A day after an unknown group of hackers claimed to steal cyberweapons from the NSA, experts are now testing out the weapons and are finding they have a deep connection with the vaunted American hacking group.
In 2015, the Russian cybersecurity firm Kaspersky first discovered “Equation Group,” a suspected NSA-linked outfit that’s been called “the most advanced” threat on the internet. During the last few days, Kaspersky researchers investigated the leak from a group of hackers called Shadow Brokers alleging they hacked Equation Group and leaked the data.
Kaspersky confirmed “several hundred tools from the leak share a strong connection with our previous findings from the Equation Group.” Kaspersky researchers point to specific encryption algorithms shared across the NSA-linked group and the new leak.
“This code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group,” Kaspersky Lab’s Global Research & Analysis Team explained. “While the Shadow Brokers claimed the data was related to the Equation Group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.”
Beyond Kaspersky, cybersecurity professionals are combing through data published by Shadow Brokers.
The Shadow Brokers leak is small but potent. In large part, that’s because it was published publicly, perhaps as a message—a middle finger—to the American government. Who sent the middle finger remains an open question, but most people, including former NSA contractor and whistleblower Edward Snowden, are pointing at Russia.
Dozens of exploits and implants are referenced in the leak.
The investigation is slow but at least two exploits appear to have been confirmed to be real, boosting the credibility of the unknown hackers’ grandiose assertions of stealing from American intelligence. It’s not clear exactly how that theft took place.
One is a decade old, while another exploit appears to be previously unknown.
“It confirms the assumption they are working exploits, then,” Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies, told the Daily Dot.
The leaked data targets firewalls—key systems used by governments and companies to secure all network traffic. If your firewall is compromised during a cyberattack, it can be like opening the front door during a flood.
Security architect Kevin Beaumont successfully tested an exploit against the Fortinet firewall that dates back a decade but can be used to attack unpatched networks.
I know some peeps handwaved the leak away by saying the exploits read like stoners wrote ’em.. But they’re definitely well paid stoners.
— Kevin Beaumont (@GossiTheDog) August 16, 2016
Early on Tuesday, information technologist @xorcat reported that an exploit called ExtraBacon against Cisco Adaptive Security Appliance (ASA) software, which protects corporate networks and data centers, works right out of the box as the Shadow Brokers provided it.
“ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,” Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, explained to the Daily Dot. “If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.”
It’s a potent weapon for an insider.
Cisco is currently investigating the claims, a representative said, and it will announce any exploit it finds. A Cisco spokeswoman said users can best protect themselves by keeping everything up to date.
“Following sound system administration practices, hardening device configurations, and updating devices to run the current version of software are simple best practices for customers to protect their networks,” Yvonne Malmgren told the Daily Dot.
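The two preconditions quoted above (an ASA running 8.x up to 8.4, and SNMP reachable on it) can be turned into a quick inventory check. The script below is an added example, not code from the article, from Cisco or from the leak; it assumes the first line of an ASA "show version" banner and the "snmp-server host"/"snmp-server community" running-config lines, and the sample input is constructed.

```python
import re

# Constructed sample input, shaped like the first line of an ASA "show version"
# banner and a few running-config lines (not captured from any real device).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 8.2(5)\n"
SAMPLE_CONFIG = """hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
snmp-server host inside 10.1.1.50 community n3tm0n version 2c
snmp-server community n3tm0n
"""

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)")


def parse_asa_version(show_version):
    """Return (major, minor) from a show version banner, or None if absent."""
    match = VERSION_RE.search(show_version)
    return (int(match.group(1)), int(match.group(2))) if match else None


def version_in_reported_range(version):
    """The article reports 8.x up to and including 8.4 as the affected range."""
    major, minor = version
    return major == 8 and minor <= 4


def snmp_lines(config):
    """Running-config lines that configure SNMP hosts or community strings."""
    return [line.strip() for line in config.splitlines()
            if line.strip().startswith(("snmp-server host", "snmp-server community"))]


def assess(show_version, config):
    """Combine the two preconditions into one exposure verdict."""
    version = parse_asa_version(show_version)
    affected = version is not None and version_in_reported_range(version)
    snmp = snmp_lines(config)
    return {
        "version": version,
        "affected_version": affected,
        "snmp_configured": bool(snmp),
        "snmp_lines": snmp,
        # Only a device meeting both preconditions is flagged; a patched device
        # keeps its SNMP finding as a hardening item rather than as exposure.
        "exposed": affected and bool(snmp),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the real banner and config of each firewall in the estate; devices that report `exposed: True` are the ones to prioritise for the upgrade Cisco recommends, and the SNMP lines list which community strings currently act as the only credential.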
Expect the testing to continue slowly but surely.
“It’s all piecemeal analysis, very slow,” Timo Steffens, who works at the federal computer emergency response team of Germany (CERT-Bund), explained. “The problem is that the [information security] community is skilled with Windows binaries etc. But to test the Shadow Brokers exploits, you need the firewall devices. Most analysts don’t have access to those or only to one or two.”
The weapons are out, in other words, but most people don’t have a lab where they can properly test them.
But despite initial questions, the weapons are looking starkly real.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.