Cisco is releasing patches for an exploit disclosed by an entity calling itself the Shadow Brokers:
Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.
ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.
[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.
There is speculation that the hacks are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English.
Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Related Stories
The fifth NSA whistleblower, or the second Snowden if you prefer, has disappeared without trace as far as my limited Google-fu can tell. The raid reported in the link was conducted by the FBI in late October, but there has been no reporting since of what they found or any subsequent arrests. Is anyone in Soylent-world more aware of what's going on in this case?
A group is claiming that they hacked the NSA and obtained advanced malware and hacking tools (such as Stuxnet):
A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.
"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."
The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.
Also at Computerworld:
The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter by some security experts seem to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.
Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."
Excerpt:
"It's certainly possible that an NSA [National Security Agency] hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.
However, it's far more likely that this information was stolen by an insider. There's something fishy about the official story here. It's far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: "No one puts their exploits on a [command-and-control] server...That's not a thing." In other words, there was no "hack" here at all.
It's much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn't surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."
The Shadow Brokers are back, and they have a treat for you:
"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.
[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, AND STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
NSA-created cyber tool spawns global ransomware attacks
From Politico via Edward Snowden via Vinay Gupta:
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million of ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.
Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.
Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.
Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.
It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.
(Score: 4, Interesting) by frojack on Friday August 26 2016, @07:40PM
I suspect CISCO knew about this issue all along, and failed to fix it out of some backroom deal with the NSA.
Now that its an open secret business reasons force them to (pretend to) fix it.
CISCO frequently alerted the NSA to shipments of equipment to certain governments which magically got intercepted and reprogrammed before delivery. They pretended they knew nothing about those as well, until it was pointed out that they knew all along.
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by bob_super on Friday August 26 2016, @08:09PM
> CISCO frequently alerted the NSA to shipments of equipment to certain governments
Note that Cisco doesn't have to actively do that. I'm pretty sure the US Customs is already tasked with reporting and inspecting international shipments to various "interesting" actors.
While Cisco may or may not have known about the vulnerabilities (it's hard to keep disgruntled people from talking when you fire them a lot), the whole shipping-intercept is more likely to have been done behind their backs to limit the risk of leaks.
(Score: 2) by Hyperturtle on Friday August 26 2016, @08:24PM
I couldn't agree with you more.
(Score: 0) by Anonymous Coward on Friday August 26 2016, @09:01PM
That sounds like a really backhanded way of saying you disagree with him.
As in "Its impossible for me to agree any more than 0%."
Frojo is prone to making up conspiracies that don't pass the laugh test. This one doesn't pass either because newer versions of the cisco boxes are (a) not vulnerable but (b) do do crash when poked in the same way. If they were collobrating with the NSA, then why "fix" it but still leave it broken enough to crash the system? Either leave it open or fix it completely and put a new vulnerability in place.
(Score: 3, Interesting) by Hyperturtle on Friday August 26 2016, @10:43PM
I think that Cisco probably was aware of the problem, seeing as how it goes back to products that... well. They bought the PIX platform from another company way back when. The problem in question seems to have turned up shortly after they started releasing their own Cisco stamped code for it.
Frojack and I may disagree on things, but I have to agree that this is too large of a bug to have gone unnoticed.
The fact it merely crashes newer platforms could suggest that they left it in place without doing testing against it when implementing new hardware or software functionality, since they probably haven't had the same QA team testing the NSA tools for the past 15+ years for various reasons. The rank and file would not even know to seek this out since it would be a secret--and the exploit is sort of specific in that a permitted SNMP server has to act as the host to launch the problem in question.
Some future interim version and then production release would have likely fixed the problems you referenced, based on whatever feedback, or perhaps contributed code that got compiled in with little question, but we'll never know for sure.
I just know that it is a good idea to patch the hole now that a fix is available, since anyone can find and download the tools. The attack vector is narrow, but there are plenty of misconfigured firewalls and unsecured administrative workstations to be found.
(Score: 0) by Anonymous Coward on Friday August 26 2016, @11:25PM
I find it hard to reconcile these two statements:
> this is too large of a bug to have gone unnoticed.
