Last week, a group called Shadow Brokers released a cache of hacking tools and vulnerabilities that can be used to compromise several different vendors’ firewall and routing hardware. Affected vendors include Cisco, Fortinet, WatchGuard and, most recently, Juniper.
The tools are at least three years old, dating back to 2009-2013. They’re the handiwork of an Advanced Persistent Threat (APT) group referred to as the Equation Group, which some industry experts speculate is the National Security Agency (NSA).
The Shadow Brokers released some of the Equation Group malware and hacking tools for free, as a show of good faith, and put the rest up for auction at an asking price of 1 million Bitcoin, according to Kaspersky Lab. Researchers are analyzing the free tools, and others have tested them and found that the “NSA-built firewall exploits” are, in fact, easy to use, demonstrating a working exploit against Cisco ASA (which I won’t link here).
The Attribution Game
The Intercept has confirmed that these files do contain authentic NSA software, citing a match with the names of NSA malware servers as described in Snowden documents. Likewise, Kaspersky Lab has stated that “several hundred tools from the leak share a strong connection” with their previous findings from the Equation group. Their research found matching encryption algorithm patterns seen previously only in the Equation group malware.
In a series of tweets, Snowden himself suggested that just one of the computers that the NSA uses to plan and execute attacks was compromised, not the entire headquarters.
I could go on and on about that, but instead of leaning on speculation, I'd rather provide some useful information for those using products that are affected by the hacking tools. According to Softpedia.com, Cisco has provided mitigation steps in two security alerts.
As our Duo Labs team released in a threat notification last week, there are three code samples which cover two vulnerabilities that affect Cisco devices:
EXTRABACON. This is a newly disclosed exploit, assigned CVE-2016-6366: a remote code execution vulnerability in the SNMP service of Cisco ASA software. It is the more serious of the two because it affects a large number of Cisco products. Per Cisco’s advisory, the attacker must be able to reach the SNMP service and must know the SNMP community string, which is why restricting SNMP to trusted management hosts (or disabling it) matters so much.
EPICBANANA. This exploits a defect that Cisco corrected in 2011 and that was not originally considered a security issue. Because the defect allowed arbitrary code execution, it has now been assigned CVE-2016-6367. The issue only affects versions of ASA before 8.4.1; recent versions are not affected. The exploit also requires valid credentials: the attacker must already know an account name and password and be able to reach the CLI via SSH or Telnet.
JETPLOW. This is not an exploit but a persistence implant: it allows an EPICBANANA compromise to remain on a Cisco device by modifying the device’s firmware (the BIOS).
Fortinet advises customers to upgrade to the latest FortiOS 5.x release and also lists a number of workarounds. WatchGuard stated that its current device models are not affected; the exploit targets a line of discontinued products called RapidStream.
Most recently, Juniper Networks announced on Friday that their products are affected by the Shadow Brokers data dump. Juniper identified an attack against NetScreen devices running ScreenOS, according to Threatpost.
Our Security Recommendations
Duo Labs recommends applying the patches and mitigations published by Cisco. As a matter of best practice, Duo also recommends running the latest available software versions; disabling services such as SNMP, SSH and Telnet on public-facing interfaces; and disabling SNMP entirely if it is not being used.
In addition, ensure that privileged EXEC mode (entered by typing enable at the console) is protected by a password, and that the password is not stored in clear text in the configuration. Always use strong passwords, and turn on any additional security features that help protect your systems.
For the other vendors’ vulnerabilities, we recommend the same best practices: disable any unused services, minimize the exposure to the Internet of any interface that allows remote management, and update all systems to the latest versions and patches.
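As an added illustration (not part of Duo’s original post or tooling), here is a small Python audit that flags the settings above in an ASA-style running-config: SNMP, SSH or Telnet permitted on a public-facing interface, SNMPv1/v2c community strings, SNMP left enabled with no manager host configured, and an enable password that is missing, stored in clear text or reversibly encoded. The interface name `outside` and both sample configurations are assumptions constructed for the example; the hardened config’s enable hash is a placeholder, not a real hash.

```python
"""Static audit of a Cisco ASA-style running-config for the exposures the post
recommends closing. Added example; sample configs are constructed, not real."""
import re

# nameif values treated as Internet-facing. Assumption for the example.
PUBLIC_INTERFACES = {"outside"}

# ASA management-access lines: ssh|telnet <source-ip> <mask> <nameif>
_ACCESS_RE = re.compile(
    r"^(?P<proto>ssh|telnet)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)$")
_ENABLE_RE = re.compile(r"^enable\s+(?P<kind>password|secret)(?:\s+(?P<rest>.*))?$")

# Constructed weak config: everything the post warns about, on one box.
WEAK_CONFIG = """\
hostname edge-fw
enable password cisco123
interface GigabitEthernet0/0
 nameif outside
 security-level 0
snmp-server host outside 203.0.113.10 community public version 2c
snmp-server community public
snmp-server enable
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 1
"""

# Constructed hardened config: SNMPv3 from one inside manager, SSHv2 from the
# management subnet only, no Telnet, hashed enable password (placeholder hash).
HARDENED_CONFIG = """\
hostname edge-fw
enable password Vr8mJxP2Qz9kL0aB encrypted
interface GigabitEthernet0/0
 nameif outside
 security-level 0
snmp-server host inside 10.0.0.50 poll version 3 netmon
snmp-server enable
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
"""


def audit_config(text, public_ifaces=PUBLIC_INTERFACES):
    """Return a list of (severity, message) findings for one running-config."""
    findings, snmp_hosts, snmp_enabled, enable_seen = [], 0, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _ACCESS_RE.match(line)
        if m:
            proto, iface = m["proto"].upper(), m["iface"]
            if proto == "TELNET":
                findings.append(("high", f"clear-text Telnet management enabled: {line}"))
            if iface in public_ifaces:
                findings.append(("high", f"{proto} management reachable on public interface {iface}: {line}"))
            elif m["ip"] == "0.0.0.0" and m["mask"] == "0.0.0.0":
                findings.append(("medium", f"{proto} management allowed from any source: {line}"))
            continue
        if line == "ssh version 1":
            findings.append(("medium", "SSH protocol version 1 permitted"))
        elif line.startswith("snmp-server host "):
            snmp_hosts += 1
            if line.split()[2] in public_ifaces:
                findings.append(("high", f"SNMP manager allowed on public interface: {line}"))
            if "version 3" not in line:
                findings.append(("medium", f"SNMPv1/v2c host; the community string is the only secret: {line}"))
        elif line.startswith("snmp-server community"):
            findings.append(("medium", f"default SNMP community string set: {line}"))
        elif line == "snmp-server enable":
            snmp_enabled = True
        elif (m := _ENABLE_RE.match(line)):
            enable_seen = True
            rest = (m["rest"] or "").split()
            if m["kind"] == "secret" and rest and rest[0] in ("5", "8", "9"):
                continue  # IOS-style hashed secret (MD5-crypt, PBKDF2, scrypt)
            if m["kind"] == "password" and rest and rest[-1] == "encrypted":
                continue  # ASA stores the enable password hashed and marks it 'encrypted'
            if rest and rest[0] == "7":
                findings.append(("high", "enable password uses reversible Type 7 encoding"))
            else:
                findings.append(("high", "enable password stored in clear text"))
    if not enable_seen:
        findings.append(("high", "no enable password configured; privileged EXEC is unprotected"))
    if snmp_enabled and snmp_hosts == 0:
        findings.append(("low", "SNMP enabled with no snmp-server host entries; disable it if unused"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"[{name}] {len(results)} finding(s)")
        for sev, msg in results:
            print(f"  {sev:6} {msg}")
```

Feed it the saved output of show running-config from each device; the hardened sample produces no findings, while the weak one produces eight, five of them high. It is a static check only: it tells you what is exposed, not which software release you are running, so it complements, rather than replaces, applying the vendor patches.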
Taking a Holistic Approach to Security
As Cisco stated in a blog on the exploits:
Just as technology advances, so too do the nature and sophistication of attacks. Prolonging the use of older technology exponentially increases risk.
Here at Duo, we agree - and that’s why we recommend a new approach to security that takes a holistic view of protecting your users, devices and access to your apps by ensuring they’re using the latest software versions patched for the newest exploits.
Our approach combines deep data insights and access policies and controls to protect against an attack against multiple areas of your organization. Duo’s Trusted Access platform verifies the identity of your users and checks the health of their devices before they connect to your organization’s applications.
Download our 2016 Duo Trusted Access Report to see our data on the current security health of enterprise devices, and get our recommendations on how to protect against risky devices accessing your company’s apps and data.