posted by n1 on Monday August 15 2016, @11:55PM   Printer-friendly
from the all-the-hats dept.

A group claims to have hacked the NSA and obtained advanced malware and hacking tools (such as Stuxnet):

A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."

The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.

Also at Computerworld:

The whole episode screams elaborate SCAM, but maybe it is legit, as Twitter chatter by some security experts seems to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.

Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."

  • (Score: 2) by Yog-Yogguth (1862) on Thursday August 18 2016, @11:09PM (#389781)

    Epic banana! EPICBANANA! EPITCHESKIJBANAN! XD *imagine dancing banana gif here*

    Whoever it was, even if it was the NSA themselves: thank you for the code release! We need more :)

    A page I found interesting is this Cisco blog post about some of the exploits. They seem very limited in their nature and they're not persistent. EXTRABACON at least seems to be primarily for inside jobs (but I'm old and outdated and might be wrong).

    The only other page I've found interesting so far (I was planning to actually get stuff done today, now it's already tomorrow) is the already linked Medium article written by Matt Suiche, but (and no offense I guess because thanks for writing something) he veers off into Schneier nonsense (are their brains rotting because they're MS guys?). Sorry...:3 (btw there's a bug right there, in preview it's "..." + space + ":3" but it is displayed without a space, will try to remember it for (much) later if no one reads this and takes it further).

    Anyway there is still some interesting stuff there. I've recently abandoned "Schneierville" in disgust (not because of the Five Eyes trollbots but because Schneier started behaving like one, finally tipping the noise scale into unacceptable) and I'm looking for somewhere more sensible so suggestions are welcome :)

    The link to the archived "manifesto" was very informative. There's a lot of activity (or denial) still right now as I write this days later, many of the links have reached maximums and their Dropbox account entertains with an "Error (429) This account's links are generating too much traffic and have been temporarily disabled!" :D (I guess I could make Mega work, would need to do more stuff first).

    So anyway I haven't downloaded the files (at least not yet) but from what's available second-hand there's something I haven't seen pointed out yet!

    The(ir) version of EXTRABACON is old, both the version itself and the core exploit!

    Old exploit: it stretches back through many versions of Cisco software so whoever wrote it (NSA or not) has likely been doing it for a good while. Newer versions of EXTRABACON are highly likely to exist.
    Old version: it doesn't include new Cisco stuff since 2012.

    By looking at a screenshot from the Medium article we see a bunch of if-branching selecting depending on Cisco ASA (Adaptive Security Appliance) version number and we can look up the release dates for those over at Cisco.

    The last version in the screenshot (and likely the latest for this leaked version of the exploit since the branching ends with anything else being unsupported right afterwards) is version 8.4(4) which might not actually match anything (any more) since there's no such simple/straight 8.4(4) listed over at Cisco! Release dates according to the Cisco page:
    - ASA 8.4(4.1)/ASDM 6.4(9) released on June 18 2012
    - ASA 8.4(4.5)/ASDM 6.4(9.103) released: August 13 2012
    After that the next one is certainly not in the exploit that was released (newer versions surely exist) and is:
    - ASA 8.4(5)/ASDM 7.0(2) released October 31 2012

    Currently Cisco is pushing:
    - ASA 9.6(1)/ASDM 7.6(1) released March 21 2016.

    The branching in the exploit is tidy and looks ordered chronologically from earliest to latest. This kind of branching is probably part of what is being referred to when Suiche says the exploit Python code is "badly written", and he might well be right; however: what happens behind the code? Alternatives might not actually be simpler or better. Either way simpler is better and too many "experts" in general flaunt idiotic "clever" complexity which might often be easier to subvert. As those amazing $50SAT guys said it, "you can't add simplicity", and if anyone doubts the intelligence of that then they need look no further than the mess my comments end up as :D

    The oldest ASA version shown in the screenshot is:
    - ASA 8.0(2)/ASDM 6.0(2) released June 18 2007
    but that's on line 109 so there's probably stuff before that.

    The oldest ASA on the linked Cisco page is:
    - ASA 7.0(1)/ASDM 5.0(1) released May 31 2005

    Didn't find any ASA 1.0 but I'm guessing that it would be from the nineties.

    The file dates (which are editable) say 6/11/2013 which is either about 5 months or about 5 days (D-Day btw) after Snowden got media coverage on PRISM in 2013. There might be some significance to it (and it might not have anything to do with Snowden) or maybe it's just random.

    Either way this shit is old cruft! So they give away an "example exploit" which is not the latest or greatest but "ancient". Fair guess that the auction stuff is also ancient right? Sorry about "complaining" (I'm not really complaining) but it sticks out like a sore thumb to me :3 Still better than nothing and it was still a valid exploit that has been exposed.

    Either A. Why wouldn't they give away the newest version unless they don't have it? Your guess is as good as mine.
    Or B. Why would they wait 3 years before sharing it? Okay that might make superficial sense as a measure against the super-serious whole network analysis the NSA ought to be routinely capable of according to the Snowden files but there are cumbersome (but not that cumbersome, not "3 years" cumbersome) ways around that so it's not too convincing.

    I'm not sure what to make of the fact that the Python command has help displays which is funny/odd and might indicate quite a few things (like internal "style" requirements for all written code: very bureaucratic, very USGOV) considering the easiest way to actually use some of these exploits is from the inside or with very temporary physical access (after the boxes are in normal use, not in transit) or that some of it (Cisco) requires the use of the management interface (physically marked MGNT if I remember correctly, maybe Cisco doesn't do that any more) or an equivalent if allowed (which probably is much less rare than it ought to be).

    P.s. If write this like Russian me? Way no too stupid and qualified automagically intelligence job for :) Pot smoke not do either and Hillary dead wish so job no lol

    P.p.s. A million bitcoin? I laughed so hard on Monday XD (but it was wrongly reported; they're not actually straight up asking for that; instead it's a "bonus level" :) ).

    Epic banana! EPICBANANA! EPITCHESKIJBANAN! XD *imagine dancing banana gif here* (yeah, AGAIN) :)

    Bite harder Ouroboros, bite! linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
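The comment above works out which Cisco ASA releases the leaked EXTRABACON branching covers by hand, reading version strings like 8.4(4.1) off a screenshot and ordering them by release date. As an added defender-side example (not code from the post, from the leak, or from Cisco), the following parses ASA version strings into comparable tuples so an inventory can be sorted chronologically and each device classified against the 8.0(2) to 8.4(4) range the commenter reads from the screenshot; the bounds and the sample inventory are taken from or constructed around that comment, not from any product documentation.

```python
import re
from typing import List, NamedTuple, Tuple, Dict

class AsaVersion(NamedTuple):
    """Cisco ASA version: major.minor(maintenance[.interim]), e.g. 8.4(4.1)."""
    major: int
    minor: int
    maint: int
    interim: int = 0  # 8.4(4) parses as interim 0, so 8.4(4) < 8.4(4.1) < 8.4(4.5)

    @classmethod
    def parse(cls, text: str) -> "AsaVersion":
        m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)\s*", text)
        if not m:
            raise ValueError(f"not a Cisco ASA version string: {text!r}")
        major, minor, maint, interim = m.groups()
        return cls(int(major), int(minor), int(maint), int(interim or 0))

    def train(self) -> Tuple[int, int, int]:
        """Maintenance-release level, ignoring interim rebuilds."""
        return (self.major, self.minor, self.maint)

# Range the commenter reads from the screenshot: first branch 8.0(2) (with
# possibly earlier ones above line 109), last branch 8.4(4). Interim rebuilds
# such as 8.4(4.1) and 8.4(4.5) are treated as the same 8.4(4) train.
OLDEST_SHOWN = AsaVersion.parse("8.0(2)")
NEWEST_SHOWN = AsaVersion.parse("8.4(4)")

def classify(version: str) -> str:
    """Place one device's version relative to the branches visible in the leak.
    'newer than last branch shown' only means the leaked copy lacks a branch for
    it; the commenter expects newer versions of the exploit to exist."""
    v = AsaVersion.parse(version)
    if v.train() < OLDEST_SHOWN.train():
        return "older than oldest branch shown"
    if v.train() <= NEWEST_SHOWN.train():
        return "within branching range shown"
    return "newer than last branch shown"

def sort_versions(versions: List[str]) -> List[str]:
    """Tuple order mirrors the chronological order of the release-date table."""
    return sorted(versions, key=AsaVersion.parse)

def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> classification for a (hostname, version) inventory."""
    return {host: classify(ver) for host, ver in inventory}

# Constructed sample inventory, hostnames hypothetical.
SAMPLE_INVENTORY = [("fw-branch-1", "8.4(4.5)"), ("fw-dc-core", "9.6(1)"),
                    ("fw-legacy", "7.0(1)"), ("fw-lab", "8.4(5)")]
```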