
Cisco vuln shows up in attack tools leaked by “NSA hackers”

The Shadow Brokers are a self-styled hacker group that recently kicked off a tongue-in-cheek media campaign claiming that they’d penetrated the NSA (or someone like that – they’re referring to the victim as the Equation Group).

Shadow Brokers say they’ve made off with a virtual warehouse of tip-top “cyberweapons” that they plan to auction off.

To help you believe they have some good stuff in the auction files, they’ve released a bunch of hacked data for free, including documents, programs, scripts, exploit code and so on.

Interestingly, there’s more free stuff (191MB compressed) than there is data up for auction (134MB compressed):

-rw-rw-r--  1 bloke staff  134289064 25 Jul 10:49 eqgrp-auction-file.tar.xz.gpg
-rw-rw-r--  1 bloke staff  191282372 25 Jul 10:50 eqgrp-free-file.tar.xz.gpg

We can only assume that the “auction” is supposed to be interpreted as a giant lampoon of the buying-and-selling-of-exploits scene, because the terms of the auction are absurd:

Actually, for all the tongue-in-cheek here, the Shadow Brokers crew make an excellent point when they explain why they aren’t giving away the list of cybermaterial:

Q. What is in auction files? A: Is secret. Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

That’s a common problem after a data breach: not knowing quite how bad it really was, with the result that in your official breach disclosure you have to assume and describe the worst that could have happened.

When a crook breaks into your flat and steals your widescreen TV, you can tell, because there’s a huge area of blank wall where the TV used to be.

But when a crook wanders into your network and steals your data, it’s a different sort of theft: all your data’s still there, as well as being in any number of other places as well.

What we know

What we do know from the Shadow Brokers eqgrp-free-file.tar archive is that something was stolen or leaked by someone, at some unknown earlier time.

Whether it’s only being leaked now by the original thieves, or whether it’s been re-stolen by a new lot of crooks, we don’t know.

But at least one of the exploitable vulnerabilities amongst the free files, found in the Firewall/EXPLOITS/EXBA/ directory, not only works, but also turns out to have been a zero-day bug.

EXBA is short for EXTRABACON, and the EXBA script is documented like this:

#CISCO ASA SNMP exploit script
#Works on most 8.x(y) versions through 8.4(4).
#Do not use against unknown or unsupported versions

The files in the archive are timestamped June 2013, for what that’s worth, and the affected Cisco ASA versions listed date from 2007 to the start of 2012.

ASA is short for Adaptive Security Appliance, one of Cisco’s firewall products.

The bug was obviously news to Cisco, who quickly and creditably responded with a detailed analysis of the flaw.

What to do?

As far as we can see, the exploit and shellcode that Shadow Brokers published for this vulnerability almost certainly won’t work as they stand against any recent version of the Cisco ASA product.

Nevertheless, because the bug was never disclosed, it remained in Cisco’s code.

That means a determined attacker has a huge head start at finding an exploit for recent Cisco ASA products, even if both the EXTRABACON script and its associated attack code need work.

In other words, check out Cisco’s writeup to check if you’re at risk and, if so, what to do about it.
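As an added illustration (not code from the article, the leaked archive, or Cisco), the Python below triages ASA version strings from "show version"-style output against the range the leaked script's own header claims to cover. Versions outside that range are reported as "outside" rather than "safe", because, as noted above, the underlying bug stayed in later Cisco code and the authoritative answer comes from Cisco's writeup. The sample output lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Upper bound taken from the leaked script's own header comment:
# "Works on most 8.x(y) versions through 8.4(4)".
SCRIPT_MAX_VERSION = (8, 4, 4)

# Constructed sample lines in the style of ASA "show version" output
# (not captured from a real device).
SAMPLE_SHOW_VERSION = [
    "Cisco Adaptive Security Appliance Software Version 8.2(5)",
    "Cisco Adaptive Security Appliance Software Version 8.4(4)",
    "Cisco Adaptive Security Appliance Software Version 8.4(7)",
    "Cisco Adaptive Security Appliance Software Version 9.1(2)",
    "Hardware:   ASA5510",  # no version on this line
]

# Matches the "major.minor(build)" form ASA uses, e.g. 8.4(4).
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)")


def parse_asa_version(line: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, build) from one show-version line, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """Compare a version against the range the EXTRABACON header states.

    'in-range': an 8.x(y) release up to and including 8.4(4), which the
                leaked script claims to target as-is.
    'outside':  older or newer than that range; NOT a clean bill of health,
                since the bug itself remained in later code. Check Cisco.
    'unknown':  no version could be parsed.
    """
    if version is None:
        return "unknown"
    if version[0] == 8 and version <= SCRIPT_MAX_VERSION:
        return "in-range"
    return "outside"


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every line through the parser and return (line, status) pairs."""
    return [(line, classify(parse_asa_version(line))) for line in lines]
```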
