The Shadow Brokers are a self-styled hacker group that recently kicked off a tongue-in-cheek media campaign claiming that they’d penetrated the NSA (or someone like that – they’re referring to the victim as the Equation Group).
Shadow Brokers say they’ve made off with a virtual warehouse of tip-top “cyberweapons” that they plan to auction off.
To help you believe they have some good stuff in the auction files, they’ve released a bunch of hacked data for free, including documents, programs, scripts, exploit code and so on.
Interestingly, there’s more free stuff (191MB compressed) than there is data up for auction (134MB compressed)
We can only assume that the “auction” is supposed to be interpreted as a giant lampoon of the buying-and-selling-of-exploits scene, because the terms of the auction are absurd:
You’re not allowed to know what you’re buying. It’s a secret.
The crooks keep every bid you submit, whether you end up winning or not.
There’s no cutoff time for bidding. The crooks will stop collecting bitcoins and pick a winner if and when they choose, which could be any time (or never).
Once the total of all bids gets to BTC 1M (over $0.5B), everyone in the world gets everything for free.
Actually, for all the tongue-in-cheek here, the Shadow Brokers crew make an excellent point when they explain why they aren’t giving away the list of cybermateriel:
That’s a common problem after a data breach: not knowing quite how bad it really was, with the result that in your official breach disclosure you have to assume and describe the worst that could have happened.
When a crook breaks into your flat and steals your widescreen TV, you can tell, because there’s a huge area of blank wall where the TV used to be.
But when a crook wanders into your network and steals your data, it’s a different sort of theft: all your data’s still there, as well as being in any number of other places as well.
What we know
What we do know from the Shadow Brokers eqgrp-free-file.tar archive is that something was stolen or leaked by someone, at some unknown earlier time.
Whether it’s only being leaked now by the original thieves, or whether it’s been re-stolen by a new lot of crooks, we don’t know.
But at least one of the exploitable vulnerabilities amongst the free files, found in the Firewall/EXPLOITS/EXBA/ directory, not only works, but also turns out to have been a zero-day bug.
EXBA is short for EXTRABACON, and the EXBA script is documented like this:
#CISCO ASA SNMP exploit script
#Works on most 8.x(y) versions through 8.4(4).
#Do not use against unknown or unsupported versions
The files in the archive are timestamped June 2013, for what that’s worth, and the affected Cisco ASA versions listed date from 2007 to the start of 2012.
ASA is short for Adaptive Security Appliance, one of Cisco’s firewall products.
The bug was obviously news to Cisco, who quickly and creditably responded with an analysis and a patch.
What to do?
As far as we can see, the exploit and shellcode that Shadow Brokers published for this vulnerability almost certainly won’t work as they stand against any recent version of the Cisco ASA product.
Nevertheless, because the bug was never disclosed, it remained in Cisco’s code until this latest patch.
That means a determined attacker has a huge head start at finding an exploit for recent Cisco ASA products, even if both the EXTRABACON script and its associated attack code needs work.
In other words, and as always, patch early, patch often!