Leaked Exploits are Legit and Belong to NSA: Cisco, Fortinet and Snowden Docs Confirm

 

Last week, a group calling itself "The Shadow Brokers" published what it said was a set of NSA "cyber weapons," including some working exploits for the Internet's most crucial network..

 infrastructure, apparently stolen from the agency's Equation Group in 2013.

Well, talking about the authenticity of those exploits, The Intercept published Friday a new set of documents from the Edward Snowden archive, which confirms that the files leaked by the Shadow Brokers contain authentic NSA software and hacking tools used to secretly infect computers worldwide.

As I previously mentioned, the leaked documents revealed how the NSA was systematically spying on customers of big technology companies like Cisco, Fortinet, and Juniper for at least a decade.

Hacking tools from The Shadow Brokers leak named ExtraBacon, EpicBanana, and JetPlow, contain exploits that can compromise Cisco firewall products including devices from the Adaptive Security Appliance (ASA) line, PIX firewalls, and Cisco Firewall Services Modules (FWSM).

After a thorough investigation, Cisco confirmed the authenticity of these exploits, saying that these hacking tools contain exploits that leverage two security vulnerabilities affecting Cisco ASA software designed to protect corporate and government networks and data centers.

ExtraBacon Zero-Day Cisco Exploit

A zero-day vulnerability (CVE-2016-6366) leveraged by ExtraBacon Exploit resides in the Simple Network Management Protocol (SNMP) code of Cisco ASA software that could allow "an unauthenticated, remote attacker to cause a reload of the affected system," Cisco explained in its advisory.

This leads to remote code execution (RCE) vulnerability, enabling a remote attacker to take complete control over the device.

ExtraBacon was a zero-day exploit that was unknown to Cisco that left customers open to attack by hackers, in this case, NSA as well, who possessed the right hacking tools.

Besides ExtraBacon zero-day exploit, Cisco researchers also found a piece of code that tried to exploit an older Cisco bug (CVE-2016-6367) that was patched in 2011.

Also Read: How NSA successfully Broke Trillions of Encrypted Connections.

The flaw resided in the command-line interface (CLI) parser of Cisco ASA software that allowed "an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code [on the vulnerable device]," Cisco explained.

This flaw was included inside two NSA exploits, dubbed EPICBANANA as well as JETPLOW, which is an enhanced version of EPICBANANA, but with better persistence capabilities, Cisco's Omar Santos said in a blog post.

In addition, the leaked data contains files for decrypting Cisco PIX Virtual Private Network (VPN) traffic, and implanting malware in computer motherboard firmware in such a way that it's almost impossible to detect or delete.

The multi-billion dollar tech firm has provided workarounds that addressed the vulnerabilities, though planned to release software updates to address the issues completely as soon as possible.

Fortinet says, Exploits Disclosed in 'NSA hack' are Legit

Meanwhile, another firewall equipment vendor, Fortinet, also warned of a high-risk vulnerability included in the EGREGIOUSBLUNDER exploit leaked by The Shadow Brokers, which affects older versions of its FortiGate firewalls.

The flaw resides in the onboard cookie parser buffer that could allow an attacker to take over an affected device by sending a specially crafted HTTP request.

Fortinet recommended its customers and businesses to upgrade to FortiGuard versions 5.x. However, Juniper has yet to issue security advisories based on the leaked files in the data dump.

Who is the 'The Shadow Brokers'? Russia? An Insider?

How the files containing exploits were leaked, and who exactly leaked it, are still unclear, but the recent developments made it very much clear that these exploits belong to the NSA and the agency was using them to target customers worldwide.

The Shadow Brokers' identity is still a mystery: As for now, multiple theories have been proposed.

Some are pointing their fingers towards Russia; some are saying it's an insider's job; while some say the NSA hacker using the hacking tools failed to clean up after an operation that allowed someone to grab them without compromising or hacking the agency.