Exploits supposedly stolen from an elite team of NSA-affiliated hackers appear both legitimate and functional, cybersecurity experts and affected technology vendors tell FedScoop.
A group calling themselves the Shadow Brokers posted a trove of what appears to be old exploits over the weekend, claiming they were stolen from the NSA-linked Equation Group.
A portion of this code was uploaded as a “free [and viewable] sample” to several websites, while the clandestine group also advertised yet another reservoir of “stolen” cyberweapons to the highest bidder. Several of the websites hosting this material have since removed it.
Security researchers subsequently analyzed the evidence, largely taking to twitter Monday when news broke, but opinions remain divided concerning the legitimacy of the data dump.
Further independent analysis revealed on Tuesday is slowly lending greater credibility to the theory that these exploits were once used by American spies.
“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group,” Kaspersky Lab researchers, many of whom originally helped identify Equation Group’s existence in 2015, wrote in a company blog post.
Several of the newly publicized exploits do not appear in popular software vulnerability databases and could be considered zero-day exploits, said Brian Martin, Director of Vulnerability Intelligence for Richmond, Va.-based security consultancy Risk Based Security.
“I know of at least two exploits here that look like zero-days,” Martin told FedScoop during a phone interview. The term zero-day refers to a specific type of exploit that targets an unknown vulnerability that has never been patched by the vendor. Simply put, the ownership of multiple zero-day level exploits suggests the involvement of a well-funded nation state actor, experts say.
Cisco, one of the technology vendors whose products were the apparent target of a secret exploit shared by the Shadow Brokers, acknowledged the existence of the actual firewall exploit and said they are “investigating all aspects of [it]” in an email to FedScoop.
An independent security researcher, writing under the moniker Xorcat, also ran script of the Cisco Adaptive Security Appliances, or ASA, exploit — codenamed ExtraBacon in the original code log — in a controlled environment. The researcher allegedly found that the cyberweapon could penetrate an older version of the firm’s firewall without the need for scrapping valid login details.
“So far, we have not found any new vulnerabilities related to this incident, though our Cisco PSIRT team will continue a thorough investigation,” a Cisco spokesperson said.
It is possible, however, that the old Cisco exploit will work on newer systems, according to Martin.
“Unless Cisco specifically figured this out, it was reported to them by a different party, or they significantly changed the SNMP [simple network management protocol] functionality… it likely works on subsequent versions,” Martin said.
Some of the other exploits posted by Shadow Brokers also appear to target firewall software developed by network technology maker Juniper Networks and cybersecurity giant Fortinet.
A Fortinet spokesperson said in a statement: “Fortinet is currently investigating this exploit. If we identify any issues that could have impacted our customers, we will share it through our responsible disclosure policy.”
Independent cybersecurity researcher Kevin Beaumont shared on Twitter that the aforementioned Fortinet firewall exploit codenamed “EGREGIOUSBLUNDER,” which targets a program called Fortigate, still works.