Just after the cyber attack on the U.S. Democratic National Committee claimed by a self-described lone hacker using the name 'Guccifer 2.0', the National Security Agency (NSA) itself became the apparent victim of a breach: a group calling itself 'The Shadow Brokers' dumped more than 300 MB of 'cyber weapons' attributed to the Equation Group, the actor linked to the NSA's Tailored Access Operations (TAO) unit. The Shadow Brokers are currently running a Bitcoin auction for the hacking tools they claim to have acquired. On 13 August 2016 they tweeted about the hack together with a proof of concept, then released the dump, including PGP-encrypted files, on several file-sharing sites. In their words, they are inviting "wealthy elites" to bid large amounts of cryptocurrency for the deadliest cyber weapons.
The archive contained scripts under cryptonyms such as BANANAUSURPER, BARGLEE, BLASTING and BUZZDIRECTION, exploits under cryptonyms such as EGBL, ELBA, ELBO, ELCA, ELCO, EPBA, ESPL and EXBA (abbreviations of EGREGIOUSBLUNDER, ELIGIBLEBACHELOR, ELIGIBLEBOMBSHELL, ELIGIBLECANDIDATE, ELIGIBLECONTESTANT, EPICBANANA, ESCALATEPLOWMAN and EXTRABACON), and many other tools. Some of the cryptonyms match names that appeared in the Snowden documents. The exploits target firewalls, in particular the Cisco Adaptive Security Appliance (ASA), Cisco Private Internet eXchange (PIX), Fortinet FortiGate, Juniper NetScreen and TOPSEC appliances. They took advantage of vulnerabilities that were undisclosed, i.e. zero-days, at the time the tools were written; as the vendor responses below show, some had since been fixed in ordinary releases, while others, such as the Cisco ASA SNMP flaw, were still unpatched when the dump appeared.
Mustafa Al-Bassam (a co-founder of LulzSec, known as Tflow) has written a good, comprehensive list of all the tools and exploits contained or referenced in the dump. Vendors of the targeted products have already started issuing patches and responding publicly to the leaked exploits. "This is the first time possible examples of those tools have been available for inspection. As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS," says Derrick Scholl from the Juniper Security Incident Response Team (SIRT). Cisco has also released software updates that address the Cisco ASA SNMP remote code execution (RCE) vulnerability (CVE-2016-6366), a buffer overflow in the SNMP code that can only be triggered by an attacker who can reach the SNMP service on the appliance and knows a valid community string.
Omar Santos, a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations, and his team have stated that "Cisco Firewall Service Modules and Cisco PIX Firewalls have passed the last day of software support milestone as stated in the published End of Life (EoL) documents. Further investigations into these devices will not be performed, and fixed software will not be made available." Meanwhile, Fortinet's Threat Research and Response team has warned in an advisory of a 'high-risk' vulnerability in older versions of its FortiGate firewalls; the statement reads: "FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability, this vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over." FortiOS 4.x and earlier releases are affected, FortiOS 5.x is not, and FortiSwitch firmware versions 3.4.2 and below are also affected.
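The Cisco ASA SNMP bug above (CVE-2016-6366, the EXTRABACON exploit in the dump) needs two things from the attacker: network reachability to the SNMP service and a valid community string, which is why Cisco's advisory pointed to restricting SNMP access to trusted management hosts as the interim measure while fixed software shipped. The following is an added example, not Cisco's own tooling and not from the original article: a small audit script that reads an ASA running-config, maps each `nameif` to its `security-level`, and flags SNMP pollers bound to low-trust interfaces as well as guessable community strings. The config fragments are constructed for the example, the list of weak community strings is an assumption, and the choice of security-level 100 as "trusted" is a parameter you would tune to your own design.

```python
import re
from dataclasses import dataclass

# Community strings every scanner tries first; treat them as no secret at all.
# (Assumed list for the example; extend it with your own organisation's defaults.)
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

# Constructed sample of an ASA running-config (not from any real device):
# SNMP is pollable from the outside interface with the community 'public'.
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif management
 security-level 100
 ip address 10.10.0.1 255.255.255.0
snmp-server host outside 203.0.113.45 community public version 2c
snmp-server host management 10.10.0.5 poll community Rk9vLq2mX8 version 2c
snmp-server community public
"""

# The same device after the interim hardening: one poller, on the management
# interface only, with a non-default community string (also constructed).
HARDENED_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif management
 security-level 100
snmp-server host management 10.10.0.5 poll community Rk9vLq2mX8 version 2c
"""


@dataclass
class Finding:
    line: str
    reason: str


def interface_levels(config: str) -> dict:
    """Map each nameif to its security-level by walking the interface stanzas."""
    levels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = None                      # new stanza, nameif not yet seen
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current is not None:
            levels[current] = int(line.split()[1])
    return levels


# snmp-server host <nameif> <ip> [trap|poll] [community <string>] [version ...]
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(?: (?:trap|poll))?(?: community (\S+))?")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")


def audit_snmp(config: str, trusted_level: int = 100) -> list:
    """Flag SNMP pollers on interfaces below trusted_level and guessable community strings."""
    levels = interface_levels(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            ifname, host, community = m.groups()
            # An unknown nameif is treated as untrusted (level 0) rather than silently passed.
            level = levels.get(ifname, 0)
            if level < trusted_level:
                findings.append(Finding(line, f"SNMP host {host} bound to low-trust interface "
                                              f"'{ifname}' (security-level {level})"))
            if community and community.lower() in WEAK_COMMUNITIES:
                findings.append(Finding(line, f"guessable community string '{community}'"))
            continue
        m = COMMUNITY_RE.match(line)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(Finding(line, f"guessable default community string '{m.group(1)}'"))
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {cfg_name}: {len(audit_snmp(cfg))} finding(s)")
        for f in audit_snmp(cfg):
            print(f"  {f.reason}\n      {f.line}")
```

The script deliberately keys on `security-level` rather than on the interface name, since "outside" is only a convention; an interface that has no `security-level` in the config is treated as level 0 so that a typo in a `nameif` cannot make a poller disappear from the report. Running it on the sample config yields three findings (the outside-facing poller, its `public` community, and the global `snmp-server community public`); the hardened config yields none.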
What is interesting about the Bitcoin auction is who has been sending money to it. Some onlookers seem to be making fun of the auction call, or perhaps just enjoying it. As of Wednesday, a string of tiny payments of 0.001337 BTC (note the '1337') had arrived from addresses that look like this:
1never9kNNkr27UseZSHnaEHg1z8v3Mbb
1gonnaV3MFNjymS4RGvUbHACstiS8aSYz
1giveGEk184Gwep2KT4UBPTcE9oqWzCVR
1youKBMLEohsexdZtkvnTzHnc4iU7Ffty
1upAbpBEWQ467QNT7i4vBMVPzSfQ3sqoQ
1never9kNNkr27UseZSHnaEHg1z8v3Mbb
1gonnaV3MFNjymS4RGvUbHACstiS8aSYz
11etAyypstpXLQpTgoYmYzT8M2foBSBe1
1youKBMLEohsexdZtkvnTzHnc4iU7Ffty
1downAsBbRQcBfUj8rgQomqhRsNFf1jMo
Read in order, the address prefixes spell 'never gonna give you up, never gonna let you down', the opening of Rick Astley's 'Never Gonna Give You Up', the song behind the rickroll meme. These are vanity addresses: the sender generated key pairs until the resulting address began with the wanted text, which is why the same address appears twice for the repeated words, and why 'let' is spelled '11et': Bitcoin's Base58 alphabet has no lowercase 'l' (nor '0', 'O' or 'I'), and the digit '1' is the closest look-alike.
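To show what is going on with those addresses, here is an added example (not code from the original article or from anyone involved in the auction): a Base58Check validator, which is the check a wallet performs before it will pay an address, and a small heuristic that recovers the chosen vanity prefix from each address in the list above. The addresses are the ones quoted in the article; the checksum check is demonstrated on the well-known Bitcoin genesis-block address rather than on them, and the prefix-extraction rule (lowercase letters and '1' up to the first digit or capital) is an assumption about how the sender chose the prefixes, not something the addresses themselves encode.

```python
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, so a vanity prefix that needs an
# "l" has to be written with the digit "1" instead (hence "11et..." for "let").
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The sending addresses quoted in the article, in the order they were listed.
RICKROLL_ADDRESSES = [
    "1never9kNNkr27UseZSHnaEHg1z8v3Mbb",
    "1gonnaV3MFNjymS4RGvUbHACstiS8aSYz",
    "1giveGEk184Gwep2KT4UBPTcE9oqWzCVR",
    "1youKBMLEohsexdZtkvnTzHnc4iU7Ffty",
    "1upAbpBEWQ467QNT7i4vBMVPzSfQ3sqoQ",
    "1never9kNNkr27UseZSHnaEHg1z8v3Mbb",
    "1gonnaV3MFNjymS4RGvUbHACstiS8aSYz",
    "11etAyypstpXLQpTgoYmYzT8M2foBSBe1",
    "1youKBMLEohsexdZtkvnTzHnc4iU7Ffty",
    "1downAsBbRQcBfUj8rgQomqhRsNFf1jMo",
]

# Well-known reference address (the genesis block coinbase output), used to
# demonstrate the checksum check on an address that is known to be valid.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError if ch is not Base58
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte that the integer form loses.
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_p2pkh_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash160 + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x00:      # 0x00 = mainnet P2PKH, the '1...' addresses
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected


def vanity_word(addr: str) -> str:
    """Heuristic (an assumption, not part of the address format): the chosen prefix is the
    run of lowercase letters, with '1' standing in for 'l', right after the version '1';
    the first digit or capital letter marks where the random part of the hash begins."""
    word = []
    for ch in addr[1:]:
        if ch == "1":
            word.append("l")
        elif "a" <= ch <= "z":
            word.append(ch)
        else:
            break
    return "".join(word)


def vanity_sentence(addresses) -> str:
    """Join the recovered prefixes in the order the payments were listed."""
    return " ".join(vanity_word(a) for a in addresses)


if __name__ == "__main__":
    print(f"{GENESIS_ADDRESS}  valid={is_valid_p2pkh_address(GENESIS_ADDRESS)}")
    for a in RICKROLL_ADDRESSES:
        print(f"{a}  valid={is_valid_p2pkh_address(a)}  word={vanity_word(a)!r}")
    print(vanity_sentence(RICKROLL_ADDRESSES))
```

The checksum is what makes a vanity prefix expensive: the sender cannot simply edit an address to say "never", because the last four bytes depend on the whole payload, so the only route is to generate private keys until the hash of the public key happens to start with the wanted bytes. Each extra Base58 character in the prefix multiplies the expected work by roughly 58, which is why these prefixes stop at a few lowercase letters and the rest of every address is random.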
This leak has put the leading networking and security vendors, and the wider security community around the globe, on alert. If affected organizations do not patch soon, it is easy to predict script kiddies and professional criminal groups alike exploiting these now-public bugs, for fun and for profit.