> the rank and file would not even know to seek this out since it would be a secret
Also this is a statement that reveals ignorance:
> the exploit is sort of specific in that a permitted SNMP server has to act as the host to launch the problem in question.
There is nothing "specific" to the fact that a whitelisted snmp client must launch the exploit. If they weren't white-listed they couldn't talk to the snmp server at all.
(Score: 2) by Hyperturtle on Saturday August 27 2016, @12:12AM
Ok, well I guess you disagree. I was referring to the snmp-server command necessary required to include the IP address used as a source host. Perhaps you believed I meant something different. I'm going off what's been posted, and how one would actually go about permitting the connection on the firewall itself. I am not sure how a whitelisted connection is not specific, whether its a client or a server. The command is snmp-server, so ok i guess the server is a client to the ASA's data. However you want to phrase it, it doesn't matter. Maybe it says client in the gui or something? I don't know what you're referencing that gave me the power to upset you like that.
As to the bug being too large to go unnoticed, that's my stating it seems to be too big of a bug to not get notices was to lend credence to the conspiracy theory concept. Seems like its sort of a big deal to not have been noticed. Are you suggesting maybe it was too small of a bug to be noticed? Perhaps I misunderstood it to mean that it was a big obvious bug no one knew about at Cisco and yet QA missed it and all of these versions over time somehow never got fixed, either.
Perhaps, QA missed it for whatever reasons that one can generate. Maybe their scripts didn't include a check for this since the snmp server commands seemed to be doing what they claimed to do. Seems that code review at Juniper has had its lapses as well with their VPN issues. I'm not really even sure what you are trying to disagree with. Even if NSA wasn't to blame, they seem to have had enough time to put together some effective tools to exploit over a decade of releases of the same exploit.
If its a bug then that is bad. If it is complicit behaviors that introduced this feature, then that is bad. If they introduced it on purpose with an eye on helping gain valuable marketing material to provide personalized advertising, that's really bad. There's nothing good except they have finally patched it, but I don't actually have the tools in question to validate that. I am going to trust Cisco this time that it's fixed until I hear otherwise.
You seem pretty harsh and have moved on to dismissing me for my ignorance; you're welcome to continue educating me but I don't find this style of lecture as the best means of changing my mind.
In the spirit of cooperation, however, my response has hopefully provided some reconciliation of things for you. I am not sure what you are angry about, but if I am wrong, ok I guess. I still recommend considering to patch firewalls affected by this, and still recommend everyone makes the effort to do so if they have it within their capability and it won't harm their environments. If you're angry at Frojack, ok. If you're angry at me, ok. At least you posted your thoughts.
(Score: 5, Informative) by JNCF on Friday August 26 2016, @07:43PM
There is speculation that the hacks are actually leaks from a "second (third?) Snowden".
This is what the first Snowden had to tweet about the Shadow Brokers (emphasis his):
The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know: (1/x)
1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.
2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
3) This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.
4) Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed.
5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.
6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant:
9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
11) Particularly if any of those operations targeted elections.
12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
(Score: 2) by Techwolf on Friday August 26 2016, @09:15PM
is use google translate and traslate the english to russion/japan/etc and thranslate that back and get badly broken english. :-)
(Score: 2) by deimtee on Friday August 26 2016, @09:32PM
At which point Google can report to the NSA exactly who was translating that text before it was public.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 0) by Anonymous Coward on Friday August 26 2016, @11:28PM
Eh, do it through tor or a botnet and you're golden.
(Score: 0) by Anonymous Coward on Friday August 26 2016, @09:43PM
!!! Attention government sponsors of cyber warfare and those who profit from it !!!!
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
(Score: 2) by Gravis on Friday August 26 2016, @11:17PM
this is how things should have happened from the very beginning!
(Score: 2) by takyon on Saturday August 27 2016, @07:25AM
You're 100% right about that.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Geotti on Saturday August 27 2016, @03:31PM
"A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English."
Yeah, no shit, Sherlock! Like anyone, who knows computers good enough to be able to exploit them (and their users) doesn't speak (or at least, write) English.