- Guy who said he stole drugs from MS-13 now says viral story is fake 3 Years Ago
- Financial service company left 885 million private records exposed online Today 3:13 PM
- Sasha Obama went to prom and Twitter is delighted with the photos Today 2:22 PM
- Jon Voight says Trump is the greatest president since Lincoln in Twitter videos Today 1:31 PM
- #DeleteFacebook gains momentum after the platform refused to remove doctored Nancy Pelosi videos Today 11:58 AM
- ‘Game of Thrones’ failed women—and it’s a shame on its legacy Today 7:40 AM
- How to use Tor, the network that lets you browse the web anonymously Today 7:30 AM
- How to live stream Devin Haney vs. Antonio Moran on DAZN Today 7:00 AM
- Trump’s transphobic policies are disgusting—but they aren’t new Today 6:30 AM
- How to watch the Copa del Rey Final online for free Today 5:45 AM
- How to watch the DFB-Pokal final for free Today 5:30 AM
- Curvy Wife Guy drops music video for rap song ‘Chubby Sexy’ Friday 7:33 PM
- A ‘Black Mirror’-inspired miniseries is coming to YouTube via Netflix Latin America Friday 5:56 PM
- Kanye West appears on David Letterman’s Netflix show to talk Trump, TMZ, and Drake Friday 3:27 PM
- QAnon believers link small-town arrest to deep state conspiracy without evidence Friday 1:58 PM
Hack of NSA-linked group is legitimate, cybersecurity firm says
Kaspersky has ‘a high degree of confidence’ it’s the data from the Equation Group.
A day after an unknown group of hackers claimed to steal cyberweapons from the NSA, experts are now testing out the weapons and are finding they have a deep connection with the vaunted American hacking group.
In 2015, the Russian cybersecurity firm Kaspersky first discovered “Equation Group,” a suspected NSA-linked outfit that’s been called “the most advanced” threat on the internet. During the last few days, Kaspersky researchers investigated the leak from a group of hackers called Shadow Brokers alleging they hacked Equation Group and leaked the data.
Kaspersky confirmed “several hundred tools from the leak share a strong connection with our previous findings from the Equation Group.” Kaspersky researchers point to specific encryption algorithms shared across the NSA-linked group and the new leak.
“This code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group,” Kaspersky Lab’s Global Research & Analysis Team explained. “While the Shadow Brokers claimed the data was related to the Equation Group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.”
Beyond Kaspersky, cybersecurity professionals are combing through data published by Shadow Brokers.
The Shadow Brokers leak is small but potent. In large part, that’s because it was published publicly, perhaps as a message—a middle finger—to the American government. Who sent the middle finger remains an open question, but most people, including former NSA contractor and whistleblower Edward Snowden, are pointing at Russia.
Dozens of exploits and implants are referenced in the leak.
The investigation is slow but at least two exploits appear to have been confirmed to be real, boosting the credibility of the unknown hackers’ grandiose assertions of stealing from American intelligence. It’s not clear exactly how that theft took place.
One is a decade old, while another exploit appears to be previously unknown.
“It confirms the assumption they are working exploits, then,” Matt Suiche, founder of UAE-based cybersecurity startup Comae Technologies, told the Daily Dot.
The leaked data targets firewalls—key systems used by governments and companies to secure all network traffic. If your firewall is compromised during a cyberattack, it can be like opening the front door during a flood.
Security architect Kevin Beaumont successfully tested an exploit against the Fortinet firewall that dates back a decade but can be used to attack unpatched networks.
I know some peeps handwaved the leak away by saying the exploits read like stoners wrote ’em.. But they’re definitely well paid stoners.
— Kevin Beaumont (@GossiTheDog) August 16, 2016
Early on Tuesday, information technologist @xorcat reported that an exploit called ExtraBacon against Cisco Adaptive Security Appliance (ASA) software, which protects corporate networks and data centers, works right out of the box as the Shadow Brokers provided it.
“ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,” Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, explained to the Daily Dot. “If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.”
It’s a potent weapon for an insider.
Cisco is currently investigating the claims, a representative said, and it will announce any exploit it finds. A Cisco spokeswoman said users can best protect themselves by keeping everything up to date.
“Following sound system administration practices, hardening device configurations, and updating devices to run the current version of software are simple best practices for customers to protect their networks,” Yvonne Malmgren told the Daily Dot.
Expect the testing to continue slowly but surely.
“It’s all piecemeal analysis, very slow,” Timo Steffens, who works at the federal computer emergency response team of Germany (CERT-Bund), explained. “The problem is that the [information security] community is skilled with Windows binaries etc. But to test the Shadow Brokers exploits, you need the firewall devices. Most analysts don’t have access to those or only to one or two.”
The weapons are out, in other words, but most people don’t have a lab where they can properly test them.
But despite initial questions, the weapons are looking starkly real.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.