VMware source code stolen

VMware has confirmed that source code for one of its products has been exposed online.

The company said that it became aware of the code on 23 April, and has confirmed that it is from its VMware ESX product, which is used by enterprises to run virtualised environments.

VMware Security Response Center director Iain Mulholland said that the code itself dates back to 2003 and 2004, and its exposure may not necessarily mean increased risks for customers.

Although the company has only just confirmed that the code belongs to it, the code was in the wild for three weeks prior to the confirmation.

The code was posted on Pastebin on 2 April by a user calling himself Hardcore Charlie. Hardcore Charlie said that he stumbled across the source code while allegedly infiltrating the systems of the China National Electronics Import and Export Corporation (CEIEC), a company that says it provides business solutions, overseas engineering and defence electronics system integration.

CEIEC previously denied that it had been breached, stating, "the information reported is totally groundless, highly subjective and defamatory".

Among the information dug up by Hardcore Charlie are scans of email correspondence between several VMware employees from what appears to be an internal VMware mailing list, all printed on CEIEC letterheads and stamped using the company's seal.

Although VMware said that it "proactively shares its source code and interfaces with other industry participants", it has not revealed whether CEIEC should have had this information in the first place.

Other documents that Hardcore Charlie found during his attack include recent memos and forms appearing to be from the US Department of the Army, operation maps from Afghanistan, an apparent CEIEC executive summary of a "hostile network infiltration" on a target and a memo seemingly from the Philippine consul general for Sri Lanka, urging support for Iran on its nuclear program.

In conversations with Kaspersky blog Threatpost, Hardcore Charlie said that with the help of YamaTough, who is better known for stealing Symantec's source code, he obtained a number of stolen hashed Sina.com accounts. After cracking the hashes, he found one that provided him with access to one of CEIEC's subsidiaries. That subsidiary's systems in turn contained accounts for CEIEC's main network.

Hardcore Charlie is expected to post the remainder of the documents on 5 May.