It seems the NSA has been hacked, but that may not be the whole truth. Plenty of security news has asked whether the NSA's hacking group has itself been hacked. It is hard to say for sure, but what does seem to be true is that some of the hacking tools the NSA has used (and that Snowden revealed) are now out in the wild.
The article So, Uh, Did The NSA Get Hacked? reports that a group of hackers say they have breached a hacking group known as the Equation Group, which is widely speculated to be an offshoot of the National Security Agency. The Equation Group, according to Kaspersky Lab, targeted the same victims as the group behind Stuxnet, which is widely believed to have been a joint US-Israeli operation targeting Iran's nuclear program, and also used two of the same zero-day exploits.
The article NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op asks whether the NSA has just been hacked. Security experts speaking with FORBES think it is possible, after a group published malware and attack code allegedly belonging to the Equation Group, a crew linked to the US intelligence agency. But while many believe the leak looks legitimate, the hackers could have pulled off a very clever ruse.
The same article also notes that in 2015, researchers at Russian security company Kaspersky Lab revealed a highly advanced arsenal of hacking tools used by the Equation campaign. They were believed to be the work of the NSA because the code was linked with previous, allegedly US-sponsored hacks, including the infamous Regin and Stuxnet attacks (never definitively proven). The group's connections to other high-profile hacks and its use of codenames similar to those in documents leaked by NSA whistleblower Edward Snowden raise serious suspicions.
What was released?
The hackers have released files they claim to have taken from the Equation Group, including what could be parts of the agency's surveillance tools. According to the Forbes article, two days ago, on August 13, a group calling themselves The Shadow Brokers released files on GitHub (the account has since been disabled), claiming they came from the Equation Group. The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers, including code allegedly designed to exploit firewalls from Cisco, Juniper, Fortinet and Topsec. Some files were also posted to MEGA. Researchers who downloaded the sample posted by the group say it does include intriguing data, such as 300 megabytes of code that matches up with actual exploits used by the NSA.
“I haven’t tested the exploits, but they definitely look like legitimate exploits,” Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.
Here’s part of a message the hackers, going by the name “The Shadow Brokers” posted: “How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set?”
The hackers are demanding millions of dollars in bitcoins for the rest. They say they have released only 40% of the breach and will release the remaining 60% to the highest bidder in a Bitcoin auction; if they received an extraordinary 1,000,000 Bitcoins, worth roughly $560 million, they would release all the files.
This could be a way for some hackers to make a lot of money, or some form of hoax or decoy. The article Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More notes: “If this is a hoax, the perpetrators put a huge amount of effort in,” the security researcher known as The Grugq told Motherboard. “The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.” On the other hand, one Kaspersky Lab researcher noted on Twitter that there is “nothing” in the dumped files that links them to the Equation Group, but some of their names are from the ANT Catalog, an NSA hacking toolset published by Der Spiegel in late 2013.
The good thing about this: more flaws in the affected routers and firewalls are now public, and manufacturers can start making their products safer.
If the hack was real and as big as claimed, there will probably be a big manhunt to catch whoever did this. If it was not real, it will at least spark some security discussions.
Sources:
Hackers Claim to Auction Data They Stole From NSA-Linked Spies
So, Uh, Did The NSA Get Hacked?
NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op
Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More
NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online
‘Shadow Brokers’ Claim to be Selling NSA Malware, in What Could Be Historic Hack
Mysterious Group Hacks The NSA
82 Comments
Tomi Engdahl says:
WikiLeaks promises to release hacked NSA cyberweapons
http://www.dailydot.com/layer8/wikileaks-equation-group-shadow-brokers/
An alleged hack of the NSA-linked group, code-named Equation Group, is now being backed by WikiLeaks, who claim to already have the full copy of NSA cyberweapons in their possession that will be released “in due course.”
The legitimacy of the leak is yet to be determined, but, despite early silence and then skepticism, many experts are increasingly saying the dump could be the real deal. One popular theory is that it might have been taken from a command-and-control server several years ago.
It’s not yet clear when WikiLeaks got the archive or why they’re taking longer to release the “pristine copy,” which presumably means the entire thing.
Tomi Engdahl says:
Everything you need to know about the NSA hack (but were afraid to Google)
https://techcrunch.com/2016/08/16/everything-you-need-to-know-about-the-nsa-hack-but-were-afraid-to-google/
In what Edward Snowden deems “not unprecedented,” hackers calling themselves the Shadow Brokers have collected NSA-created malware from a staging server run by the Equation Group, an internal hacking team. The Shadow Brokers published two chunks of data, one “open” chunk and another encrypted file containing the “best files” that they will sell for at least $1 million. Wikileaks has said they already own the “auction” files and will publish them in “due course.”
They’ve also released images of the file tree containing a script kiddie-like trove of exploits ostensibly created and used by the NSA as well as a page calling out cyber warriors and “Wealthy Elites.” The page also contains links to the two files, both encrypted.
The “free” file contains many staging programs designed to inject malware into various servers. From my cursory inspection the files look to be more functional than damaging and show NSA hackers how to quickly deploy their tools and then close infiltrations without a trace. It is yet unclear how these files can be used to damage networked computers
What Does It Mean?
First, we need to understand what these files are and what they do. These are hacking tools including RATs – or remote access Trojans – and exploits designed to attack web and file servers. The “free” files are all dated from the Summer of 2013 which suggests they aren’t completely up to date and they contain fairly innocuous-looking tools with ominous names like “eligiblebombshell” and “escalateplowman.” Most of these are human-readable and written in Python or shell script although there are some compiled binaries.
Without training, however, it is not clear if any of the files are particularly dangerous on their own.
These are, however, the files that an NSA agent would use if they were trying to hack your server.
Don’t Panic
Edward Snowden
@Snowden
The hack of an NSA malware staging server is not unprecedented, but the publication of the take is.
The files don’t appear to contain any identifying data nor do they clearly point to any single agent in the field. Owning these files on your computer, however, could suggest to a foreign power that you are part of the NSA’s nefarious schemes, a slight concern when crossing borders.
This isn’t a damaging leak, per se. It is a dump of tools used by NSA agents in the field, akin to the image of the TSA master keys used to create 3D printed copies. It’s an embarrassing breach and should have never happened.
This is not new data, either. The hacker seems to have been ejected from the server in June 2013 and unless the auction files contain newer exploits, most of these tools are probably neutered or out of date.
OK, Panic
The fact that any of this was found is a black eye for the NSA. While Snowden rightly notes that the agency is not made of magic, leaving an entire staging server up, even in the benighted summer of 2013, is a foolish and reckless move. Now that these files are public state actors can easily pin a certain type of attack on the NSA. “This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server,” wrote Snowden.
Tomi Engdahl says:
‘You’re welcome’: Snowden casts light on NSA hack
https://www.rt.com/usa/356170-snowden-analysis-nsa-hack/
The files released by a hacker group that claims to have breached the NSA are authentic, whistleblower Edward Snowden has said, explaining the documents’ importance and potential impact on the US elections and relations with allies around the world.
Snowden, who blew the whistle on NSA surveillance operations in 2013, posted a series of tweets on Tuesday with his take on the hack.
“NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is,” the whistleblower wrote, adding, “I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.”
Noting that “circumstantial evidence and conventional wisdom” have placed the blame for the hack on Russia, Snowden speculated that the Equation Group hack is “likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.”
If the hacked files can prove that Washington has been hacking its allies, or even interfering in their elections, revealing that could have “significant foreign policy consequences,” Snowden noted. “This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast,” the whistleblower concluded.
However, it is possible the files may be made public anyway, as WikiLeaks announced Monday it had “already obtained the archive of NSA cyber weapons” and intends to “release our own pristine copy in due course.”
Tomi Engdahl says:
Ed Snowden Explains Why Hackers Published NSA’s Hacking Tools
https://www.techdirt.com/articles/20160816/07465535255/ed-snowden-explains-why-hackers-published-nsas-hacking-tools.shtml
You break many things indeed! (For what it’s worth, it appears that GitHub and Tumblr both killed the accounts where whoever hacked this stuff first posted it).
The files that were leaked were mostly installation scripts, but also exploits designed for specific routers and firewalls. And, it’s noted, that some of the tools named line up with previously leaked NSA codenames.
Of course, June 2013 is interesting for another reason. That’s when Ed Snowden passed on his documents to a small group of reporters and the very first stories based on the Snowden leaks started. So it seems noteworthy that Snowden has put together a bit of a tweetstorm for his take on the hack and release of the hacking tools. To make it easier to read, we’ve put it all together here:
The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know:
NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.
Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.
TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
Sure, it’s speculation, but it’s pretty informed speculation and it makes a lot of sense. There’s still plenty of talk about what to do about the DNC hack, and we’ve talked about “cybersecurity firms” (who profit from FUD and scare stories) arguing that we should “declare cyberwar” on Russia based on loose attribution.
Tomi Engdahl says:
The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know: (1/x)
Source: https://twitter.com/Snowden/status/765513662597623808
Tomi Engdahl says:
Snowden: NSA hack is likely a warning from Russia
http://thenextweb.com/insider/2016/08/16/snowden-nsa-hack-is-likely-a-warning-from-russia/#gref
The collected data is reported to be a cache of hack tools, known as binaries. According to Snowden, these tools are uploaded onto an NSA staging server as part of on-going operations to target and trace rival malware servers. The practice is known as Counter Computer Network Exploitation, or CCNE — a process that allows NSA hackers to steal tools used by foreign (or domestic rival) hackers in order to fingerprint them.
Once fingerprinted, we can identify tools that were used in other attacks and begin to trace their origin.
After initializing the operation, NSA hackers are instructed to remove the binaries from the server. But according to Snowden, sometimes people get lazy. This leads to the tools being stolen and fingerprinted by our rivals instead — the most likely scenario in the Equation Group hack.
Snowden believes the hack is likely of Russian origin and intended to be a warning
Tomi Engdahl says:
A Hacker’s Guide for the NSA: Why you can never be safe from spies
http://www.thereligionvirus.com/essays/nsa-hackers-guide.htm
Tomi Engdahl says:
Snowden explains the Shadow Brokers/Equation Group/NSA hack
https://boingboing.net/2016/08/16/snowden-explains-the-shadow-br.html
The news that a group of anonymous hackers claimed to have stolen some of the NSA’s most secret, valuable weaponized vulnerabilities and were auctioning them off for bitcoin triggered an epic tweetstorm from Edward Snowden, who sets out his hypothesis for how the exploits were captured and what relation that has to the revelations he made when he blew the whistle on illegal NSA spying in 2013.
Techdirt has assembled Snowden’s tweets in handy form
Tomi Engdahl says:
Edward Snowden: Russia Is Chief Suspect In NSA Hack
http://www.forbes.com/sites/thomasbrewster/2016/08/16/edward-snowden-russia-nsa-hacked/#77cfe0666a4c
If there’s anyone who knows how and why anyone would hack the NSA, and can talk about it openly, it’s former contractor Edward Snowden. After all, the exile-in-Russia siphoned off masses of information from the intelligence agency before helping journalists publish the documents, which together have exposed mass surveillance by US and international snoops.
In a stream of tweets today, Snowden laid out his theory on why the NSA was breached by a hacker crew called The Shadow Brokers.
The leaks included exploits and malware for a range of widely-used firewalls, from US manufacturers Cisco, Juniper and Fortinet , and Chinese supplier TopSec. The NSA has not yet commented on whether the breach is real, though most experts believe it to be.
Most intriguingly, Snowden thinks Russia is the most likely suspect. He believes, as do others, that the timing of the leak is interesting.
As many of the leaked files were dated mid-2013, the hackers have been sitting on the data for at least three years. It’s only now the materials are being released, a matter of months after US intelligence sources and American security companies claimed the Democratic National Committee (DNC) had been hacked by Russia. Snowden believes Russia is sending a warning on the dangers of attributing cyberattacks.
“Circumstantial evidence and conventional wisdom indicates Russian responsibility,” he wrote in one tweet
He noted that the hack of an NSA command and control server for one of its surveillance missions was not unprecedented, but it was unheard of for the information to be openly published.
More security industry sources who’ve analysed the files, speaking on the condition of anonymity, today said the leak was real. “It looks legitimate in terms the vulnerabilities being actual vulnerabilities. Whether they’re fresh or not is another question. And it’s possible that this dump is old,” said one source.
That followed yesterday’s analyses that concluded much the same. Indeed, there are few dissenting voices claiming the leak is a fake. Kaspersky Lab, which originally uncovered the Equation Group last year, said there were strong similarities between the tools in the leak and the sophisticated digital arsenal it found in 2015.
The NSA has not yet responded to enquiries from FORBES.
Who are the Shadow Brokers?
Very little is known about the Shadow Brokers. They used Github, Tumblr and Mega to disseminate their files.
Cisco: No new vulnerabilities leaked
Cisco is the only company who responded to FORBES’ enquiries. “So far, we have not found any new vulnerabilities related to this incident, though our Cisco PSIRT team will continue a thorough investigation,” a spokesperson said. “Cisco follows a well-established process to investigate and disclose vulnerabilities.”
That’s despite claims from one researcher that they used the leaked vulnerabilities in Cisco’s Adaptive Security Appliance to turn off the need for passwords to access the device.
Tomi Engdahl says:
EquationGroup Tool Leak – ExtraBacon Demo
https://xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/
You may have heard that recently (15/08/2016) a group known as Shadow Brokers released what are said to be a bunch of exploits and tools written and used by the NSA.
Two tar archives were released, one with the password of “theequationgroup”, named “eqgrp-free-file.tar.xz.gpg”. The other is named “eqgrp-auction-file.tar.xz.gpg”.
The files are currently still available for download from this MEGA link, although I don’t know how long it will stay alive, as it was also hosted on GitHub, who tore it down shortly after it being posted.
The exploits appear to be targeting firewalls, particularly Cisco PIX/ASA, Juniper Netscreen, Fortigate, and more.
Seeing that there is an exploit for the Cisco ASA, I thought I would give it a shot in my CCNA Security ASA lab!
The requirements for the ExtraBacon exploit are that you have SNMP read access to the firewall, as well as access to either telnet or SSH. The ASA must be running 8.x, up to 8.4(4), and is said to have the possibility to crash the firewall if something goes wrong.
Once the exploit is successful, the attacker will be able to SSH to or telnet to (depending on what protocol is setup on the FW) without needing to enter credentials.
You can get on the ASA without entering a valid username or password!
Nothing crashed, traffic kept flowing, everything was happy.
There you go, NSA built firewall exploits that are easy to use!
Tomi Engdahl says:
John Biggs / TechCrunch:
Hackers post malware allegedly from NSA-linked Equation Group in online auction; Wikileaks says it will publish the tools; Snowden tweets likely explanations — In what Edward Snowden deems “not unprecedented,” hackers calling themselves the Shadow Brokers have collected NSA-created malware from a staging server run by the
Everything you need to know about the NSA hack (but were afraid to Google)
https://techcrunch.com/2016/08/16/everything-you-need-to-know-about-the-nsa-hack-but-were-afraid-to-google/
Tomi Engdahl says:
Snowden Speculates Leak of NSA Spying Tools Is Tied To Russian DNC Hack
https://news.slashdot.org/story/16/08/16/2050222/snowden-speculates-leak-of-nsa-spying-tools-is-tied-to-russian-dnc-hack
Two former employees of the National Security Agency — including exiled whistleblower Edward Snowden — are speculating that Monday’s leak of what are now confirmed to be advanced hacking tools belonging to the U.S. government is connected to the separate high-profile hacks and subsequent leaks of two Democratic groups. Private security firms brought in to investigate the breach of the Democratic National Committee and a separate hack of the Democratic Congressional Campaign Committee have said that the software left behind implicates hackers tied to the Russian government. U.S. intelligence officials have privately said they, too, have high confidence of Russian government involvement.
Tomi Engdahl says:
Thomas Fox-Brewster / Forbes:
Cisco And Fortinet Confirm Flaws Exposed By Self-Proclaimed NSA Hackers — American firewall companies Cisco and Fortinet have issued warnings and fixes for bugs exposed by the Shadow Brokers, who claimed this weekend to have breached the Equation Group, believed to be an NSA operation.
Cisco And Fortinet Confirm Flaws Exposed By Self-Proclaimed NSA Hackers
http://www.forbes.com/sites/thomasbrewster/2016/08/17/cisco-fortinet-nsa-hackers-shadow-brokers/#76a288031106
American firewall providers Cisco and Fortinet have issued warnings and fixes for bugs exposed by the Shadow Brokers, who claimed this weekend to have breached the Equation Group, believed to be an NSA operation.
Cisco and Fortinet had initially determined there was little of concern in the leak, but after researchers showed how the respective technologies could be exploited, the tech firms have taken action to protect customers. That both have come forward adds further weight to the claims the Shadow Brokers’ leak really does contain information stolen from an NSA server, indicating the US intelligence agency was attacking American manufacturers’ security products without telling the companies. And, as the files were dated between 2010 and 2013, the affected firewalls have been hackable for at least three years.
Cisco confirmed it had found two vulnerabilities in the leak, both affecting its Adaptive Security Appliance. Both were remote code execution flaws
One was a newly-discovered buffer overflow issue, an exploit for which was listed in the Equation leak as EXTRABACON. A buffer overflow bug
A hacker would have to create specially-crafted data, known as Simple Network Management Protocol (SNMP) traffic, to write malware on the target device. One researcher had shown they could turn off the need for a password by using the EXTRABACON techniques.
The second leaked exploit was known as EPICBANANA. The flaw was fixed in 2011, but Cisco decided to include it in its advisory anyway.
Fortinet, meanwhile, said firmware for its FortiGate firewall released before August 2012 contained a “cookie parser buffer overflow vulnerability.”
“This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.”
“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted.”
Tomi Engdahl says:
Cisco confirms two of the Shadow Brokers’ ‘NSA’ vulns are real
Tech giant rushes to fix firewall remote code execution flaw
http://www.theregister.co.uk/2016/08/17/cisco_two_shadow_brokers_vulnerabilities_real/
It’s looking increasingly likely that the hacking tools put up for auction by the Shadow Brokers group are real – after Cisco confirmed two exploits in the leaked archive are legit.
The two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall products. A vulnerability exploited by one of the tools was patched in 2011 but the other exploit’s vulnerability is entirely new – and there is no fix available at the moment.
What’s worse is that the unpatched programming blunder has been lingering in Cisco hardware for years, since at least 2013. Whoever knew about the hole obviously didn’t tell the manufacturer of the vulnerable gear.
“The Cisco ASA SNMP Remote Code Execution vulnerability is a newly found defect, and TALOS and Cisco IPS have both produced signatures to detect this issue,” said Omar Santos, principal engineer for the Cisco Product Security Incident Response Team (PSIRT).
Tomi Engdahl says:
The Shadow Brokers EPICBANANAS and EXTRABACON Exploits
http://blogs.cisco.com/security/shadow-brokers
On August 15th, 2016, Cisco was alerted to information posted online by the “Shadow Brokers”, which claimed to possess disclosures from the Equation Group. The files included exploit code that can be used against multi-vendor devices, including the Cisco ASA and legacy Cisco PIX firewalls.
The Cisco Product Security Incident Response Team (PSIRT) has published an event response page (ERP) and the following security advisories addressing the vulnerabilities that could be exploited by the code released by the “Shadow Brokers”.
The Cisco ASA SNMP Remote Code Execution vulnerability is a newly found defect, and TALOS and Cisco IPS have both produced signatures to detect this issue:
Snort Rule ID: 3:39885
Legacy Cisco IPS Signature ID: 7655-0
The Cisco ASA CLI Remote Code Execution Vulnerability was addressed in a defect fixed in 2011.
A small sample of the allegedly stolen files were released and are dated around 2013 or older.
EXTRABACON
The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA, Cisco PIX, and Cisco Firewall Services Module. Please refer to the Cisco Security Advisory documenting CVE-2016-6366 for a complete list of affected products. An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected Cisco product.
A few facts about the EXTRABACON exploit and vulnerability:
SNMP must be configured and enabled in the interface which is receiving the SNMP packets. In the example above SNMP is only enabled in the management interface of the Cisco ASA. Subsequently, the attacker must launch the attack from a network residing on that interface. Crafted SNMP traffic coming from any other interface (outside or inside) cannot trigger this vulnerability.
The SNMP community string needs to be known by the attacker in order to exploit this vulnerability.
Only traffic directed to the affected system can be used to exploit this vulnerability.
This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode.
This vulnerability can be triggered by IPv4 traffic only.
All supported versions of SNMP (v1, v2c, and 3) are affected by this vulnerability.
This exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
All Cisco ASA Software releases are affected.
As mentioned earlier, in order for this exploit to be successful the affected device must be configured for SNMP with the snmp-server enable command.
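The preconditions listed above (SNMP enabled, a poller on the interface the attacker can reach, a known community string or v3 credentials) and the requirements in the ExtraBacon lab demo earlier in the comments can be turned into a configuration check. The following script is an added example, not Cisco's, the Shadow Brokers' or the demo author's code: it parses the documented `snmp-server` lines of an ASA running-config and rates each host the ASA will answer SNMP requests from. The sample config is constructed, and the list of weak community strings is an assumption for illustration.

```python
"""Audit a Cisco ASA running-config for the SNMP exposure ExtraBacon relies on.

Added example; not Cisco's, the Shadow Brokers' or the lab demo's code. It
encodes the preconditions Cisco states for CVE-2016-6366: SNMP enabled, a
poller on the interface the attacker can reach, and a known community string
(v1/v2c) or user credentials (v3). SAMPLE_CONFIG is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Community strings an attacker tries first (assumption: illustrative list).
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp"}

Finding = Tuple[str, str, str, str]  # (severity, interface, address, note)


@dataclass
class PollHost:
    interface: str             # ASA nameif the poller is reached through
    address: str
    version: str               # "1", "2c", "3" or "unspecified"
    credential: Optional[str]  # community string (v1/v2c) or username (v3)


@dataclass
class SnmpExposure:
    enabled: bool = False
    global_communities: Set[str] = field(default_factory=set)
    hosts: List[PollHost] = field(default_factory=list)


def _after(tokens: List[str], key: str, n: int = 1) -> Optional[str]:
    """Token n places after `key`, or None when absent."""
    if key in tokens and tokens.index(key) + n < len(tokens):
        return tokens[tokens.index(key) + n]
    return None


def parse_asa_snmp(config: str) -> SnmpExposure:
    """Collect the snmp-server lines that decide whether the ASA answers SNMP.

    Handled (documented ASA syntax):
      snmp-server enable
      snmp-server community <string>
      snmp-server host <nameif> <ip> [trap|poll] [community <string>] [version 1|2c|3 <user>]
    """
    exp = SnmpExposure()
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 2 or tokens[0] != "snmp-server":
            continue
        if tokens[1:] == ["enable"]:
            exp.enabled = True
        elif tokens[1] == "community" and len(tokens) >= 3:
            exp.global_communities.add(tokens[2])
        elif tokens[1] == "host" and len(tokens) >= 4:
            interface, address, rest = tokens[2], tokens[3], tokens[4:]
            # "trap" without "poll": the ASA only sends traps to this host and
            # answers no requests from it, so it adds no attack surface.
            if "trap" in rest and "poll" not in rest:
                continue
            version = _after(rest, "version") or "unspecified"
            credential = _after(rest, "version", 2) if version == "3" else _after(rest, "community")
            exp.hosts.append(PollHost(interface, address, version, credential))
    # A community-based host line without its own string uses the global one(s).
    for host in exp.hosts:
        if host.version != "3" and host.credential is None and exp.global_communities:
            host.credential = "/".join(sorted(exp.global_communities))
    return exp


def assess(exp: SnmpExposure) -> List[Finding]:
    """Rate every pollable host against Cisco's stated preconditions."""
    if not exp.enabled:
        return [("OK", "-", "-", "snmp-server enable absent: SNMP code path not reachable")]
    if not exp.hosts:
        return [("OK", "-", "-", "SNMP enabled but no poll hosts: the ASA answers no requests")]
    findings: List[Finding] = []
    for h in exp.hosts:
        # Polls accepted on the outside interface expose the bug to the Internet.
        severity = "HIGH" if h.interface == "outside" else "MEDIUM"
        if h.version == "3":
            note = f"SNMPv3 user {h.credential!r} needed, but v3 is affected as well"
        elif h.credential is None:
            note = "community-based polling with no community string configured"
        elif h.credential.lower() in WEAK_COMMUNITIES:
            severity = "HIGH"
            note = f"guessable community {h.credential!r} (version {h.version})"
        else:
            note = f"community {h.credential!r} travels in cleartext (version {h.version})"
        findings.append((severity, h.interface, h.address, note))
    return findings


# Constructed lab config: a guessable poller, an Internet-facing poller,
# a v3 poller and a trap-only receiver that must not be counted.
SAMPLE_CONFIG = """\
hostname asa-lab
snmp-server host management 192.168.1.10 community public version 2c
snmp-server host outside 203.0.113.7 poll community N3tm0n-2016 version 2c
snmp-server host dmz 10.2.0.9 version 3 netops
snmp-server host inside 10.0.0.5 trap community public
snmp-server enable
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""

if __name__ == "__main__":
    for severity, iface, addr, note in assess(parse_asa_snmp(SAMPLE_CONFIG)):
        print(f"{severity:6} {iface:10} {addr:15} {note}")
```

Run it against `show running-config` output saved to a file; a device with no `snmp-server enable` line or only trap receivers needs no emergency action for this bug, while any `HIGH` line means the precondition set is fully met from outside the management segment.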
Tomi Engdahl says:
Cisco And Fortinet Confirm Flaws Exposed By Self-Proclaimed NSA Hackers
http://www.forbes.com/sites/thomasbrewster/2016/08/17/cisco-fortinet-nsa-hackers-shadow-brokers/#79539d7d1106
American firewall providers Cisco and Fortinet have issued warnings and fixes for bugs exposed by the Shadow Brokers, who claimed this weekend to have breached the Equation Group, believed to be an NSA operation.
Cisco and Fortinet had initially determined there was little of concern in the leak, but after researchers showed how the respective technologies could be exploited, the tech firms have taken action to protect customers. That both have come forward adds further weight to the claims the Shadow Brokers’ leak really does contain information stolen from an NSA server, indicating the US intelligence agency was attacking American manufacturers’ security products without telling the companies. And, as the files were dated between 2010 and 2013, the affected firewalls have been hackable for at least three years.
Tomi Engdahl says:
Cisco Patches ‘ExtraBacon’ Zero-day Exploit Leaked By NSA Hackers
https://yro.slashdot.org/story/16/08/17/232256/cisco-patches-extrabacon-zero-day-exploit-leaked-by-nsa-hackers
ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools.”
Tomi Engdahl says:
Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”
http://www.securityweek.com/firewall-vendors-analyze-exploits-leaked-shadow-brokers
Cisco, Fortinet and WatchGuard have analyzed the exploits leaked recently by a threat group calling itself Shadow Brokers. While Fortinet and WatchGuard determined that the vulnerabilities were patched several years ago, Cisco did find a zero-day in its products.
The mysterious Shadow Brokers group claims to have hacked The Equation Group, a threat actor believed to be associated with the U.S. National Security Agency (NSA). Shadow Brokers, which some speculate might be sponsored by Russia, has released 300Mb of firewall exploits, implants and tools, and is offering to sell even more information for 1 million Bitcoin (valued at more than $500 million).
Kaspersky Lab, which has conducted an extensive analysis of Equation Group tools, has confirmed that the leaked files appear to come from the NSA-linked actor, but pointed out that the files date back to 2010-2013. Nevertheless, this is still a significant leak.
Shadow Brokers has published exploits and implants for hacking firewalls made by Fortinet, Chinese company TOPSEC, Cisco, Juniper Networks, WatchGuard and several unknown vendors.
Tomi Engdahl says:
Hacking the Hackers? US Spy Agency at Center of Apparent Breach
http://www.securityweek.com/hacking-hackers-us-spy-agency-center-apparent-breach
The US National Security Agency, which gained international notoriety in 2013 after Edward Snowden revealed its data snooping techniques, has itself become the target of an apparent data breach.
Mysterious hackers calling themselves the “Shadow Brokers” leaked online what appears to be classified NSA computer code.
Several security experts told US media the code appears genuine, and Snowden said “circumstantial evidence” pointed to Russian involvement.
As of Wednesday, the NSA still had not responded to multiple requests for comment. The hackers over the weekend posted two sets of files, one that is freely accessible and another that remains encrypted.
Tomi Engdahl says:
The Shadow Brokers EPICBANANAS and EXTRABACON Exploits
https://blogs.cisco.com/security/shadow-brokers
Tomi Engdahl says:
A peek at the tools of network espionage
https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2016/08/ttn201608181341.html
Tomi Engdahl says:
Sam Biddle / The Intercept:
Previously unreleased Snowden documents confirm ShadowBrokers leak contains authentic NSA software that was used to attack systems in Pakistan and Lebanon — On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.
The NSA Leak Is Real, Snowden Documents Confirm
https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/
On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.
one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.
The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public.
The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.
SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public.
SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014.
SECONDDATE is a component of BADDECISION, a broader NSA infiltration tool. SECONDDATE helps the NSA pull off a “man in the middle” attack against users on a wireless network, tricking them into thinking they’re talking to a safe website when in reality they’ve been sent a malicious payload from an NSA server.
The sheer number of interlocking tools available to crack a computer is dizzying.
Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised.
Tomi Engdahl says:
Researcher Grabs VPN Password With Tool From NSA Dump
http://motherboard.vice.com/read/researcher-grabs-cisco-vpn-password-with-tool-from-nsa-dump
Cisco has already warned customers about two exploits found in the NSA-linked data recently dumped by hackers calling themselves The Shadow Brokers. Now, researchers have uncovered another attack included in the cache, which they claim allows the extraction of VPN passwords from certain Cisco products—meaning hackers could snoop on encrypted traffic.
Security researcher Mustafa Al-Bassam first documented the hacking tool, which uses the codename BENIGNCERTAIN, in a blog post published Thursday. He coined the attack “PixPocket” after the hardware the tool targets: Cisco PIX, a popular, albeit now outdated, firewall and VPN appliance. Corporations or government departments might use these devices to allow only authorised users onto their network.
According to Al-Bassam, the tool references PIX versions 5.2(9) up to 6.3(4). However, Brian Waters said he carried out his test on hardware running the 6.3(5) version, implying that the attack may work on other versions of PIX than those listed in the tool’s code.
Cisco officially stopped selling PIX products back in 2009. It is unclear if anyone has used this attack in the wild, or who still uses PIX products today. Kevin Beaumont, another researcher who has been digging through The Shadow Brokers dump, claimed that one of the UK government’s biggest IT contractors still uses a PIX VPN.
Tomi Engdahl says:
The NSA Hack — What, When, Where, How, Who & Why?
Wednesday, August 17, 2016 Swati Khandelwal
http://thehackernews.com/2016/08/nsa-hack-russia-leak.html?m=1
You might have heard about the recent ongoing drama of NSA hack that has sparked a larger debate on the Internet concerning abilities of US intelligence agencies as well as their own security.
The Shadow Brokers hacking group has published the leaked data in two parts; one includes many hacking tools designed to inject malware into various servers and another encrypted file containing the “best files” that they made available for sale for 1 Million Bitcoins.
NSA Hack Raises a Few Important Questions. The leak of advanced hacking tools allegedly stolen from the Equation Group has raised a few questions in everyone’s mind:
Is Equation Group an elite cyber attack unit linked to the NSA?
Are the Equation Group Hack and leaked exploits legitimate?
If Legit, Do the advanced hacking tools actually belong to Equation Group?
Who is behind the hack? Russia?
“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group,” Kaspersky researchers said in a blog post.
Tomi Engdahl says:
#Shadowbrokers hack could be Russia’s DNC counter-threat to NSA
Claimed NSA hacker outfit Equation group confirmed to be breach victim.
http://www.theregister.co.uk/2016/08/17/equation_group_5675676/
One of the most interesting hacks in recent memory is almost certain to be a compromise of infrastructure operated by an ultra-elite hacking group thought to be the United States’ National Security Agency.
The breach involves the public release of more than 300 files that showcase a host of exploits against companies including Cisco and Fortinet, plus tools known to be part of the National Security Agency’s arsenal.
Initial analysis by the likes of Kaspersky Labs, NSA whistleblower Edward Snowden, and a host of independent security researchers shore up claims by a hacking group calling itself Shadow Brokers that the exploits and toolsets it hopes to auction for millions of dollars in Bitcoins are legitimate Equation group weaponry.
Tomi Engdahl says:
Veiled threat
Snowden suggests the auction is a ruse, and attackers are using the dump as a warning shot to the NSA.
Any compromise of civilian or military infrastructure that is subsequently linked to the breached command and control server will be tied to the NSA, the theory goes.
This could be a veiled threat by Russia to the NSA should it retaliate for the Democratic National Committee attacks, Snowden suggests.
Source: http://www.theregister.co.uk/2016/08/17/equation_group_5675676/
Tomi Engdahl says:
Security Experts Agree: The NSA Was Hacked
https://www.technologyreview.com/s/602201/security-experts-agree-the-nsa-was-hacked/
Analysis of the software tools made available by the Shadow Brokers suggests that they’re the real deal.
It looks as if the NSA has indeed been hacked.
The Shadow Brokers claimed that their initial public release of the software included tools that could be used to break into firewall systems from companies like Cisco Systems and Juniper Networks. Just days later, Cisco has urgently announced that it’s going to patch two vulnerabilities in its firewall systems, which may have been exploited since as early as 2013. Security experts had claimed that the espionage tools appeared to be old, but Cisco appears to be seeing some of them for the first time.
Meanwhile, Russian security firm Kaspersky has also been interrogating the software. It’s discovered unusual math in the code that’s been published so far, which it believes ties the software to the so-called Equation Group.
Ex-NSA employees have also told the Wall Street Journal that they believe the code published by the Shadow Brokers to be “authentic.”
These scraps of information raise the question of why the NSA had for years been sitting on vulnerabilities that affect widely used networking gear. They also suggest that the agency may have gone against White House policy on when it is reasonable to keep flaws secret.
The Cisco bugs were zero-day vulnerabilities, so called because they give the author of a piece of software zero days to identify and distribute a solution. Zero-days are valuable to criminals and spies because they can be used to break into systems undetected.
In 2013, the Obama administration quietly created a new process that all government departments must follow to decide whether it was reasonable to keep a zero-day vulnerability secret.
Tomi Engdahl says:
This is an old article, but gives some background on the hacking group that got now hacked:
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
“Equation Group” ran the most advanced hacking operation ever uncovered.
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
Tomi Engdahl says:
After Shadow Brokers, should the NSA still be hoarding vulnerabilities?
Companies had to scramble to patch bugs from the latest leak
http://www.theverge.com/2016/8/19/12548462/shadow-brokers-nsa-vulnerability-disclosure-zero-day
This weekend’s Shadow Brokers leak dropped 300MB of stolen data onto the open web, including live exploits for some of the web’s most crucial network infrastructure, apparently stolen from the NSA in 2013. But while experts are still sorting out who stole the data and how, the new exploits have also left companies like Cisco, Fortinet, and Juniper scrambling to fix the newly published attacks against their systems. Suddenly, there was a new way into products that had been considered secure for years — and anyone who downloaded the data knew exactly how to get in.
The scramble to protect those devices is already underway, but it has raised new questions about how the NSA discovers and develops methods for breaking security products. Whoever was behind the Shadow Brokers leak had access to these exploits for three years before publishing them, allowing them to completely subvert some of the most popular network protection devices available. That’s a threat to users, companies, and anyone caught on the protected network — and whether intentional or not, it appears to be a direct result of work done by the NSA. It raises an uncomfortable question: should the NSA have told the companies about the weaknesses in their software three years ago?
The vulnerabilities involved are serious ones. One group of vulnerabilities targets Cisco’s Adaptive Security Appliances, a network firewall appliance often used to protect large data centers. The exploits allow attackers to break through the firewall without a username and password, masquerading as SNMP data. Another attack triggered remote code execution in Fortinet’s FortiGate firewalls by exploiting a flaw in the onboard cookie parser buffer.
Tomi Engdahl says:
Leaked Exploits are Legit and Belong to NSA: Cisco, Fortinet and Snowden Docs Confirm
Friday, August 19, 2016 Mohit Kumar
http://thehackernews.com/2016/08/nsa-hack-exploit.html?m=1
Last week, a group calling itself “The Shadow Brokers” published what it said was a set of NSA “cyber weapons,” including some working exploits for the Internet’s most crucial network infrastructure, apparently stolen from the agency’s Equation Group in 2013.
Well, talking about the authenticity of those exploits, The Intercept published Friday a new set of documents from the Edward Snowden archive, which confirms that the files leaked by the Shadow Brokers contain authentic NSA software and hacking tools used to secretly infect computers worldwide.
Hacking tools from The Shadow Brokers leak named ExtraBacon, EpicBanana, and JetPlow, contain exploits that can compromise Cisco firewall products including devices from the Adaptive Security Appliance (ASA) line, PIX firewalls, and Cisco Firewall Services Modules (FWSM).
Who is the ‘The Shadow Brokers’? Russia? An Insider?
How the files containing exploits were leaked, and who exactly leaked it, are still unclear, but the recent developments made it very much clear that these exploits belong to the NSA and the agency was using them to target customers worldwide.
The Shadow Brokers’ identity is still a mystery: As for now, multiple theories have been proposed.
Some are pointing their fingers towards Russia; some are saying it’s an insider’s job; while some say the NSA hacker using the hacking tools failed to clean up after an operation that allowed someone to grab them without compromising or hacking the agency.
Tomi Engdahl says:
How the NSA snooped on encrypted Internet traffic for a decade
Exploit against Cisco’s PIX line of firewalls remotely extracted crypto keys.
http://arstechnica.com/security/2016/08/cisco-firewall-exploit-shows-how-nsa-decrypted-vpn-traffic/
In a revelation that shows how the National Security Agency was able to systematically spy on many Cisco Systems customers for the better part of a decade, researchers have uncovered an attack that remotely extracts decryption keys from the company’s now-decommissioned line of PIX firewalls.
The discovery is significant because the attack code, dubbed BenignCertain, worked on PIX versions Cisco released in 2002 and supported through 2009. Even after Cisco stopped providing PIX bug fixes in July 2009, the company continued offering limited service and support for the product for an additional four years. Unless PIX customers took special precautions, virtually all of them were vulnerable to attacks that surreptitiously eavesdropped on their VPN traffic. Beyond allowing attackers to snoop on encrypted VPN traffic, the key extraction also makes it possible to gain full access to a vulnerable network by posing as a remote user.
Tomi Engdahl says:
ShadowBrokers Bitcoin Transactions: Now There’s Some Taint For You!
https://krypt3ia.wordpress.com/2016/08/19/shadowbrokers-bitcoin-transactions-now-theres-some-taint-for-you/
So I was looking at the bitcoin status of the #ShadowBrokers account and something interesting began to take shape. What I noticed, with the help of my trusty Maltego (@paterva), was that some transactions with “tainted” bitcoins were happening.
Tomi Engdahl says:
Computer Science Professor Gives Failing Grade to Newly Leaked NSA Hacking Tool
http://news.softpedia.com/news/computer-science-professor-gives-failing-grade-to-newly-leaked-nsa-hacking-tool-507482.shtml
Stephen Checkoway, an Assistant Professor at the Department of Computer Science at the University of Illinois at Chicago, has analyzed some of the exploit code included in the recent Equation Group leak, and his verdict is “not impressed.”
Prof. Checkoway put some hours aside to look at the source code of the BANANAGLEE exploit, which targets Juniper firewalls. The reason he analyzed this exploit is that he’s familiar with Juniper devices, being the lead researcher for “A Systematic Analysis of the Juniper Dual EC Incident,” a research paper set to be presented in October 2016, at the ACM Conference on Computer and Communications Security.
“Checkoway: This is ridiculous!”
The professor didn’t look at the entire codebase, but only at the key generation system and the process of redirecting IP packets.
“This is ridiculous,” Checkoway writes regarding the random key generation system.
“But worst of all, rather than having 2^128 possible 128-bit keys, this procedure can only produce 2^64 distinct keys!” which means the key generation system was yielding a much smaller number of options to choose a random key, and all of it was the result of bad coding.
“There are some good parts, but the cryptography is really bad”
Prof. Checkoway was a little bit more impressed with the process of hiding the attack source through multiple IP redirections, which he called “kinda neat.” But the praises stopped there. “[B]oth the code and the crypto are bad. Very bad,” he says.
The professor adds the code has some “boring memory leaks,” but the part that really ticked him off resided in the mechanism that encrypts IP packets sent via this redirection process.
Tomi Engdahl says:
Computer Science Professor Mocks The NSA’s Buggy Code – Slashdot
https://it.slashdot.org/story/16/08/20/0526234/computer-science-professor-mocks-the-nsas-buggy-code
If these were cyberweapons, “I’m pretty underwhelmed by their quality,” professor Checkoway writes on his blog, adding that he found “sloppy and buggy code,” no authentication of the encrypted communication channel, 128-bit keys generated using 64 bits of entropy, and cypher initialization vectors that leaked bits of the hash of the plain text…
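The two comments above both turn on the same defect: a 128-bit key produced from only 64 bits of entropy can take at most 2^64 values, so its strength is that of a 64-bit key. The following Python is an added illustration written for this page; it is not Checkoway’s analysis and not code from the leaked BANANAGLEE tool. It uses a hypothetical flawed derivation (hash a short seed, truncate to the key size) at toy scale, enumerates every seed to count how many keys are actually reachable, and shows the correct alternative of drawing the whole key from the OS random source.

```python
import hashlib
import math
import os


def expand_seed_to_key(seed: bytes, key_len: int) -> bytes:
    """Hypothetical flawed derivation (constructed for this example): stretch a
    short seed into a longer key by hashing it. The output has key_len bytes,
    but there can never be more distinct keys than there are distinct seeds."""
    return hashlib.sha256(seed).digest()[:key_len]


def count_distinct_keys(seed_bits: int, key_bits: int) -> int:
    """Enumerate every seed of seed_bits bits and count how many distinct
    key_bits-bit keys the flawed derivation can ever produce."""
    seed_len = (seed_bits + 7) // 8
    key_len = (key_bits + 7) // 8
    keys = {expand_seed_to_key(s.to_bytes(seed_len, "big"), key_len)
            for s in range(1 << seed_bits)}
    return len(keys)


def effective_key_bits(seed_bits: int, key_bits: int) -> float:
    """log2 of the reachable keyspace: the real work factor of a brute-force
    search, regardless of how long the key looks on the wire."""
    return math.log2(count_distinct_keys(seed_bits, key_bits))


def generate_key(key_bits: int) -> bytes:
    """Correct approach: take every key bit from the OS CSPRNG."""
    return os.urandom((key_bits + 7) // 8)


if __name__ == "__main__":
    # Toy scale: 8-bit seeds stretched to 32-bit keys. At most 256 of the
    # 2^32 possible keys are reachable, so the "32-bit" key costs 2^8 guesses.
    # The same arithmetic gives 2^64 for a 64-bit seed behind a 128-bit key.
    reachable = count_distinct_keys(8, 32)
    print(f"reachable keys: {reachable} of {1 << 32} "
          f"(~{effective_key_bits(8, 32):.1f} effective bits)")
    print(f"128-bit key from os.urandom: {generate_key(128).hex()}")
```

The enumeration is only feasible at toy size, which is the point: the number of reachable keys is bounded by the seed space, not by the hash output size, and no amount of post-processing recovers entropy that was never put in.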
Tomi Engdahl says:
Insiders have 2 competing theories over NSA hacks
http://www.businessinsider.com/nsa-hacking-theories-2016-8?r=US&IR=T&IR=T
Experts are offering two competing theories on how it happened — and they’re equally disturbing.
Some former agency employees believe that the alleged group behind the leak, the “Shadow Brokers,” may have hacked an NSA server that had a top-secret hacker toolkit left there by mistake.
Others believe that the Brokers may be just a smokescreen for another possibility: an agency mole.
In the post about this “insider theory,” Suiche’s source said that the supposed NSA toolkit usually sits on a physically segregated network that never goes near the internet. And even more interesting, the source says, is that when an NSA hacker — an operator working in what is called Tailored Access Operations (TAO) — is going to carry out a cyberattack on a target, he or she would grab the files from this offline repository and then change many of their file names before they start.
“The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source,” Suiche writes.
Aitel, the ex-NSA research scientist, agreed with that assessment as a valid possibility.
“It’s not from a [command-and-control] server,” he said. “It’s just not C2 server stuff. It’s operational machine stuff. No one puts their exploits on a C2 server. That’s not a thing.”
If the leaked files didn’t actually get hacked from a server on the internet, then it’s possible that the NSA has another “insider threat” problem
“There’s all kinds of ugly here,” John Schindler, a former NSA analyst and counterintelligence officer, told Business Insider, speculating that “there’s fear now that this will bring on a serious mole hunt”
It released a 234-megabyte archive on various file-sharing sites with half being free to view and use — which numerous experts say is legitimate — while the other half was encrypted. The winner of the auction, the group said, would get the decryption key.
But an auction for hacking tools and exploits is not something that ever happens, experts say. Instead, exploits are bought and sold on the black market for hundreds of thousands and sometimes millions of dollars in private.
But at this point, the way they ended up getting out of the NSA’s grasp is not clear, and that’s a big problem.
“If you don’t know how it was lost, there’s then a lot of panic in terms of what else is out there, particularly from a counterintelligence perspective,”
Here’s why the supposed NSA ‘hack’ is unlike anything we’ve ever seen before
http://nordic.businessinsider.com/nsa-shadow-brokers-hack-weird-2016-8?r=US&IR=T
Tomi Engdahl says:
The NSA cyber-weapon auction is a total smokescreen — here’s what’s really going on
http://www.techinsider.io/nsa-cyberweapon-auction-shadow-brokers-2016-8
A group calling itself the “Shadow Brokers” claimed earlier this week that it hacked into the US National Security Agency and stole an apparent treasure trove of exploits and hacking tools that it is now trying to auction off.
But experts say that this is all a smokescreen for a not-so-subtle message from Moscow to Washington: Don’t mess with us.
“It’s a smokescreen, there’s nothing real about this,” John Schindler, a former NSA analyst and counterintelligence officer, told Business Insider. “This is Moscow’s way of upping the ante in the spy war, and sending a message no one can miss [which is] ‘we have you penetrated, we’ve got you by the balls, don’t push us.’”
He added: “The Russians are making a power play because they think they can right now.”
In the announcement of its auction, Shadow Brokers seemed to ensure that no one would seriously consider bidding on the other half of its treasure trove
Its FAQ tells bidders that they are going to lose their Bitcoin, no matter what they do. If you win the auction, you’ll get the files, but if you lose the auction, you don’t get the files — and you don’t get your Bitcoin back.
“Sorry lose bidding war lose bitcoin and files,” the group wrote.
That’s probably why the so-called auction hasn’t moved anywhere close to the group’s goal of 1 million Bitcoin, or roughly $575 million.
“This auction is one of the more bizarre things that I’ve ever seen in this space. People who buy and sell exploits would not just dump money into an auction,”
Tomi Engdahl says:
‘NSA’ hack okshun woz writ by Inglish speeker trieing to hyde
Linguist says perps of zero day dump wanted to pose as gramatically-incorrect aliens
http://www.theregister.co.uk/2016/08/23/nsa_hack_auction_looks_written_by_an_english_speaker_linguist/
The perpetrator behind the dumping of tools penned by the probably-the-NSA hacking squad called “Equation Group” appears to be a native English speaker, according to linguistic data researcher Shlomo Argamon.
Earlier this month some 300 files were circulated online purporting to be stolen from the Equation Group, which is thought to be an offensive Tailored Access Operations wing of the NSA given similarities in tools and techniques.
Tomi Engdahl says:
Equation Group Firewall Operations Catalogue
https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html
released a dump of around 250 megabytes of “free” files for proof alongside the auction.
The dump contains a set of exploits, implants and tools for hacking firewalls (“Firewall Operations”). This post aims to be a comprehensive list of all the tools contained or referenced in the dump.
Exploits
Tools
Tomi Engdahl says:
The Real Russian Mole Inside NSA | | Observer
http://observer.com/2016/08/the-real-russian-mole-inside-nsa/
The media has finally noticed that the National Security Agency has a problem with Kremlin penetration
Moles—that is, long-term penetration agents—are every intelligence service’s worst nightmare. Though rarer in reality than in spy movies and novels, moles exist and can do enormous damage to a country’s secrets and espionage capabilities. They’re what keep counterintelligence experts awake at night.
The recent appearance on the Internet of top secret hacking tools from the National Security Agency has shined yet another unwanted spotlight on that hard-luck agency, which has been reeling for three years from Edward Snowden’s defection to Moscow after stealing more than a million classified documents from NSA. As I explained, this latest debacle was not a “hack”—rather, it’s a clear sign that the agency has a mole.
Of course, I’ve been saying that for years. It’s not exactly a secret that NSA has one or more Russian moles in its ranks—not counting Snowden. Now the mainstream media has taken notice and we have the “another Snowden” meme upon us.
This shouldn’t be shocking news since the agency has suffered from moles since its birth in 1952. While many intelligence services have tried to steal secrets from NSA, only the Russians have been able to do so consistently. Kremlin penetration of NSA has been a constant. A brief historical sketch outlines the problem.
The record of our Intelligence Community, indeed our whole government, in counterintelligence is nothing less than dismal.
Tomi Engdahl says:
Experts have two theories for how top secret NSA data was stolen — and both are equally disturbing – Business Insider
http://www.businessinsider.my/nsa-hacking-theories-2016-8/
Tomi Engdahl says:
Commentary: Evidence points to another Snowden at the NSA | Reuters
http://mobile.reuters.com/article/idUSKCN10X01P
Tomi Engdahl says:
Leaked Cisco ASA Exploit Adapted for Newer Versions
http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions
Researchers have demonstrated that the Cisco ASA exploit leaked recently by a group called Shadow Brokers can be leveraged for remote code execution against newer versions of the software as well.
The leaked exploit for CVE-2016-6366, dubbed “EXTRABACON,” is several years old so it only works properly on older ASA versions. However, researchers from Hungary-based security firm Silent Signal managed to modify the leaked exploit for ASA 9.2(4), a version released in July 2015.
Moreover, Balint Varga-Perke, IT security expert and co-founder of Silent Signal, told SecurityWeek that the exploit can likely be adapted for even newer versions. The security firm is currently working on automatically generating exploit code for Cisco ASA versions that are currently not supported. Adapting the exploit for ASA 9.2(4) only took Silent Signal researchers a few hours.
“Unfortunately, some only realize the risk of a vulnerability if there is a practical demonstration of it,” Varga-Perke said in an email. “We hope that this development clarifies the risk for the skeptics too.”
According to Cisco’s security advisory for CVE-2016-6366, the vulnerability affects all ASA software releases and all supported versions of SNMP. When the vendor tested the leaked exploit against a Cisco ASA 5506 device running version 9.4(1), the software crashed.
Tomi Engdahl says:
Besides Cisco the following manufacturers have posted notices on NSA hack tool targeting their devices: FortiGuard, Juniper Networks, Huawei and Topsec.
Tomi Engdahl says:
Bruce Schneier / Vox:
Shadow Brokers leak shows how NSA’s tendency to hoard vulnerabilities instead of reporting them is putting our devices and networks at risk
New leaks prove it: the NSA is putting us all at risk to be hacked
Updated by Bruce Schneier on August 24, 2016, 7:10 a.m. ET
http://www.vox.com/2016/8/24/12615258/nsa-security-breach-hoard
The National Security Agency is lying to us. We know that because of data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others’ computers. Those vulnerabilities aren’t being reported, and aren’t getting fixed, making your computers and networks unsafe.
On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the internet. Near as we experts can tell, the NSA network itself wasn’t hacked; what probably happened was that a “staging server” for NSA cyberweapons — that is, a server the NSA was making use of to mask its surveillance activities — was hacked in 2013.
The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the leak used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?”
Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee — or other high-profile data breaches — the Russians will expose NSA exploits in turn.
The Obama administration’s pledge to notify companies about flaws in common software
Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard “zero days” — the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is “a clear national security or law enforcement” use).
Playing games with language
There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Leaving aside the question of whether that remaining 9 percent represents 1, 10, or 1,000 vulnerabilities, there’s the bigger question of what qualifies in the NSA’s eyes as a “vulnerability.”
The NSA’s hubris: the “nobody but us” standard
A phrase you often hear in any discussion of the Vulnerabilities Equities Process is NOBUS, which stands for “nobody but us.” Basically, when the NSA finds a vulnerability, it tries to figure out if it is unique in its ability to find it, or whether someone else could find it, too. If it believes no one else will find the problem, it may decline to make it public. It’s an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique American ability to conduct vulnerability research.
The vulnerabilities in the Shadow Brokers data dump are definitely not NOBUS-level. They are run-of-the-mill vulnerabilities that anyone — another government, cybercriminals, amateur hackers — could discover, as evidenced by the fact that many of them were discovered between 2013, when the data was stolen, and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world.
If there are any vulnerabilities that — according to the standards established by the White House and the NSA — should have been disclosed and fixed, it’s these.
We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance.
And as long as I’m dreaming, we really need to separate our nation’s intelligence-gathering mission from our computer security mission: We should break up the NSA. The agency’s mission should be limited to nation state espionage. Individual investigation should be part of the FBI, cyber war capabilities should be within US Cyber Command, and critical infrastructure defense should be part of DHS’s mission.
Tomi Engdahl says:
Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls
https://it.slashdot.org/story/16/09/19/1623233/cisco-scrambles-to-patch-second-shadow-brokers-bug-in-firewalls
Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls. The latest weakness lies in the code that Cisco’s IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products.
Cisco Warns of Second Firewall Bug Exposed by Shadow Brokers
https://www.onthewire.io/cisco-warns-of-second-firewall-bug-exposed-by-shadow-brokers/
Tomi Engdahl says:
Over 840,000 Cisco Devices Affected by NSA-Linked Flaw
http://www.securityweek.com/over-840000-cisco-devices-affected-nsa-linked-flaw
An IOS software vulnerability identified recently by Cisco while analyzing the firewall exploits leaked by the group calling itself Shadow Brokers has been found to affect hundreds of thousands of devices located around the world.
The flaw, tracked as CVE-2016-6415, exists in the Internet Key Exchange version 1 (IKEv1) packet processing code of Cisco’s IOS, IOS XE and IOS XR software, and it can be exploited by a remote, unauthenticated attacker to access memory content that could contain sensitive information.
In order to determine how many devices are affected by this vulnerability, The Shadowserver Foundation has conducted an Internet scan for the Internet Security Association and Key Management Protocol (ISAKMP), which is part of IKE.
“We are querying all computers with routable IPv4 addresses that are not firewalled from the internet with a specifically crafted 64 byte ISAKMP packet and capturing the response,” the organization explained.
As of the last scan, conducted on Wednesday, more than 840,000 unique IP addresses responded as vulnerable to Shadowserver’s probe.
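The Shadowserver count above comes from answering hosts, so the practical first step for a defender is the same: find out which of your own addresses answer IKEv1 on UDP/500 at all. The following is an added example, not code from the page, from Cisco or from Shadowserver, and it deliberately does not reproduce Shadowserver's 64-byte probe or the CVE-2016-6415 trigger. It encodes and parses ISAKMP (RFC 2408) messages with every length checked against the datagram, sends a plain main-mode first message, and classifies the reply; the SA proposal contents and the sample reply are constructed for the demo.

```python
"""Small ISAKMP (IKEv1, RFC 2408) message codec for inventorying IKE
responders on UDP/500. Added example; not from the page, Cisco or
Shadowserver. It does not reproduce Shadowserver's 64-byte probe or the
CVE-2016-6415 trigger. Network I/O lives only in probe_host()."""
import os
import socket
import struct

HDR = struct.Struct("!8s8sBBBBII")   # I-cookie, R-cookie, next, version, exchange, flags, msgid, length
GEN = struct.Struct("!BBH")          # generic payload header: next payload, reserved, length
EXCHANGE = {1: "base", 2: "main_mode", 3: "auth_only", 4: "aggressive", 5: "informational"}
PAYLOAD = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
           9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}

def _attr(atype, value):
    """Basic (2-byte value) transform attribute: high bit set on the type."""
    return struct.pack("!HH", 0x8000 | atype, value)

def build_sa_payload():
    """IPsec-DOI SA payload body with one proposal and one transform.
    Attributes 1-4: DES, MD5, pre-shared key, MODP-768 (constructed choice;
    picked only because any IKEv1 responder can parse them)."""
    attrs = _attr(1, 1) + _attr(2, 1) + _attr(3, 1) + _attr(4, 1)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    return struct.pack("!II", 1, 1) + proposal   # DOI=1 (IPsec), SIT_IDENTITY_ONLY

def build_message(payloads, exchange=2, icookie=None, rcookie=b"\0" * 8):
    """Serialize header + chained payloads. payloads: [(type_id, body_bytes)]."""
    icookie = icookie or os.urandom(8)
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN.pack(nxt, 0, GEN.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return HDR.pack(icookie, rcookie, first, 0x10, exchange, 0, 0, HDR.size + len(body)) + body

def parse_message(data):
    """Parse the header and walk the payload chain; every length field is
    checked against the datagram before it is trusted. Raises ValueError."""
    if len(data) < HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(data)
    if ver >> 4 != 1:
        raise ValueError("major version %d is not IKEv1" % (ver >> 4))
    if length != len(data):
        raise ValueError("header length %d != datagram length %d" % (length, len(data)))
    payloads, off = [], HDR.size
    while nxt:
        if off + GEN.size > len(data):
            raise ValueError("truncated payload header")
        pnext, _, plen = GEN.unpack_from(data, off)
        if plen < GEN.size or off + plen > len(data):
            raise ValueError("payload length %d overruns datagram" % plen)
        payloads.append((PAYLOAD.get(nxt, "type_%d" % nxt), data[off + GEN.size:off + plen]))
        off, nxt = off + plen, pnext
    return {"icookie": ic, "rcookie": rc, "exchange": EXCHANGE.get(xchg, "type_%d" % xchg),
            "flags": flags, "msgid": msgid, "payloads": payloads}

def is_ike_responder(request, reply):
    """True if the reply is a well-formed ISAKMP message that echoes our
    initiator cookie and carries a non-zero responder cookie."""
    try:
        parsed = parse_message(reply)
    except ValueError:
        return False
    return parsed["icookie"] == request[:8] and parsed["rcookie"] != b"\0" * 8

def probe_host(host, port=500, timeout=2.0):
    """Send one main-mode first message and classify the reply (live I/O)."""
    req = build_message([(1, build_sa_payload())])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return is_ike_responder(req, reply)

# Constructed samples: our request, a main-mode reply echoing the cookie with an
# SA and a vendor-ID payload, and the same reply with a corrupted payload length.
SAMPLE_REQ = build_message([(1, build_sa_payload())], icookie=b"\x11" * 8)
SAMPLE_REPLY = build_message([(1, build_sa_payload()), (13, b"\xaa" * 16)],
                             icookie=b"\x11" * 8, rcookie=b"\x22" * 8)
SAMPLE_BAD = SAMPLE_REPLY[:30] + b"\xff" + SAMPLE_REPLY[31:]
```

A positive result only says the host runs an IKEv1 responder that is reachable from where you scan; whether it is affected by CVE-2016-6415 is a question for Cisco's advisory and the running software version, not for this probe.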
Tomi Engdahl says:
Report: NSA hushed up zero-day spyware tool losses for three years
Investigation shows staffer screw-up over leak
http://www.theregister.co.uk/2016/09/23/report_nsa_covered_up_zeroday_losses_for_three_years/
Sources close to the investigation into how NSA surveillance tools and zero-day exploits ended up in the hands of hackers have found that the agency knew about the loss for three years but didn’t want anyone to know.
Multiple sources told Reuters last night that the investigation into the data dump released by a group calling itself the Shadow Brokers had determined that the NSA itself wasn’t directly hacked and the software didn’t come from exiled whistleblower Edward Snowden. Instead it appears one of the NSA staffers got sloppy.
It appears at this stage that the staffer, who has since left the NSA for other reasons, stashed the sensitive tools on an outside server – likely a bounce box – after an operation. Miscreants then found that machine, raided it and hit the jackpot. The staffer informed his bosses after the incident, but rather than warning companies like Cisco that their customers were at risk, the NSA kept quiet.
The reasoning for this secrecy seems to have been that the NSA wanted to see who was going to use them. It monitored the world’s internet traffic to try and catch sight of the tools or someone using the software or the holes it exploited. Since no signs appeared, the agency didn’t tell anyone of the loss.
Tomi Engdahl says:
NSA contractor charged with stealing top secret data
https://www.washingtonpost.com/world/national-security/government-contractor-arrested-for-stealing-top-secret-data/2016/10/05/99eeb62a-8b19-11e6-875e-2c1bfe943b66_story.html
A federal contractor suspected in the leak of powerful National Security Agency hacking tools has been arrested and charged with stealing classified information from the U.S. government.
Harold Thomas Martin III, 51, who did technology work for Booz Allen Hamilton, was charged with theft of government property and unauthorized removal and retention of classified materials, authorities said.
Tomi Engdahl says:
After Failed Auction, Shadow Brokers Opens NSA Hacking Tools for Direct Sales
Wednesday, December 14, 2016 Mohit Kumar
http://thehackernews.com/2016/12/nsa-hack-shadow-brokers.html
The hacker group that’s believed to be behind the high-profile cyber theft of NSA hacking tools and exploits that sparked a larger debate on the Internet concerning abilities of US intelligence agencies and their own security
The group put the stolen cyber weapons up for auction but received little response and went quiet for some time.
However, The Shadow Brokers now appears to have put up the NSA’s hacking tools and exploits for direct sale on an underground website.
A newly uncovered site reportedly contains a file signed with the cryptographic key of The Shadow Brokers, suggesting the hacker group has now moved to sell NSA hacking tools directly to buyers one by one, Motherboard reports.
Newly Uncovered Site Suggests NSA Exploits for Direct Sale
http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale
On Wednesday, someone calling themselves Boceffus Cleetus published a Medium post called “Are the Shadow Brokers selling NSA tools on ZeroNet?” Cleetus, who has an American flag with swastikas as their profile picture, also tweeted the post from a Twitter account created this month.
“Those dastardly ole shadow brokers have themselves a zite on ZeroNet. Yep and fars as I can tell they appears to be sellin NSA tools individually now,” Cleetus continues.
The site includes a long list of supposed items for sale, with names like ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. Each is sorted into a type, such as “implant,” “trojan,” and “exploit,” and comes with a price tag between 1 and 100 bitcoins ($780—$78,000). Customers can purchase the whole lot for 1000 bitcoins ($780,000).
The site also lets visitors download a selection of screenshots and files related to each item. Along with those is a file signed with a PGP key with an identical fingerprint to that linked to the original Shadow Brokers dump of exploits from August.
The Shadow Brokers did not respond to a request to clarify that the site did indeed belong to them.
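The link between the ZeroNet site and the August dump rests on a PGP key fingerprint. For anyone who wants to repeat that comparison on key material rather than take it on trust, here is an added example (not from the page, Motherboard or The Shadow Brokers) that computes an OpenPGP version-4 fingerprint and long key ID as RFC 4880 section 12.2 defines them and compares two public-key packets by it. The RSA numbers are tiny dummy values constructed for the demo, not a real key, and nothing here verifies a signature: a matching fingerprint only identifies which key a signature claims to come from.

```python
"""OpenPGP v4 key fingerprint and key ID (RFC 4880 section 12.2), the value
compared when two keys are called 'the same key'. Added example; not from
the page, Motherboard or The Shadow Brokers. The RSA numbers below are
constructed dummy values, not a real key, and no signature is verified."""
import hashlib
import struct

def mpi(n):
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    if n == 0:
        return b"\x00\x00"
    return struct.pack("!H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def public_key_body(n, e, created, algo=1):
    """Body of a version-4 public-key packet (tag 6) for RSA (algorithm 1)."""
    return bytes([4]) + struct.pack("!I", created) + bytes([algo]) + mpi(n) + mpi(e)

def public_key_packet(body):
    """Old-format packet header for tag 6 with a 2-byte length: 0x80|(6<<2)|1 = 0x99."""
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 2-byte length")
    return b"\x99" + struct.pack("!H", len(body)) + body

def first_packet(data):
    """Split off the first OpenPGP packet (old- and new-format headers,
    definite lengths only). Returns (tag, body)."""
    b0 = data[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if b0 & 0x40:                                   # new format
        tag, l1 = b0 & 0x3F, data[1]
        if l1 < 192:
            blen, off = l1, 2
        elif l1 < 224:
            blen, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            blen, off = struct.unpack("!I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                           # old format
        tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03
        if ltype == 0:
            blen, off = data[1], 2
        elif ltype == 1:
            blen, off = struct.unpack("!H", data[1:3])[0], 3
        elif ltype == 2:
            blen, off = struct.unpack("!I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    if off + blen > len(data):
        raise ValueError("packet length overruns data")
    return tag, data[off:off + blen]

def v4_fingerprint(body):
    """SHA-1 over 0x99, 2-byte body length, body. Those are exactly the bytes
    of the old-format packet, so the fingerprint covers creation time and
    algorithm as well as the key material."""
    return hashlib.sha1(b"\x99" + struct.pack("!H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint):
    """Long key ID: the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]

def fingerprint_of_packet(packet):
    """Fingerprint of a serialized public-key packet, whichever header format it uses."""
    tag, body = first_packet(packet)
    if tag != 6:
        raise ValueError("expected a public-key packet (tag 6), got tag %d" % tag)
    return v4_fingerprint(body)

def same_key(packet_a, packet_b):
    """The comparison the report describes: identical fingerprint, identical key."""
    return fingerprint_of_packet(packet_a) == fingerprint_of_packet(packet_b)

# Constructed dummy key (not a real key). The same key serialized with an
# old-format and a new-format header must fingerprint identically; a copy
# with a different creation time must not, even though n and e are unchanged.
DUMMY_N, DUMMY_E, CREATED = 0xC3F1A9D7B5E2F0011D, 65537, 1470000000
BODY = public_key_body(DUMMY_N, DUMMY_E, CREATED)
PKT_OLD = public_key_packet(BODY)
PKT_NEW = bytes([0xC0 | 6, len(BODY)]) + BODY      # new-format header, 1-byte length
PKT_LATER = public_key_packet(public_key_body(DUMMY_N, DUMMY_E, CREATED + 1))
```

Compare against what gpg prints: `gpg --with-fingerprint` on the imported key gives the same 40 hex digits, and the last 16 of them are the long key ID shown in `gpg --verify` output. Whether the signature on the ZeroNet file actually validates under that key is a separate check that this example does not perform.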