Friday, August 26, 2016

Aftermath of ‘NSA Hack’ by ‘The Shadow Brokers’

Just after a cyber attack on U.S. Democratic National Committee by a lone hacker named ‘Guccifer 2.0’, National Security Agency (NSA) became the victim of cyber attack where the group named ‘The Shadow Broker's’ dumped more than 300 MB of Equation Group ‘Cyber Weapon’ which was operated by Tailored Access Operations (TAO) team. The Shadow Broker is currently running a Bitcoin auction for the hacking tools they have acquired. As of 13th August 2016, they tweeted about the hack with a POC and then released the dump with pgp encrypted files on different file sharing sites. As per their words, they are inviting “Wealthy elites” to bid huge amount of cryptocurrency for the deadliest cyber weapons.

The archive contained scripts under cryptonyms like BANANAUSURPER, BARGLEE, BLASTING, BUZZDIRECTION, exploits under cryptonyms like EGBL, ELBA, ELBO, ELCA, ELCO, EPBA, ESPL, EXBA and many different tools. Some of the cryptonyms were the same to that of Snowden’s leak. The exploit appears to be targeting firewalls, particularly Cisco Adaptive Security Appliance (ASA), Cisco Private Internet eXchange (PIX), Fortigate, Juniper Netscreen, TopSec etc. The exploits took advantage of undisclosed vulnerabilities aka 0’day exploits.

Mustafa Al-Bassam (Founder of LulzSec aka Tflow) has a good write up about the comprehensive list of all the tools and exploits that are contained or referenced in the dump. The targeted products and the company have already started to issue patch and publicly respond to the leaked exploits. “This is the first time possible examples of those tools have been available for inspection. As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS.” says Derrick Scholl from the Juniper Product Security Information Response Team. Cisco has also released software updates that address Cisco ASA’s SNMP Remote code execution (RCE) vulnerability (CVE-2016-6366). Omar Santos, a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations along his team has stated that “Cisco Firewall Service Modules and Cisco PIX Firewalls have passed the last day of software support milestone as stated in the published End of Life (EoL) documents. Further investigations into these devices will not be performed, and fixed software will not be made available.”  Meanwhile, Fortinet’s Threat Research and Response team has warned in an advisory of a ‘high-risk’ vulnerability in its older version of FortiGate firewalls, the statement states that, “FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability, this vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.” FortiOS 4.x firmware release and lower versions seem to be affected but FortiOS 5.x firmware is not affected and in the meantime FortiSwitch firmware versions 3.4.2 and below are affected.

Say what’s interesting in the bitcoin auction? Some of the geeks and leets seems to be making fun of the auction call or maybe they are enjoying the call. As of Wednesday, tiny payments (0.001337 BTC) of bitcoin seemed like this:
1never9kNNkr27UseZSHnaEHg1z8v3Mbb
1gonnaV3MFNjymS4RGvUbHACstiS8aSYz
1giveGEk184Gwep2KT4UBPTcE9oqWzCVR
1youKBMLEohsexdZtkvnTzHnc4iU7Ffty
1upAbpBEWQ467QNT7i4vBMVPzSfQ3sqoQ
1never9kNNkr27UseZSHnaEHg1z8v3Mbb
1gonnaV3MFNjymS4RGvUbHACstiS8aSYz
11etAyypstpXLQpTgoYmYzT8M2foBSBe1
1youKBMLEohsexdZtkvnTzHnc4iU7Ffty
1downAsBbRQcBfUj8rgQomqhRsNFf1jMo
This reads as 'never gonna give you up, never gonna let you down', which is one of a famous song among the leet community by Rick Astley - Never Gonna Give You Up.

Anyway this leak has awaken the top leading industries of networking and cyber security as well as many security community around the globe. If the victim organizations and industries do not patch their vulnerability soon, we can easily predict more script kiddies or even pro black hat communities exploiting the back doors for fun and for profits.