Sample code released by the Shadow Brokers group to demonstrate that it really did have Equation Group (NSA, Australia, Canada, New Zealand and UK) hacking tools for sale. It included exploits for critical flaws in some security software. See yesterday’s story NSA Toolkit For Sale.
The Cisco security patch is for Zero-Day hacks, that is, vulnerabilities discovered by hackers but unknown to the software vendor, which can therefore be exploited to break into a network because they won't be patched until the vendor learns of them.
The NSA has long been suspected of taking advantage of Zero-Day hacks instead of always reporting them to the vendor so the security holes can be patched. The theft of NSA hacking tools by the Shadow Brokers shows the incredible danger of stockpiling such vulnerabilities for its own use instead of notifying vendors.
Can NSA Statements Be Trusted?
This sort of activity is contrary to the statements made in the past by NSA officials who say they notify vendors of newly discovered vulnerabilities. Such a breach of national security by the country’s own security apparatus is unconscionable and will almost certainly lead to a Congressional investigation of some sort.
Of course others may also have discovered the same flaws and may also be making use of them. The threat of releasing dozens or even hundreds of such flaws to whatever group, individual, or foreign government agency wins the auction is enormous. The NSA should immediately inform all companies of any Zero-Day hacks it was aware of back in 2013, the probable age of the toolkit.
The anti-virus and security firm Kaspersky Labs reports finding what it terms “unusual” math in some of the already published code. That finding is what led it to suggest the code is authentic and comes from the Equation Group.
The Cisco Patch
The most critical Cisco patch is for ExtraBacon, a newly disclosed flaw in the Cisco Adaptive Security Appliance (ASA) software used by data centers. ExtraBacon targets particular ASA software versions, 8.x up to 8.4.
According to some reports on the Internet, the released code was nearly 3 megabytes of plain text code (not encrypted). The Wall Street Journal reports that InQuest LLC Chief Technology Officer Pedram Amini told them that the code released so far would be valued in the tens of thousands of dollars by potential buyers. The Shadow Brokers are asking millions of dollars for the rest of what they claim is a large additional cache of code and tools.
Another firm confirming a Zero-Day hack of its software in the released code was Fortinet Inc.
The Wall Street Journal, Wired, The MIT Technology Report newsletter, and Kaspersky Labs have all confirmed portions of this report. @CiscoSecurity.