
Cisco vuln shows up in attack tools leaked by “NSA hackers”

The security bugs up for auction by Shadow Brokers may be illusory, but the bugs in the free files they gave away "as proof" aren't...

The Shadow Brokers are a self-styled hacker group that recently kicked off a tongue-in-cheek media campaign claiming that they’d penetrated the NSA (or someone like that – they’re referring to the victim as the Equation Group).

Shadow Brokers say they’ve made off with a virtual warehouse of tip-top “cyberweapons” that they plan to auction off.

To help you believe they have some good stuff in the auction files, they’ve released a bunch of hacked data for free, including documents, programs, scripts, exploit code and so on.

Interestingly, there’s more free stuff (191MB compressed) than there is data up for auction (134MB compressed):

-rw-rw-r--  1 bloke staff  134289064 25 Jul 10:49 eqgrp-auction-file.tar.xz.gpg
-rw-rw-r--  1 bloke staff  191282372 25 Jul 10:50 eqgrp-free-file.tar.xz.gpg

We can only assume that the “auction” is supposed to be interpreted as a giant lampoon of the buying-and-selling-of-exploits scene, because the terms of the auction are absurd:

  • You’re not allowed to know what you’re buying. It’s a secret.
  • The crooks keep every bid you submit, whether you end up winning or not.
  • There’s no cutoff time for bidding. The crooks will stop collecting bitcoins and pick a winner if and when they choose, which could be any time (or never).
  • Once the total of all bids gets to BTC 1M (over $0.5B), everyone in the world gets everything for free.

Actually, for all the tongue-in-cheek here, the Shadow Brokers crew make an excellent point when they explain why they aren’t giving away the list of cybermaterial:

Q. What is in auction files? A: Is secret. Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

That’s a common problem after a data breach: not knowing quite how bad it really was, with the result that in your official breach disclosure you have to assume and describe the worst that could have happened.

When a crook breaks into your flat and steals your widescreen TV, you can tell, because there’s a huge area of blank wall where the TV used to be.

But when a crook wanders into your network and steals your data, it’s a different sort of theft: all your data’s still there, as well as being in any number of other places as well.

What we know

What we do know from the Shadow Brokers eqgrp-free-file.tar archive is that something was stolen or leaked by someone, at some unknown earlier time.

Whether it’s only being leaked now by the original thieves, or whether it’s been re-stolen by a new lot of crooks, we don’t know.

But at least one of the exploitable vulnerabilities amongst the free files, found in the Firewall/EXPLOITS/EXBA/ directory, not only works, but also turns out to have been a zero-day bug.

EXBA is short for EXTRABACON, and the EXBA script is documented like this:

#CISCO ASA SNMP exploit script
#Works on most 8.x(y) versions through 8.4(4). 
#Do not use against unknown or unsupported versions

The files in the archive are timestamped June 2013, for what that’s worth, and the affected Cisco ASA versions listed date from 2007 to the start of 2012.

ASA is short for Adaptive Security Appliance, one of Cisco’s firewall products.

The bug was obviously news to Cisco, who quickly and creditably responded with a detailed analysis of the flaw.

What to do?

As far as we can see, the exploit and shellcode that Shadow Brokers published for this vulnerability almost certainly won’t work as they stand against any recent version of the Cisco ASA product.

Nevertheless, because the bug was never disclosed, it remained in Cisco’s code.

That means a determined attacker has a huge head start at finding an exploit for recent Cisco ASA products, even if both the EXTRABACON script and its associated attack code need work.

In other words, check out Cisco’s writeup to check if you’re at risk and, if so, what to do about it.
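One way to triage an ASA inventory against the version range quoted in the EXBA script header, as an added example that is not from the article, from the leaked files or from Cisco; the 8.0(0) floor, the verdict strings returned by `assess` and the sample inventory are assumptions made here:

```python
import re

# Range quoted in the leaked EXBA script header: "Works on most 8.x(y)
# versions through 8.4(4)". The 8.0(0) floor is an assumption made here;
# the article only gives the ceiling.
RANGE_LOW = (8, 0, 0)
RANGE_HIGH = (8, 4, 4)

# Cisco ASA notation: major.minor(maintenance[.interim]), e.g. 8.4(4.1).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)\s*$")

def parse_asa_version(text):
    """Return (major, minor, maintenance[, interim]); ValueError if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    parts = [int(m.group(i)) for i in (1, 2, 3)]
    if m.group(4) is not None:
        parts.append(int(m.group(4)))
    return tuple(parts)

def assess(version):
    """'inside': the leaked script claims to work as-is. 'newer': the script
    is unlikely to work unmodified, but the bug itself may still be present,
    so Cisco's advisory decides. 'older': below the assumed floor."""
    v = parse_asa_version(version)
    if v[:3] < RANGE_LOW:
        return "older"
    # Tuple order puts 8.4(4.1) after 8.4(4), so interim builds above the
    # stated ceiling are reported as 'newer', not 'inside'.
    return "inside" if v <= RANGE_HIGH else "newer"

# Constructed sample inventory: hostname and ASA software version.
SAMPLE_INVENTORY = """\
fw-branch-01 8.2(5)
fw-dc-edge   8.4(4)
fw-dc-core   8.4(4.1)
fw-lab       9.1(7)
fw-legacy    7.2(4)
"""

def triage_inventory(text):
    """Map each host in a 'host version' listing to its assessment."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            host, ver = line.split()
            out[host] = assess(ver)
    return out
```

A 'newer' verdict only says the leaked script as published is unlikely to apply; as the article notes, the bug itself lived on in Cisco's code, so the advisory is the authority on whether a given build is actually affected.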


6 Comments

This isn’t patched, dummy.

Hmmm. I rewrote the needed bits to fix that.

BTW, it costs nothing to be polite, even when you’re right.

There’s a deli near my house I wish I frequented a bit more. In addition to the D4 and Andrew’s Hot Gobbler, I really like their sign near the register:

It doesn’t cost a dime to be nice.

“What we do know from the Shadow Brokers tar archive is that something was stolen or leaked by someone, at some unknown earlier time.”

Given the farcical nature of the remainder of the auction, do we even know that much? I expect they might find it rather hilarious to release a list of IT Crowd or SpongeBob quotes if their BTC donation fund reaches a mil.

Because there are actual exploits in the freebie file, including exploits not previously seen by the affected vendors. Therefore someone had this stuff in secret, but now it’s become public…thus, leaked or stolen.

In other words, the leak/theft is real but the auction files are, well, who can say?

Ah, I see. Of course it’s possible that *was* the bounty, and this is a quasi-creative way to spin it further. Just enough mystery to “earn” them more BTC. Burgeoning business tycoons, as it were.

Reminiscent of No Country for Old Men, Dumb & Dumber, or Wargames where the near-accidental, amateur encounter presents opportunity to spin completely out of control.
