Random hackers are taking NSA-linked cyber weapons for a test drive
Opportunistic hackers are copying code from a trove of leaked cyber weapons and testing them on a variety of targets across the globe, security companies and researchers tell Cyberscoop.
The chief of Cisco’s product security incident response team, or PSIRT, is currently working with the company’s customers to reconfigure their firewall defenses after it was determined one of the leaked exploits targeted the company’s products. Additionally, the team is involved in an intelligence gathering campaign, using honeypots to measure the exploit’s prevalence and spread.
“Right now, as you can imagine, we have all hands on deck for this,” Omar Santos, Cisco’s PSIRT chief, told Cyberscoop.
One of the leaked exploits — codenamed “ExtraBacon” in the original code log — is engineered to breach a popular Cisco firewall product. By targeting the software’s simple network management protocol, or SNMP, the exploit can potentially penetrate a Cisco firewall without the need for login details. Experts say such a firewall breach offers hackers notable surveillance and other data exfiltration capabilities.
Cisco reacted to the news by sending customers an updated security advisory, offering an avenue to help mitigate some risks associated with the aforementioned software flaws. But because ExtraBacon’s blueprints are now public, copycat hackers are cloning the cyber weapons’ code to launch their own attacks, said Christopher Porter, chief of FireEye’s iSIGHT Intelligence team.
“Most of these exploits, I mean, just about anyone with a college computer science degree can run them,” Porter, a former CIA intelligence officer, told Cyberscoop.
Since establishing the ExtraBacon honeypot, Santos said Cisco has observed a string of copycat attacks effectively based on code published in the leak. Santos, however, described the quantity of cloned cyber attacks as “insignificant.” He declined to discuss attribution or to provide a total figure for cyber attacks aimed at the honeypots, citing company disclosure policy.
Another similar honeypot operation — also focused on the SNMP vulnerability — conducted separately by non-Cisco researcher Brendan Dolan-Gavitt produced comparable results. Once again, random hackers were able to find the server online and then used tools laced with Equation Group code to break into the databases.
These unnamed, unidentified hackers showed a clear motivation to find systems running the Cisco SNMP vulnerability, evident in versions 2.0 and 3.0, said Dolan-Gavitt, an assistant professor of computer science at New York University. He used Shodan, a search engine for Internet-connected devices, to find his fake server and to locate others that appeared to also carry the defunct firewall protection system.
A cohort of American technology companies — including Cisco, Juniper Networks and Fortinet — admitted last week that network hardware and firewall software they developed is vulnerable to newly discovered exploits published by a mysterious, self-named group known as the Shadow Brokers. Days prior, the group had uploaded a free, public sample of cyber weapons it claims were stolen directly from an elite team of NSA-affiliated hackers, codenamed the Equation Group.
In the days proceeding the high profile data dump, independent analysts confirmed to Cyberscoop the cyber weapons classify as legitimate zero-days — a rare type of computer code exploit underscored by its absence in all known code vulnerabilities databases. Zero-day exploits are typically understood to be the work of a nation-state actor equipped with considerable resources and talent.
[Read more: Tech vendors admit stolen NSA cyber weapons are effective, warn customers]
Although some of the Equation Group’s exploits are nearly four years old, several of the known vulnerabilities remain exposed simply because either the customer never downloaded subsequent software updates or due to configuration issues, Porter said.
“APT28 had its operations, tools, tactics, and infrastructure exposed publicly over 20 times from October 2014 to October 2015 by a variety of cybersecurity vendors,” Porter, referencing an infamous Russian cyber espionage group, told Cyberscoop. “Yet these exposures did little to impact the pace or success of APT28’s operations, contrary to the thinking in Western cybersecurity circles that such exposures are an automatic remedy.”
It is unclear just how many organizations, globally, still run vulnerable versions of Cisco’s PIX/ASA firewall. Santos said that even if he knew, he could not comment on any customers’ security systems. But based on research conducted by cybersecurity consultants Kevin Beaumont and Mustafa Al-Bassam, there are at least several hundred organizations who do so.
Security firms and independent researchers who spoke with Cyberscoop said they had never observed ExtraBacon “in the wild.” And yet, in just one week following the Shadow Brokers’ leak, a myriad of nondescript, fake servers became the target of this complex exploit, which many believe was once highly-classified and exclusively used so as to hide its original author.
“I think that, in itself, is really significant,” said Dolan-Gavitt.