and posted it online. However, VMware is claiming that there is no increased risk to customers due to the security breach. About 300MB of source code was leaked.
“Our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe. The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” the company stated. According to VMware, source code and interfaces are shared with industry participants to “enable the broad virtualization ecosystem today.” There is a possibility that more of the source code will be leaked in the near future but VMware believes it poses no increased security risk for its customers.
The virtualization software house first became aware of the breach on April 23, after the posting on Pastebin of a single file pertaining to their VMware ESX source code. The company has warned that future public postings of source code are possible but insists there is little risk to those using their virtualization suite.
Speculation currently suggests that the source of the leak is a Chinese import-export company, the China National Electronics Import-Export Corporation (CEIEC), which suffered at the hands of hackers in March. At the time, it was reported that a potential 1 terabyte of data was stolen.
Hardcore Charlie confirmed in IRC conversations with Kaspersky that the stolen data can be traced back to the breach of a Sina.com server, which resulted in thousands of email accounts being compromised. He went on to say that he enlisted the help of another hacker, @YamaTough, to crack the cryptographic hashes securing the Sina data. Access to CEIEC was later found in the emails once they were decrypted.
Kaspersky also later confirmed “what appear to be internal VMware communications, pasted onto CEIEC letterhead and with official looking stamps,” which Mulholland speculated “were manually added into the company’s source code repository to provide context for developers.”