Details continue to emerge in the wake of the Shadow Brokers' dump of more than 300 Mb of cyberweapons, hacking tools and exploits that have been attributed to the National Security Agency, or NSA. As more affected vendors respond to the leak, more speculation emerges about the identity and motives of the Shadow Brokers, and other actors are reportedly starting to use the toolkit for new attacks. And for those seeking clues in the Shadow Brokers' bitcoin payment address set up for the auction of further tools: No, the FBI is not paying out of its cache of bitcoin seized from the Silk Road black market -- but there was a surprise in the blockchain.
Vendor responses vary
While Cisco and Fortinet responded shortly after the news of the leak, other network vendors have been slower.
Chinese networking and telecommunications firm Huawei Technologies Co. Ltd. took more than a week to respond publicly to the leak, issuing a security notice that stated it was aware of the Shadow Brokers' leak on the day the news broke -- Aug. 15 -- at which point the Huawei Product Security Incident Response Team (PSIRT) immediately started an investigation. "Initial analysis shows that toolkit provides no information about Huawei product vulnerabilities and exploits," the notice read.
Although the Huawei PSIRT found mention of "version information about Huawei Eudemon300/500/1000 and some description about how to modify firewall configuration, memory and firmware after login using an admin account and password," it stated: "Up to now, Huawei has not received any report about tool/script implantation in Huawei firewall products."
Juniper Networks Inc. acknowledged its products were targeted by the cyberweapon dump, and the Sunnyvale, Calif., network equipment vendor "is investigating the recent release of files reported to have been taken from the so-called Equation Group," according to its advisory written by Derrick Scholl, director of Juniper's Security Incident Response Team. "As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices."
Meanwhile, F5 Networks Inc. researchers have not found any evidence its products are affected by the leaked exploits, according to Maxim Zavodchik, security research group manager for the Seattle-based vendor. Although the leaked BANANAGLEE implant for Cisco and Juniper devices includes a file mentioning vendors associated with Media Access Control addresses, including F5 Networks, Zavodchik wrote, "It is not used in a way that relates to F5 products." F5 said it will continue to monitor any leaks by the Shadow Brokers to assess potential risks for its customers.
Speculation: Threat actor identity, motives?
Although early speculation on the identity of the Shadow Brokers initially asserted that Russian-backed hackers were behind the leak, investigative journalist James Bamford suggested the leaker was an insider at the NSA. "It seems more likely that an employee stole them," he wrote. "If Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook."
The Shadow Brokers' initial message indicated the group would run an auction for a further set of tools similar to those in the initial dump; if bitcoin bids totaled 1 million bitcoins -- approximately $581 million at the time -- or more, the Shadow Brokers claimed it would release the additional tools publicly. Even so, according to Risk Based Security, based in Richmond, Va., had the Shadow Brokers sold the exploits, the total street value of the cache could have been substantial. "It's reasonable to think that the defensive market street value of these exploits is somewhere between $200,000 and a cool million. That said, given the capabilities of the targets, in the hands of the right buyer, these exploits could be worth a lot more."
And, to further muddy the waters, a hacker known as @1x0123 on Twitter claimed to have the rest of the NSA/Equation Group dump and offered it for sale at a bargain price on Twitter, tweeting: "We are selling NSA/Equation Group Dump For 8000$ [sic]."
For everyone not currently being targeted specifically by the NSA, it's time to worry: Researchers have been observing attacks using the dumped tools.
Brendan Dolan-Gavitt, assistant professor at New York University's Tandon School of Engineering, set up a honeypot that appeared to be a vulnerable device shortly after news of the leak broke, and within 24 hours, he got his first hit.
People watching the bitcoin payment address set up by the Shadow Brokers for its auction of the rest of the Equation Group files reported what appeared to be monkey business: a payment sent to the Shadow Brokers auction address from an address linked to bitcoin seized by the FBI from the Silk Road black marketplace. However, as explained by MalwareTech, a U.K. researcher, the blockchain entry merely shows someone sent 0.001 bitcoin to both the Shadow Brokers' address and to the "Silkroad Seized Coins" address -- making it look, at a glance, as if the payment was sent from one to the other.
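The misreading MalwareTech describes comes from looking only at which addresses appear in a transaction rather than at which side of it they sit on. The following is an added example, not part of the original article or of any tool it mentions: a small model of a Bitcoin-style transaction (inputs are the outputs being spent, so they identify the payer; outputs are the recipients) with a naive "both addresses appear" check beside the correct input-versus-output check. The addresses, transaction id and amounts are constructed placeholders; the sample transaction only mirrors the shape reported in the text, in which a third party sends 0.001 bitcoin to each of two unrelated addresses.

```python
"""Added example: why two addresses sharing one transaction is not a payment
between them. Addresses, txid and amounts are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Set

SATOSHI_PER_BTC = 100_000_000


@dataclass
class TxInput:
    address: str  # address whose earlier output is being spent, i.e. the payer


@dataclass
class TxOutput:
    address: str  # recipient address
    satoshis: int


@dataclass
class Transaction:
    txid: str
    inputs: List[TxInput]
    outputs: List[TxOutput]


def payers(tx: Transaction) -> Set[str]:
    """Only the input side identifies who spent funds in this transaction."""
    return {i.address for i in tx.inputs}


def payees(tx: Transaction) -> Dict[str, int]:
    """Output side: who received funds, summed per address in satoshis."""
    totals: Dict[str, int] = {}
    for o in tx.outputs:
        totals[o.address] = totals.get(o.address, 0) + o.satoshis
    return totals


def received_btc(tx: Transaction, address: str) -> float:
    """Amount an address received in this transaction, in BTC."""
    return payees(tx).get(address, 0) / SATOSHI_PER_BTC


def naive_shared_transaction(tx: Transaction, a: str, b: str) -> bool:
    """The at-a-glance check: both addresses show up somewhere in the tx.
    This is what makes a shared-output tx look like a payment between a and b."""
    seen = payers(tx) | set(payees(tx))
    return a in seen and b in seen


def relationship(tx: Transaction, a: str, b: str) -> str:
    """Correct check: a payment from a to b needs a on the input side and
    b on the output side. Two addresses that are both outputs are merely
    co-recipients of whoever funded the inputs."""
    ins, outs = payers(tx), payees(tx)
    if a in ins and b in outs:
        return "a_paid_b"
    if b in ins and a in outs:
        return "b_paid_a"
    if a in outs and b in outs:
        return "co_recipients"
    return "unrelated"


# Constructed sample transaction: an unknown third party pays 0.001 BTC
# (100,000 satoshis) to each of two addresses that have nothing to do
# with each other. All identifiers below are placeholders.
AUCTION_ADDR = "AUCTION_ADDR_PLACEHOLDER"
SEIZED_COINS_ADDR = "SEIZED_COINS_ADDR_PLACEHOLDER"
THIRD_PARTY_ADDR = "THIRD_PARTY_ADDR_PLACEHOLDER"

SAMPLE_TX = Transaction(
    txid="constructed-txid-0001",
    inputs=[TxInput(THIRD_PARTY_ADDR)],
    outputs=[
        TxOutput(AUCTION_ADDR, 100_000),
        TxOutput(SEIZED_COINS_ADDR, 100_000),
    ],
)

if __name__ == "__main__":
    print("naive check says shared tx:",
          naive_shared_transaction(SAMPLE_TX, SEIZED_COINS_ADDR, AUCTION_ADDR))
    print("actual relationship:",
          relationship(SAMPLE_TX, SEIZED_COINS_ADDR, AUCTION_ADDR))
    print("payer(s):", sorted(payers(SAMPLE_TX)))
```

Run on the constructed transaction, the naive check reports that the two addresses share a transaction, while `relationship` reports `co_recipients` and `payers` names only the third-party address: the seized-coins address never spent anything, it just received the same 0.001 bitcoin the auction address did.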
That doesn't mean there weren't further bitcoin monkeyshines. Independent journalist Joseph Cox tweeted: