Tillie Kottmann, an Android platform developer from Switzerland who runs a Telegram channel about data leaks, has published 20 GB of internal technical documentation and source code obtained through a large leak from Intel. This is said to be the first installment of a collection provided by an anonymous source. Many of the documents are marked as confidential, as trade secrets, or as distributable only under a non-disclosure agreement.
The most recent documents are dated early May and include information on the new Cedar Island (Whitley) server platform. There are also documents from 2019, for example describing the Tiger Lake platform, but most of the material dates from 2014. Besides documentation, the set contains code, debugging tools, schematics, drivers, and training videos.
Some of the contents of the set:
- Intel ME (Management Engine) manuals, flash utilities and examples for various platforms.
- BIOS reference implementation for the Kabylake (Purley) platform, examples and initialization code (with change history from git).
- Intel CEFDK (Consumer Electronics Firmware Development Kit) sources.
- FSP (Firmware Support Package) source code and production schematics for various platforms.
- Various utilities for debugging and development.
- Rocket Lake S platform simulator.
- Various plans and documents.
- Binary drivers for an Intel camera made for SpaceX.
- Schematics, documents, firmware, and tools for the yet-to-be-released Tiger Lake platform.
- Instructional videos on Kabylake FDK.
- Intel Trace Hub and files with decoders for different versions of Intel ME.
- Reference implementation of the Elkhart Lake platform and code samples to support the platform.
- Verilog descriptions of hardware blocks for various Xeon platforms.
- BIOS/TXE debug builds for different platforms.
- Bootguard SDK.
- Process simulator for Intel Snowridge and Snowfish.
- Various schematics.
- Marketing material templates.
Intel said it has launched an investigation into the incident. According to preliminary information, the data was obtained from the Intel Resource and Design Center, an information system holding restricted-access material for customers, partners and other companies Intel works with. Most likely the information was downloaded and published by someone with access to that system. A former Intel employee, discussing his own theory on Reddit, suggested the leak was probably the result of employee sabotage or of a compromise of one of the motherboard OEMs.
The anonymous source who submitted the documents for publication claims instead that the data was downloaded from an insecure server hosted on the Akamai CDN, not from the Intel Resource and Design Center. The server was found by accident during a bulk host scan with nmap and was compromised through a vulnerable service.
Some publications have mentioned the possible discovery of backdoors in the Intel code, but these claims are groundless and rest solely on the phrase "Save the RAS backdoor request pointer to IOH SR 17" in a comment in one of the code files. In this context RAS stands for Reliability, Availability, Serviceability (the ACPI RAS feature set). The code itself handles the detection and correction of memory errors and saves the result in register 17 of the I/O hub (IOH SR 17); it contains no "backdoor" in the information-security sense of the word.
The set has already spread across BitTorrent networks. The zip archive is about 17 GB in size (the passwords are "Intel123" and "intel123").
It is also worth noting that at the end of July Tillie Kottmann published repositories obtained through data leaks from about 50 companies. The list includes Microsoft, Adobe, Johnson Controls, GE, AMD, Lenovo, Motorola, Qualcomm, Mediatek, Disney, Daimler, Roblox and Nintendo, as well as various banks and financial, automotive and travel companies.
The main causes of those leaks were misconfigured DevOps infrastructure and access keys left in public repositories.
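As an added example (not part of the original article, and not code from any of the companies or tools it mentions), the following Python scanner shows the kind of check that catches access keys in a repository before it is pushed: fixed-format patterns for vendor tokens, plus an entropy test for generic `KEY = value` assignments so that placeholders are not reported. The sample checkout, the entropy threshold and the "generic secret" rule are assumptions; the AWS values are the placeholder pair from AWS's own documentation, the other tokens are made up and match only the published formats.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Formats looked for. The AWS access key ID prefixes (AKIA/ASIA), the GitHub
# "ghp_" and GitLab "glpat-" personal-access-token prefixes and the PEM
# private-key header are the vendors' published formats. The GENERIC rule for
# KEY = value lines is a heuristic assumption, filtered by entropy below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_\-]{20}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
GENERIC = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)[a-z_]*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for random-looking tokens


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random tokens score high, words and padding low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        # Well-known formats first: they are reliable regardless of entropy.
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(path, line_no, kind, m.group(0)))
        # Generic KEY = value assignments only count if the value looks random;
        # this drops placeholders such as "xxxxxxxxxxxxxxxx" and avoids
        # reporting a token twice when a specific pattern already caught it.
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, line_no, "generic_secret", value))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (e.g. a checked-out repository)."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample checkout (assumption): the AWS pair is the placeholder from
# the AWS documentation, the GitHub token is made up and only matches the format.
SAMPLE_REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "xxxxxxxxxxxxxxxxxxxx"  # placeholder, low entropy\n'
    ),
    ".env": "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.value[:12]}...")
```

Run as a pre-commit hook or in CI over `git ls-files`; a real deployment would read files from disk instead of the `SAMPLE_REPO` mapping, and the entropy threshold needs tuning against the repository's own false positives (base64 test fixtures in particular).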
Most of the repositories were copied from on-premises DevOps systems built on SonarQube, GitLab and Jenkins whose access had not been properly restricted: the web-accessible instances had been left with default settings that allow public access to projects.
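As an added example, not code from the article or from the platforms it names, this Python script checks whether a SonarQube, GitLab or Jenkins instance answers unauthenticated API requests, which is the misconfiguration described above. The API endpoints are the platforms' public ones; the hostnames and the canned responses in `stub_fetch` are constructed so the script runs offline.

```python
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# fetch(url) -> (status, body). The default uses urllib without credentials,
# which is exactly the position of an anonymous visitor; the constructed stub
# below (and tests) inject canned responses so nothing touches the network.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _json(body: str):
    try:
        return json.loads(body)
    except ValueError:
        return None


def check_sonarqube(base: str, fetch: Fetcher) -> Dict:
    # search_projects backs the Projects page and lists every project the caller
    # may browse. A 200 for an unauthenticated caller means "Force user
    # authentication" is off, so project data (including indexed source) is public.
    status, body = fetch(base + "/api/components/search_projects?ps=1")
    data = _json(body)
    if status == 200 and isinstance(data, dict) and "components" in data:
        total = data.get("paging", {}).get("total", len(data["components"]))
        return {"platform": "sonarqube", "anonymous_access": True, "exposed": total}
    return {"platform": "sonarqube", "anonymous_access": False, "exposed": 0, "http": status}


def check_gitlab(base: str, fetch: Fetcher) -> Dict:
    # Unauthenticated /api/v4/projects returns the projects marked public.
    status, body = fetch(base + "/api/v4/projects?per_page=100&simple=true")
    data = _json(body)
    if status == 200 and isinstance(data, list):
        return {"platform": "gitlab", "anonymous_access": len(data) > 0, "exposed": len(data),
                "projects": [p.get("path_with_namespace") for p in data]}
    return {"platform": "gitlab", "anonymous_access": False, "exposed": 0, "http": status}


def check_jenkins(base: str, fetch: Fetcher) -> Dict:
    # Jenkins answers 403 to anonymous /api/json unless Overall/Read is granted
    # to anonymous; a 200 with a jobs list means build configs are readable.
    status, body = fetch(base + "/api/json?tree=jobs[name]")
    data = _json(body)
    if status == 200 and isinstance(data, dict) and "jobs" in data:
        return {"platform": "jenkins", "anonymous_access": True, "exposed": len(data["jobs"])}
    return {"platform": "jenkins", "anonymous_access": False, "exposed": 0, "http": status}


CHECKS = {"sonarqube": check_sonarqube, "gitlab": check_gitlab, "jenkins": check_jenkins}


def audit(base: str, platform: str, fetch: Fetcher = http_fetch) -> Dict:
    return CHECKS[platform](base.rstrip("/"), fetch)


# Constructed responses (assumption) standing in for an open SonarQube, a GitLab
# with public projects, and a Jenkins that correctly denies anonymous reads.
def stub_fetch(url: str) -> Tuple[int, str]:
    if "/api/components/search_projects" in url:
        return 200, json.dumps({"paging": {"pageIndex": 1, "pageSize": 1, "total": 42},
                                "components": [{"key": "acme:billing", "name": "billing"}]})
    if "/api/v4/projects" in url:
        return 200, json.dumps([{"path_with_namespace": "acme/payments", "visibility": "public"}])
    if "/api/json" in url:
        return 403, "<html>Authentication required</html>"
    return 404, ""


if __name__ == "__main__":
    # Usage: python probe.py https://sonar.example.internal sonarqube  (real probe)
    # With no arguments the constructed stub is used and all three checks run.
    live = len(sys.argv) > 2
    base = sys.argv[1] if live else "https://devops.example.internal"
    fetch = http_fetch if live else stub_fetch
    for platform in ([sys.argv[2]] if live else list(CHECKS)):
        print(audit(base, platform, fetch))
```

The fix on the server side is the same in all three cases: turn on forced authentication (SonarQube), disable open sign-up and restrict default project visibility (GitLab), and remove Overall/Read from the anonymous user (Jenkins); only run the probe against instances you are authorised to test.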
In addition, at the beginning of July a compromise of the Waydev service, which generates analytical reports on activity in Git repositories, leaked a database that included OAuth tokens for accessing repositories on GitHub and GitLab. Such tokens could be used to clone the private repositories of Waydev's clients. The captured tokens were subsequently used to compromise the infrastructure of two Waydev clients.
Source: opennet.ru
