
Fallout from Equation Group cyberweapons leak continues to mount

Mystery continues to surround the Shadow Brokers' release of Equation Group vulnerability exploits and hacking tools, as vendors scramble to patch zero days.

The story behind the Shadow Brokers leak of hacking tools and exploits continues to unfold, as more details -- and theories -- emerge, while affected vendors Cisco and Fortinet respond to the zero-day vulnerabilities exposed by the group.

Experts and insiders are still untangling the threads -- and threats -- involved with the leak to understand who is behind the Shadow Brokers group, as well as the source of the leaked files. Evidence suggests the leaked material came from the advanced persistent threat group known as the Equation Group, which itself has been associated with the National Security Agency (NSA) -- and the leaked files include usable exploits of zero-day vulnerabilities.

Former operatives from the NSA's Tailored Access Operations group told The Washington Post that the tools released in the leak appeared to be hacking tools developed by the agency. And a previously unpublished NSA manual for using the tools, leaked by whistleblower Edward Snowden, was reported by The Verge to confirm the NSA was the source of the newly leaked files.

Paul Vixie, CEO of Farsight Security Inc., based in San Mateo, Calif., said on PBS NewsHour, "Anywhere between one-tenth and one-half of the customer bases for the largest firewall vendors should really be worried right now."

Kaspersky Lab's global research and analysis team wrote, "While we cannot surmise the attacker's identity or motivation, nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group."

Cisco and Fortinet respond to Shadow Brokers leak

Cisco and Fortinet are the first to respond among the vendors of products affected by the Shadow Brokers' leak. "The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP [Simple Network Management Protocol] code of the Cisco ASA, Cisco PIX and Cisco Firewall Services Module," wrote Omar Santos, principal engineer at Cisco's Product Security Incident Response Team, in a blog post. "An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected Cisco product."

Santos noted that the exploit even comes with its own help menu. The EPICBANANA exploit, which was fixed in Cisco ASA version 8.4(3), released early in 2012, would let authenticated attackers run a denial-of-service attack or, potentially, remotely execute arbitrary code. "An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device. The attacker must know the telnet or SSH password in order to successfully exploit an affected device."
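Because EXTRABACON is triggered by SNMP packets reaching the firewall, the practical defender question is which hosts are allowed to poll the device and with what credentials. The script below is an added example, not code from Cisco or from the original article: it audits the `snmp-server host` lines of an ASA running-config and flags hosts outside a trusted management subnet, weak community strings, and polling that is not pinned to SNMPv3. The config snippet, the trusted subnet and the exact line syntax (`snmp-server host <interface> <address> [poll|trap] [community <string>] [version 1|2c|3 <user>]`) are assumptions; adapt the regular expression to the configs you actually see.

```python
"""Audit SNMP management exposure in a Cisco ASA running-config.

Added example, not Cisco's code. The config below is constructed and the
`snmp-server host` line syntax is an assumption; adapt HOST_RE as needed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, written the way `show running-config` output looks.
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
snmp-server host inside 10.20.0.15 poll community NetMon-Read version 2c
snmp-server host outside 203.0.113.44 poll community public version 2c
snmp-server host inside 10.20.0.16 poll version 3 nms-user
snmp-server host dmz 198.51.100.7 trap community public
"""

# Assumption: SNMP polling is only expected from this management subnet.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WEAK_COMMUNITIES = {"public", "private"}

# Assumed line shape; every optional clause is introduced by its keyword.
HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<addr>\S+)"
    r"(?: (?P<mode>poll|trap))?"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>1|2c|3)(?: (?P<user>\S+))?)?$"
)


@dataclass
class SnmpHost:
    iface: str
    addr: str
    mode: str                   # "poll", "trap", or "unspecified"
    community: Optional[str]
    version: str                # "1", "2c", "3", or "unspecified"
    findings: List[str] = field(default_factory=list)

    def can_poll(self) -> bool:
        # A trap-only host receives notifications; it cannot query the agent.
        return self.mode != "trap"


def parse_snmp_hosts(config_text: str) -> List[SnmpHost]:
    """Extract every snmp-server host entry from the config text."""
    hosts = []
    for line in config_text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        hosts.append(SnmpHost(
            iface=m["iface"],
            addr=m["addr"],
            mode=m["mode"] or "unspecified",
            community=m["community"],
            version=m["version"] or "unspecified",
        ))
    return hosts


def audit_snmp_exposure(config_text: str, trusted_nets=TRUSTED_MGMT_NETS) -> List[SnmpHost]:
    """Attach findings to each SNMP host entry and return the annotated list."""
    hosts = parse_snmp_hosts(config_text)
    for h in hosts:
        addr = ipaddress.ip_address(h.addr)
        if h.can_poll() and not any(addr in net for net in trusted_nets):
            h.findings.append("untrusted-poller")   # SNMP reachable from a non-management host
        if h.community and h.community.lower() in WEAK_COMMUNITIES:
            h.findings.append("weak-community")     # guessable community string
        if h.can_poll() and h.version != "3":
            h.findings.append("no-v3")              # polling without SNMPv3 authentication
    return hosts


if __name__ == "__main__":
    for h in audit_snmp_exposure(SAMPLE_CONFIG):
        status = ", ".join(h.findings) or "ok"
        print(f"{h.iface:8} {h.addr:16} {h.mode:12} v{h.version:12} {status}")
```

Run against a saved running-config, the script gives a quick list of which management stations can send SNMP queries to the firewall at all; the Cisco post above describes the exploit as crafted SNMP packets, so shrinking that list to a small, trusted set is the control to verify first while patches are being scheduled.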

Fortinet issued an advisory for a cookie parser buffer overflow vulnerability as a result of the leak. "FortiGate firmware (FOS) released before Aug. 2012 has a cookie parser buffer overflow vulnerability," the advisory read. "This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over." According to the advisory, FortiGate FOS 5.x firmware releases are not affected by the vulnerability, which gives an attacker remote administrative access to systems that are affected.

Who are the Shadow Brokers?

The identity, as well as motivation, of the Shadow Brokers is still being debated. NSA-leaker Edward Snowden suggested Russia was behind the leak.

Attribution of attacks is notoriously difficult. And while the Russian hypothesis has received significant attention, without proof, other theories have emerged.

Matt Suiche, founder and managing director of cybersecurity firm MoonSols Ltd., reported that he was contacted by a former NSA analyst, who suggested the data could have been leaked purposely by a disgruntled insider, or uncovered as a result of a procedural error that exposed the files. Motherboard also reported being contacted by an anonymous insider who claimed that Shadow Brokers is a rogue insider at NSA.

Muddying the waters further, Seattle-based cybersecurity firm Taia Global Inc. reported results of a preliminary linguistic analysis of the Shadow Brokers messages initially posted on Tumblr. Evidence "that the author is a native speaker trying to appear non-native" included a complete lack of spelling errors, inconsistent -- sometimes mutually inconsistent -- errors in grammar, and grammatical errors in idioms.

"There are a number of idioms that would be surprising for a low-skilled, non-native speaker to use, and some of them are used with grammatical errors that a skilled English speaker would be unlikely to make," Taia Global wrote. "The most reasonable explanation, then, is that the errors were inserted by a native speaker after writing the idioms."

In other news:

  • Microsoft announced it would move to a monthly rollup patch model for Windows 7 and 8.1 instead of releasing individual patches for those versions of Windows. Microsoft explained the individual patches resulted in fragmentation, "where different PCs could have a different set of updates installed, leading to multiple potential problems," including synchronization and dependency errors, increased testing complexity for enterprises, increased scan times, and issues related to finding and applying patches. "By moving to a rollup model, we bring a more consistent and simplified servicing experience to Windows 7 SP1 and 8.1, so that all supported versions of Windows follow a similar update servicing model," wrote Nathan Mercer, senior product marketing manager at Microsoft. "The new rollup model gives you fewer updates to manage, greater predictability and higher-quality updates."
  • An exploit of a serious Transmission Control Protocol (TCP) flaw has left 1.4 billion Android devices vulnerable to hijacking attacks, according to Andrew Blaich, security researcher at San Francisco-based cybersecurity firm Lookout. "The vulnerability lets attackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims," Blaich wrote. "The issue should be concerning to Android users, as attackers are able to execute this spying without traditional man-in-the-middle attacks through which they must compromise the network in order to intercept the traffic." The TCP vulnerability was presented earlier this month at the 25th USENIX Security Symposium by a team of researchers led by Yue Cao, graduate student at the University of California, Riverside.
  • Malicious actors are increasingly embracing ransomware-as-a-service (RaaS) malware. Check Point Software Technologies reported on a new version of Cerber ransomware being offered by an RaaS ring that generates an estimated $2.5 million annually. "Perhaps the most intriguing aspect of the Cerber RaaS is its money flow," wrote the Check Point Threat Intelligence Research Team. "Upon paying the ransom (usually 1 Bitcoin, which is currently worth approximately $590), the victim receives the decryption key. The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage."
  • Meanwhile, Symantec uncovered another RaaS ring, which they dubbed Shark, whose authors are "freely distributing the ransomware builder to aspiring attackers, but requiring a 20% cut of any ransom payments it generates," according to the report. "Shark is distributed through a professional-looking website that features information about the ransomware and instructions on how to download and configure it. Its authors boast that it is fully customizable, uses a fast encryption algorithm, supports multiple languages and is 'undetectable' by antivirus software."
  • Secretary of Homeland Security Jeh Johnson offered assistance from the Department of Homeland Security to help state voting officials manage risks to voting systems. Johnson announced DHS would convene a Voting Infrastructure Cybersecurity Action Plan Campaign, with participation from government and private sector experts "to raise awareness of cybersecurity risks potentially affecting voting infrastructure and promote the security and resilience of the electoral process." According to the official report of the conference call, while DHS "is not aware of any specific or credible cybersecurity threats relating to the upcoming general election systems," Johnson reiterated that help in protecting against cyberattacks would be available to state officials from the DHS, as well as the Election Assistance Commission (EAC), National Institute of Standards and Technology (NIST) and the Department of Justice. Johnson also suggested state officials should focus on securing the election infrastructure with existing recommendations from NIST and the EAC, as well as disconnecting electronic voting machines from the internet while voting is taking place.
