Photo via Josh Evnin/Flickr, remix via Max Fleishman

Hack of NSA-linked group is legitimate, cybersecurity firm says

Kaspersky has ‘a high degree of confidence’ it’s the data from the Equation Group.

Patrick Howell O'Neill

A day after an unknown group of hackers claimed to steal cyberweapons from the NSA, experts are now testing out the weapons and are finding they have a deep connection with the vaunted American hacking group.

In 2015, the Russian cybersecurity firm Kaspersky first discovered “Equation Group,” a suspected NSA-linked outfit that’s been called “the most advanced” threat on the internet. During the last few days, Kaspersky researchers investigated the leak from a group of hackers called Shadow Brokers alleging they hacked Equation Group and leaked the data.

Kaspersky confirmed “several hundred tools from the leak share a strong connection with our previous findings from the Equation Group.” Kaspersky researchers point to specific encryption algorithms shared across the NSA-linked group and the new leak.

“This code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group,” Kaspersky Lab’s Global Research & Analysis Team explained. “While the Shadow Brokers claimed the data was related to the Equation Group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.”

Beyond Kaspersky, cybersecurity professionals are combing through data published by Shadow Brokers.

The Shadow Brokers leak is small but potent. In large part, that’s because it was published publicly, perhaps as a message—a middle finger—to the American government. Who sent the middle finger remains an open question, but most people, including former NSA contractor and whistleblower Edward Snowden, are pointing at Russia.

Dozens of exploits and implants are referenced in the leak.

The investigation is slow, but at least two exploits appear to have been confirmed as real, boosting the credibility of the unknown hackers’ grandiose assertions of stealing from American intelligence. It’s not clear exactly how that theft took place.

One is a decade old, while another exploit appears to be previously unknown.

“It confirms the assumption they are working exploits, then,” Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies, told the Daily Dot.

The leaked data targets firewalls—key systems used by governments and companies to secure all network traffic. If your firewall is compromised during a cyberattack, it can be like opening the front door during a flood.

Security architect Kevin Beaumont successfully tested an exploit against the Fortinet firewall that dates back a decade but can be used to attack unpatched networks.

Early on Tuesday, information technologist @xorcat reported that an exploit called ExtraBacon against Cisco Adaptive Security Appliance (ASA) software, which protects corporate networks and data centers, works right out of the box as the Shadow Brokers provided it.

“ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,” Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, explained to the Daily Dot. “If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.”

It’s a potent weapon for an insider.

Cisco is currently investigating the claims, a representative said, and it will announce any exploit it finds. A Cisco spokeswoman said users can best protect themselves by keeping everything up to date.

“Following sound system administration practices, hardening device configurations, and updating devices to run the current version of software are simple best practices for customers to protect their networks,” Yvonne Malmgren told the Daily Dot.

Expect the testing to continue slowly but surely.

“It’s all piecemeal analysis, very slow,” Timo Steffens, who works at the federal computer emergency response team of Germany (CERT-Bund), explained. “The problem is that the [information security] community is skilled with Windows binaries etc. But to test the Shadow Brokers exploits, you need the firewall devices. Most analysts don’t have access to those or only to one or two.”

The weapons are out, in other words, but most people don’t have a lab where they can properly test them.

But despite initial questions, the weapons are looking starkly real.

The Daily Dot