
Repercussions of leaked source code



Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake CPUs (Intel's 12th generation Intel Core processors, released in November 2021) is authentic. The code appeared in a GitHub repository named 'ICE_TEA_BIOS', uploaded by a user named 'LCFCASD'. This repository contained what was described as the 'BIOS Code from project C970.'


As per BleepingComputer, the leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22, likely when a hacker or insider copied the data. The leaked source code also contains numerous references to Lenovo, including code for integrations with 'Lenovo String Service', 'Lenovo Secure Suite', and 'Lenovo Cloud Service.'


At this time, it is unclear whether the source code was stolen during a cyberattack or leaked by an insider. However, Intel has confirmed to Tom's Hardware that the source code is authentic and is its "proprietary UEFI code."


What could a hacker get from leaked source code?

  • Leaked source code could be used to reverse engineer an application. With reverse engineering, an attacker could discover vulnerabilities that could not easily be discovered otherwise.

  • An attacker could determine attack paths to functionality that leads to unauthorized access.

  • Sensitive content such as hardcoded credentials could also lead to a breach of sensitive data.

Security measures to protect source code

Don't store sensitive information in code.

Don't rely only on read-restricted access to code as a security measure.

Ensure that the application's source code is reviewed (SAST, DAST) for insecure coding practices before it is pushed to the repository.

Define modules for the application's critical functionality and have them follow the least privilege principle.
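One way to enforce "don't store sensitive information in code" before a push is a small secret scan over each changed file. The sketch below is an added example, not part of the original post or any vendor tooling; the function names, the regex rules and the entropy threshold are assumptions chosen for illustration, and the sample input is constructed.

```python
import math
import re

# Header that opens a PEM-encoded private key (RSA, EC, OpenSSH, PKCS#8).
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
# name = "value" or name: 'value' where the name suggests a credential.
ASSIGNMENT = re.compile(
    r"""(?ix)\b([\w.-]*(?:passw(?:or)?d|secret|token|api_?key)[\w.-]*)
        \s*[:=]\s*["']([^"']{8,})["']"""
)
# Values that are clearly placeholders or variable references, not secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|placeholder|x+|\*+|<.*>|\$\{.*\})$")


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score higher than dictionary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(text: str, min_entropy: float = 3.0):
    """Return (line_number, rule, identifier) findings for one file's text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if PEM_KEY.search(line):
            findings.append((number, "private-key", "PEM block"))
        for name, value in ASSIGNMENT.findall(line):
            if PLACEHOLDER.match(value) or shannon_entropy(value) < min_entropy:
                continue  # placeholder or low-entropy string: skip to limit noise
            findings.append((number, "hardcoded-credential", name))
    return findings


# Constructed sample input (not taken from any real or leaked repository).
SAMPLE = '''\
db_password = "changeme"
api_key = "q7R2mZ8xLw4TnB6vKc1YdF3s"
-----BEGIN RSA PRIVATE KEY-----
timeout = 30
client_secret: 'Zp9$kV2!rTq8@Lm5'
'''

if __name__ == "__main__":
    for number, rule, name in scan(SAMPLE):
        print(f"line {number}: {rule} ({name})")
```

Run from a pre-push or CI step, a non-empty result would block the push; findings report only the line and identifier, so the secret value itself is never echoed into logs.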


Previous similar incidents[6]

Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code

By February 2022, LAPSUS$ had pivoted to targeting high-tech firms based in the United States. On Feb. 26, LAPSUS$ broke into graphics and computing chip maker NVIDIA. The group said it stole more than a terabyte of NVIDIA data, including source code and employee credentials.


On March 7, consumer electronics giant Samsung confirmed what LAPSUS$ had bragged on its Telegram channel: That the group had stolen and leaked nearly 200 GB of source code and other internal company data.

