posted by n1 on Monday August 15 2016, @11:55PM   Printer-friendly
from the all-the-hats dept.

A group calling itself "The Shadow Brokers" claims to have hacked an NSA-linked group and obtained its malware and hacking tools, which the group attributes to the creators of Stuxnet, Duqu and Flame:

A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."

The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.

Also at Computerworld:

The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter by some security experts seem to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.

Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."


Related Stories

Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers 15 comments

Cisco is releasing patches for an exploit disclosed by an entity calling itself the Shadow Brokers:

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.

ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.

[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

There is speculation that the files are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers concluded that the text was written by someone pretending not to know English.

"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot


The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA 5 comments

The Shadow Brokers are back, and they have a treat for you:

"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.

[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
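As an added example (this is not code from the Ars Technica piece, from the researchers it cites, or from the dump itself), here is what a defender's first pass over a target list of this shape looks like: deduplicate the IPs and hostnames, pull out the timestamp range and the TLD breakdown the article reports, then match the list against your own netblocks and domain suffixes to see whether any of your hosts are on it. The lines in SAMPLE_DUMP are constructed for illustration; the one-record-per-line layout (hostname, IP, date) is an assumption, not the real dump's format.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample, NOT entries from the real leak. Assumed layout per line:
# <hostname> <ip> <YYYY-MM-DD>. Only documentation/test address ranges are used.
SAMPLE_DUMP = """\
host1.constructed-sample.edu 192.0.2.10 2004-03-11
host2.constructed-sample.edu 192.0.2.11 2007-09-02
ns1.constructed-sample.gov 198.51.100.5 2001-06-30
ftp.constructed-sample.edu 192.0.2.10 2009-12-24
proxy.constructed-sample.co.jp 203.0.113.77 2000-08-22
"""


def parse_dump(text):
    """Parse the assumed 'host ip date' lines into records; blank and # lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ip, ts = line.split()
        records.append({
            "host": host.lower().rstrip("."),
            "ip": ipaddress.ip_address(ip),      # raises on garbage, which we want
            "ts": datetime.strptime(ts, "%Y-%m-%d").date(),
        })
    return records


def summarize(records):
    """Distinct IP/host counts, timestamp range and a per-TLD breakdown of the hostnames."""
    ips = {r["ip"] for r in records}
    hosts = {r["host"] for r in records}
    tlds = Counter(h.rsplit(".", 1)[-1] for h in hosts)
    dates = [r["ts"] for r in records]
    return {
        "distinct_ips": len(ips),
        "distinct_hosts": len(hosts),
        "first": min(dates),
        "last": max(dates),
        "tlds": tlds,
    }


def in_my_domains(host, my_domains):
    """Suffix match on label boundaries: 'x.example.edu' matches 'example.edu',
    but 'notexample.edu' does not."""
    return any(host == d or host.endswith("." + d) for d in my_domains)


def find_exposure(records, my_networks, my_domains):
    """Return (host, ip, date, how) for every record inside our netblocks or under our domains."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    doms = [d.lower().strip(".") for d in my_domains]
    hits = []
    for r in records:
        # 'addr in net' is False (not an error) when the IP versions differ,
        # so mixed IPv4/IPv6 inventories are fine here.
        by_ip = any(r["ip"] in n for n in nets)
        by_name = in_my_domains(r["host"], doms)
        if by_ip or by_name:
            hits.append((r["host"], str(r["ip"]), r["ts"].isoformat(),
                         "ip" if by_ip else "name"))
    return hits


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(summarize(recs))
    for hit in find_exposure(recs, ["192.0.2.0/24"], ["constructed-sample.gov"]):
        print("EXPOSED:", hit)
```

The suffix match is deliberately done on label boundaries so that a domain you own cannot accidentally match a longer, unrelated name, and the IP check goes through ipaddress rather than string prefixes so that CIDR boundaries are honoured.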


"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act


"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS 88 comments

NSA-created cyber tool spawns global ransomware attacks

From Politico via Edward Snowden via Vinay Gupta:

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.

Thoughts on a similar scenario were published by the Harvard Business Review two days before this incident.

One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75,000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.

Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.

Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.

Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.

It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.

Former NSA Employee Nghia Pho Pleads Guilty to Willful Retention of National Defense Information 11 comments

A former National Security Agency employee who worked at Tailored Access Operations has pleaded guilty to willful retention of national defense information, the same charge Harold T. Martin III faces:

A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.

Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence. Prosecutors agreed not to seek more than eight years, however, and Mr. Pho's attorney, Robert C. Bonsib, will be free to ask for a more lenient sentence. He remains free while awaiting sentencing on April 6.

Mr. Pho had been charged in secret, though some news reports had given a limited description of the case. Officials unsealed the charges on Friday, resolving the long-running mystery of the defendant's identity.

Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen. Prosecutors withheld from the public many details of his government work and of the criminal case against him, which is linked to a continuing investigation of Russian hacking.

Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
NSA Had NFI About Opsec: 2016 Audit Found Laughably Bad Security
Reality Winner NSA Leak Details Revealed by Court Transcript


Former NSA Employee Nghia Pho Sentenced to 66 Months in Prison for Retention of Documents and Code 28 comments

NSA employee who brought hacking tools home sentenced to 66 months in prison

Nghia Hoang Pho, a 68-year-old former National Security Agency employee who worked in the NSA's Tailored Access Operations (TAO) division, was sentenced today to 66 months in prison for willful, unauthorized removal and retention of classified documents and material from his workplace—material that included hacking tools that were likely part of the code dumped by the individual or group known as Shadowbrokers in the summer of 2016.

Pho, a naturalized US citizen from Vietnam and a resident of Ellicott City, Maryland, had pleaded guilty to bringing home materials after being caught in a sweep by the NSA following the Shadowbrokers leaks. He will face three years of supervised release after serving his sentence. His attorney had requested home detention.

In a letter sent to the court in March, former NSA Director Admiral Mike Rogers told Judge George Russell that the materials removed from the NSA by Pho "had significant negative impacts on the NSA mission, the NSA workforce, and the Intelligence Community as a whole." The materials Pho removed, Rogers wrote, included:

[S]ome of NSA's most sophisticated, hard-to-achieve, and important techniques of collecting [signals intelligence] from sophisticated targets of the NSA, including collection that is crucial to decision makers when answering some of the Nation's highest-priority questions... Techniques of the kind Mr. Pho was entrusted to protect, yet removed from secure space, are force multipliers, allowing for intelligence collection in a multitude of environments around the globe and spanning a wide range of security topics. Compromise of one technique can place many opportunities for intelligence collection and national security insight at risk.

Previously: Former NSA Employee Nghia Pho Pleads Guilty to Willful Retention of National Defense Information

Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
Former NSA Contractor Harold Martin Indicted


  • (Score: 1, Funny) by Anonymous Coward on Tuesday August 16 2016, @12:57AM (#388491)

    You hacker people confuse us. Someone in your ranks shits on everybody, steals IP, steals research, and they're lauded as luminaries.

    • (Score: 2) by https (5248) on Tuesday August 16 2016, @03:01AM (#388520)

      They really should avoid talking about themselves in the third person - it looks like delusional behaviour.

      Offended and laughing about it.
    • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @03:02AM (#388521)

      Says the Twitter account of the One. Oh come on, you all know that Smith was the One.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday August 16 2016, @04:57AM (#388569)

      The problem with people is they can't hack being hacked by people.

  • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @01:43AM (#388499)

    Reminds me of stories I heard in the mid-1970s at MIT...about student lock hackers (self taught lock pickers). By and large this was recreational with minimal damage done and some very creative key making to boot. Then the story goes that the best ones picked their way into the shop of the campus locksmith, which had multiple hard locks on the door. They left a friendly note. And, according to some versions of the story they also boosted a key cutting machine.

  • (Score: 5, Interesting) by FatPhil (863) on Tuesday August 16 2016, @08:25AM (#388615)

    All the words are correct, all the grammar's messed up - and looks Slavglish to me.

    Sure, there are spelling checkers to fix words, but with the level of English demonstrated by the grammar you almost always end up with homonym (specifically heterograph) issues, which are seemingly absent, and the vocabulary wouldn't necessarily be so extensive. So I hypothesise that the grammar of the text was deliberately worsened before release in order to give it a more exotic, and sinister, character.

    However, the things that will determine how fake they are are the answers to "how much of this stuff is new?" - are they just rebundling old stuff - and "how much of this is useful?" which will require the insights of those who know about the targets of the hacks. However, bundling CVEs from 2006 doesn't sound particularly groundbreaking.
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by Kilo110 (2853) on Tuesday August 16 2016, @11:34AM (#388639)

    Is that the Mass Effect reference?

    • (Score: 2) by Yog-Yogguth (1862) on Thursday August 18 2016, @09:08PM (#389744)

      I've seen people say so but it's generic enough that it could be accidental. Just my take on that since I've never played the game and hadn't heard of that Shadow Broker (singular, although I guess there are many in the game).

      Bite harder Ouroboros, bite! linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
  • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @03:03PM (#388689)

    1 million bitcoin (around $568 billion)
    • (Score: 0) by Anonymous Coward on Tuesday August 16 2016, @04:57PM (#388727)

      Nope, 1 bitcoin = 576.99 USD
      so 1,000,000 bitcoin is 576,990,000 USD

  • (Score: 3, Interesting) by Geezer (511) on Tuesday August 16 2016, @04:37PM (#388715)

    AP is quoting Snowden's opinion that this is a little "message from Moscow".

  • (Score: 3, Funny) by gidds (589) on Wednesday August 17 2016, @09:40AM (#389057)

    The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter

    Can we start using the expression "legit as Twitter chatter"?!

    Linking in with the previous story, maybe that establishes a new standard of proof?  So there'd be:

    • beyond reasonable doubt
    • clear and convincing evidence
    • balance of probabilities
    • circumstantial evidence
    • reasonable suspicion
    • air of reality
    • a vague idea
    • extremely unlikely
    • not actually impossible
    • legit as Twitter chatter
  • (Score: 2) by Yog-Yogguth (1862) on Thursday August 18 2016, @11:09PM (#389781)

    Epic banana! EPICBANANA! (Эпический банан! ЭПИЧЕСКИЙБАНАН! EPITCHESKIJBANAN!) XD *imagine dancing banana gif here*

    Whoever it was, even if it was the NSA themselves: thank you for the code release! We need more :)

    A page I found interesting is this Cisco blog post about some of the exploits. They seem very limited in their nature and they're not persistent. EXTRABACON at least seems to be primarily for inside jobs (but I'm old and outdated and might be wrong).

    The only other page I've found interesting so far (I was planning to actually get stuff done today, now it's already tomorrow) is the already linked Medium article written by Matt Suiche, but (and no offense I guess because thanks for writing something) he veers off into Schneier nonsense (are their brains rotting because they're MS guys?). Sorry...:3 (btw there's a bug right there, in preview it's "..." + space + ":3" but it is displayed without a space, will try to remember it for (much) later if no one reads this and takes it further).

    Anyway there is still some interesting stuff there. I've recently abandoned "Schneierville" in disgust (not because of the Five Eyes trollbots but because Schneier started behaving like one, finally tipping the noise scale into unacceptable) and I'm looking for somewhere more sensible so suggestions are welcome :)

    The link to the archived "manifesto" was very informative. There's a lot of activity (or denial) still right now as I write this days later, many of the links have reached maximums and their Dropbox account entertains with an "Error (429) This account's links are generating too much traffic and have been temporarily disabled!" :D (I guess I could make Mega work, would need to do more stuff first).

    So anyway I haven't downloaded the files (at least not yet) but from what's available second-hand there's something I haven't seen pointed out yet!

    The(ir) version of EXTRABACON is old, both the version itself and the core exploit!

    Old exploit: it stretches back through many versions of Cisco software so whoever wrote it (NSA or not) has likely been doing it for a good while. Newer versions of EXTRABACON are highly likely to exist.
    Old version: it doesn't include new Cisco stuff since 2012.

    By looking at a screenshot from the Medium article we see a bunch of if-branching selecting on the Cisco ASA (Adaptive Security Appliance) version number, and we can look up the release dates for those over at Cisco.

    The last version in the screenshot (and likely the latest for this leaked version of the exploit, since the branching ends with anything else being unsupported right afterwards) is version 8.4(4), which might not actually match anything (any more) since there's no such simple/straight 8.4(4) listed over at Cisco! Release dates according to Cisco:
    - ASA 8.4(4.1)/ASDM 6.4(9) released on June 18 2012
    - ASA 8.4(4.5)/ASDM 6.4(9.103) released: August 13 2012
    After that the next one is certainly not in the exploit that was released (newer versions surely exist) and is:
    - ASA 8.4(5)/ASDM 7.0(2) released October 31 2012

    Currently Cisco is pushing:
    - ASA 9.6(1)/ASDM 7.6(1) released March 21 2016.

    The branching in the exploit is tidy and looks ordered chronologically from earliest to latest. This kind of branching is probably part of what is referred to when Suiche says the exploit Python code is "badly written" and he might well be right, however: what happens behind the code? Alternatives might not actually be simpler or better. Either way simpler is better and too many "experts" in general flaunt idiotic "clever" complexity which might often be easier to subvert. As those amazing $50SAT guys said, "you can't add simplicity", and if anyone doubts the intelligence of that then they need look no further than the mess my comments end up as :D

    The oldest ASA version shown in the screenshot is:
    - ASA 8.0(2)/ASDM 6.0(2) released June 18 2007
    but that's on line 109 so there's probably stuff before that.

    The oldest ASA on the linked Cisco page is:
    - ASA 7.0(1)/ASDM 5.0(1) released May 31 2005

    Didn't find any ASA 1.0 but I'm guessing that it would be from the nineties.

    The file dates (which are editable) say 6/11/2013 which is either about 5 months or about 5 days (D-Day btw) after Snowden got media coverage on PRISM in 2013. There might be some significance to it (and it might not have anything to do with Snowden) or maybe it's just random.

    Either way this shit is old cruft! So they give away an "example exploit" which is not the latest or greatest but "ancient". Fair guess that the auction stuff is also ancient right? Sorry about "complaining" (I'm not really complaining) but it sticks out like a sore thumb to me :3 Still better than nothing and it was still a valid exploit that has been exposed.

    Either A. Why wouldn't they give away the newest version unless they don't have it? Your guess is as good as mine.
    Or B. Why would they wait 3 years before sharing it? Okay that might make superficial sense as a measure against the super-serious whole network analysis the NSA ought to be routinely capable of according to the Snowden files but there are cumbersome (but not that cumbersome, not "3 years" cumbersome) ways around that so it's not too convincing.

    I'm not sure what to make of the fact that the Python command has help displays which is funny/odd and might indicate quite a few things (like internal "style" requirements for all written code: very bureaucratic, very USGOV) considering the easiest way to actually use some of these exploits is from the inside or with very temporary physical access (after the boxes are in normal use, not in transit) or that some of it (Cisco) requires the use of the management interface (physically marked MGNT if I remember correctly, maybe Cisco doesn't do that any more) or an equivalent if allowed (which probably is much less rare than it ought to be).

    P.s. If write this like Russian me? Way no too stupid and qualified automagically intelligence job for :) Pot smoke not do either and Hillary dead wish so job no lol

    P.p.s. A million bitcoin? I laughed so hard on Monday XD (but it was wrongly reported; they're not actually straight up asking for that; instead it's a "bonus level" :) ).

    Epic banana! EPICBANANA! (Эпический банан! ЭПИЧЕСКИЙБАНАН! EPITCHESKIJBANAN!) XD *imagine dancing banana gif here* (yeah, AGAIN) :)
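To turn the version-window reasoning in the comment above, and the PIX/ASA version guidance in the Cisco story earlier on this page, into something you can run against a device inventory, here is an added example. It is not code from the leak, from Cisco, or from the commenter: it parses Cisco ASA/PIX version strings of the form major.minor(maintenance[.interim]) into comparable tuples, checks whether a device's version falls in the 8.0(2) to 8.4(4) window the comment reads off the screenshot of the leaked EXTRABACON script, whether it predates the 8.4(3) fix Cisco cites for EpicBanana, and whether a PIX is on 6.x or earlier (the BenignCertain cutoff Cisco gave). Two things are my assumptions, not facts from the page: the window is treated as inclusive with the interim digit ignored when matching it, since the script keys on plain "8.4(4)", and the inventory in SAMPLE_INVENTORY is constructed.

```python
import re

# major.minor(maintenance[.interim]) as Cisco prints it, e.g. 8.4(4.1) or 9.6(1).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_version(s):
    """'8.4(4.1)' -> (8, 4, 4, 1); '8.4(4)' -> (8, 4, 4, 0). Tuples compare correctly."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ASA/PIX version string: {s!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


# Oldest and newest ASA versions visible in the screenshot discussed in the comment.
# ASSUMPTION: inclusive window, interim digit ignored (the script keys on "8.4(4)").
BRANCH_WINDOW = (parse_version("8.0(2)"), parse_version("8.4(4)"))

# Cisco's statements quoted in the story above.
EPICBANANA_FIXED_IN = parse_version("8.4(3)")   # ASA fix cited by Cisco
PIX_SAFE_FROM = (7, 0, 0, 0)                     # PIX 7.0 and later not affected by BenignCertain


def in_branch_window(ver):
    v = parse_version(ver)[:3]
    lo, hi = BRANCH_WINDOW[0][:3], BRANCH_WINDOW[1][:3]
    return lo <= v <= hi


def epicbanana_fixed(ver):
    return parse_version(ver) >= EPICBANANA_FIXED_IN


def pix_benigncertain_affected(ver):
    return parse_version(ver) < PIX_SAFE_FROM


def triage(inventory):
    """inventory: iterable of (hostname, platform, version). Returns (host, platform, version, notes)."""
    findings = []
    for host, platform, ver in inventory:
        notes = []
        if platform == "ASA":
            if in_branch_window(ver):
                notes.append("inside the version window the leaked EXTRABACON script branches on")
            if not epicbanana_fixed(ver):
                notes.append("predates the 8.4(3) EpicBanana fix Cisco cites")
        elif platform == "PIX":
            if pix_benigncertain_affected(ver):
                notes.append("PIX 6.x or earlier: BenignCertain-affected per Cisco, upgrade to 7.0+")
        else:
            notes.append(f"unknown platform {platform!r}, not assessed")
        findings.append((host, platform, ver, notes))
    return findings


# Constructed inventory for illustration; not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "ASA", "8.2(5)"),
    ("fw-edge-2", "ASA", "8.4(4.1)"),
    ("fw-dc-1", "ASA", "9.6(1)"),
    ("legacy-pix", "PIX", "6.3(5)"),
]

if __name__ == "__main__":
    for host, platform, ver, notes in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {platform:4} {ver:9} {'; '.join(notes) or 'no findings'}")
```

Being outside the visible window only means the leaked copy of the script has no branch for that version; as the comment says, newer builds of the exploit very likely exist, so the patch status (the second and third checks) is the one that actually matters for defenders.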