Tech vendors admit stolen NSA cyber weapons are effective, warn customers
Cisco and Fortinet, two of the technology vendors whose products were the apparent targets of secret software exploits supposedly developed by NSA hackers and subsequently shared publicly by the so-called Shadow Brokers, each disclosed to their customers on Wednesday that the targeted vulnerabilities exist and are being addressed.
In a statement provided to Cyberscoop, a Cisco spokesperson said: “the Cisco PSIRT [Product Security Incident Response Team] has investigated the information recently published by the alleged Shadow Brokers group, and has determined it provides exploits of two Cisco product vulnerabilities.”
One of these cyber weapons, codenamed “EXTRABACON” in the original code log, is effective at breaching a popular Cisco firewall product, the company said in a release. An independent security researcher, writing under the moniker Xorcat, previously ran the shared exploit script and showed it could penetrate systems without needing valid login credentials.
The second Cisco exploit, which targets a remote code execution flaw, was fixed in 2011, the company says.
Brian Martin, a cybersecurity consultant with Richmond, Va.-based Risk Based Security, previously said ExtraBacon could likely be considered a zero-day exploit — since it was unaccounted for in every known software vulnerability database. Martin’s analysis was proven true by Cisco’s disclosure.
To mitigate potential cyber risks, Cisco is now offering “free software updates and workarounds where possible” to customers currently using any of the products it now recognizes as vulnerable.
Separately, roughly 45 minutes before Cisco made its own announcement, Fortinet also released a security advisory to its customers regarding the legitimacy of another exploit revealed by the Shadow Brokers, a mysterious entity alleging to have stolen cyber weapons from an NSA-linked hacking team known as the Equation Group.
The Fortinet exploit, which targets a specific firewall product called FortiGate, may affect customers running older versions of the software.
“We are actively working with customers and strongly recommend that all customers running 4.x versions update their systems with the highest priority. We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products,” an official statement reads.
The link between the Equation Group and the NSA was first uncovered in 2015 by malware researchers employed by Kaspersky, a private cybersecurity firm based in Moscow, Russia.
On Tuesday, those same Kaspersky researchers published a new blog post confirming the apparent similarities shared by the Equation Group’s cyber weapons and the samples posted by the Shadow Brokers.
Publication of the actual exploits occurred on Saturday, though the story only gained attention on Monday, when various news outlets began investigating the legitimacy of claims made by the Shadow Brokers. Notably, all of the files stolen from the Equation Group date back to 2013.
In a 2014 letter addressed to U.S. President Barack Obama, Cisco CEO John Chambers criticized the NSA’s spying operations. Chambers’ letter to the White House followed reports suggesting the spy agency had installed spyware into company routers.
“We simply cannot operate this way, our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security,” Chambers wrote.