The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group?

The Beginning (August 15)
The Dust Has Settled, Or Has It? (August 16)
Vulnerability Details, Attribution, and Bitcoin Goals (August 17)
Analysis, Trolling, and Attribution (August 18)
Vulnerability Analysis, Government Claims, and the Ex-NSA Conundrum (August 19)
Auction File: Only Worth What Someone Is Willing To Pay (August 22)
General Follow-up, Vuln Updates, RedSeal Connection (August 24)
Shadow Brokers Back From The Shadows (December 19)
Auction Ends: Shadow Brokers Release Key In Retaliatory Strike (April 8)

The Beginning (August 15)
This week a hacker group going by the name The Shadow Brokers has surfaced and appears to be auctioning off computer exploits it claims were stolen from the Equation Group. The Equation Group, a group of hackers believed to be operated by the National Security Agency, was named by Kaspersky after its analysis of “APT” activity leading up to 2015. According to Wikipedia:

“The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world and “the most advanced … we have seen”, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame”

The group that leaked the new exploit files goes by the name The Shadow Brokers and operates the Twitter account @theshadowbrokerss. Based on their Tweets, it appears that they have been preparing for this release since at least the start of August. It started with the creation of a Reddit account on the 1st of August and then over the next 13 days it appears they created accounts at GitHub, Twitter, and Imgur.

[Image: Shadow Brokers tweet announcing the leak]

On the 13th of August they announced the leak of this data, which stands out from other leaks because it appears to be a teaser and advertisement to promote the online auction of a larger portion of the data they got hold of. The leak and auction announcement have been posted to various sites, including Twitter, GitHub, Tumblr, Reddit, Imgur, and Pastebin:

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

The data was uploaded to several sites including MEGA, which shows that it was last modified on their system on the 1st of August, further suggesting they have had it for some time.

The Auction

While we have increasingly seen data from hacked companies put up for auction, it is rare to see this big a teaser posted publicly. Many breaches only end up publicly disclosing a very small sample of data to show their authenticity, but the Equation Group teaser data includes a significant trove of exploits designed to compromise firewalls. This data alone has incredible value to a wide variety of companies, both offensive and defensive. The hacked data release came with a FAQ and a set of instructions for the auction:

We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.

The FAQ has several interesting points:

Q: Why I want auction files, why send bitcoin? A: If you like free files (proof), you send bitcoin. If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin.

Q: What is in auction files? A: Is secret. Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

Q: What if bid and no win, get bitcoins back? A: Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win! But maybe not total loss. Instead to losers we give consolation prize. If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone.

Q: When does auction end? A: Unknown. When we feel is time to end. Keep bidding until we announce winner.

Q: Why I trust you? A: No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees. There could be hack, steal, jail, dead, or war tomorrow. You worry more, protect self from other bidders, trolls, and haters.

The Exploits

The compressed data is a little over 256MB and contains both the teaser data (eqgrp-free-file.tar.xz.gpg) as well as the data being auctioned (eqgrp-auction-file.tar.xz.gpg). While both are encrypted, the Shadow Brokers only provided the password for the teaser data, and only the auction winners presumably receive the password for the rest. Highlights:

  • Free data file extracts to a folder named “Firewall”
  • The date stamps on the encrypted files are July 25, 2016.
  • The decrypted “free file” has files dated as far back as 2013.
  • Directories are dated back to 2010.
  • The data structure is the same as shown in the Imgur preview.

[Image: auctionfile, directory listing of the leaked archive]

While many companies and analysts rush to figure out what exploits were released, with some already publishing their initial analysis, a few of the highlights based on our cursory examination are below. The directory structure uses four letter code names for specific exploits. Some of the codes, exploit names, and relevant details:

EGBL: EGREGIOUSBLUNDER version 3.0.0.1 – A web-based exploit that targets Fortigate firewalls (various builds of firmware FGT_60-v300) including models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. One researcher notes that Avast calls it CVE-2006-6493, which is a vulnerability in OpenLDAP.

ELBA: ELIGIBLEBACHELOR – An exploit against an unspecified vendor, affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. This exploit uses the third-party library from Keld Simonsen called ISO/IEC 14652 i18n FDCC-set.

ELBO: ELIGIBLEBOMBSHELL version 1.2.0.1 – A web-based exploit reported to be against the Chinese made TOPSEC firewall and affects versions 3.3.005.057.1 to 3.3.010.024.1. Some payloads are noted as having been added as far back as 2009 and have their own code name designations, including WOBBLYLLAMA, FLOCKFORWARD, HIDDENTEMPLE, CONTAINMENTGRID, and GOTHAMKNIGHT. Notes in the exploit include information “FOR DEVELOPERS ONLY”.

ELCA: ELIGIBLECANDIDATE version 1.1.0.1 – A line in the exploit describes itself as “What is the sound of a single thread blocking?” This web-based exploit targets the /cgi/maincgi.cgi script of Chinese made TOPSEC firewalls version 3.3.005.057.1 to 3.3.010.024.1.

ELCO: ELIGIBLECONTESTANT version 1.1.0.1 – A line in the exploit describes itself as “A packet drops in a router. Does anyone hear it?” This web-based exploit targets the /cgi/maincgi.cgi script of Chinese made TOPSEC firewalls before version 3.3. The exploit also has warnings for the user that the “User may be logged in. PLEASE REVIEW SYSTEM INFO”.

EPBA: EPICBANANA version 2.1.0.1 – This exploit targets several models of Cisco PIX Firewalls and Cisco Adaptive Security Appliance (ASA) devices. It uses the pexpect.py Python module written by Noah Spurrier and includes an extensive list of credits for helping develop the module. The affected ASA device images include 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, and 832. The affected PIX device images include 711, 712, 721, 722, 723, 724, and 804.

ESPL: ESCALATEPLOWMAN version 1.1.0.1 – A local exploit against an unknown vendor, with one very interesting line in the params.py file. One of the configurable parameters is “callback” and the example in the header of the file says “callback       (“30.40.50.60:9342”)  parse to: callback_ip, callback_port”. That IP address is registered to the DoD Network Information Center located in Columbus, Ohio that is part of the Defense Logistics Agency. This may be a telling piece of information, or an unfortunate sample IP address as we see it used in at least one book on administering data centers. One researcher notes that it appears to be unroutable and potentially just a placeholder.

EXBA: EXTRABACON version 1.1.0.1 – An exploit against the SNMP service of Cisco Adaptive Security Appliance (ASA) devices that affects version 8.0(2) to 8.4(4).

The exploit dump contains many other tools and scripts, along with other wonderful codenames such as BANANAGLEE (impacting Juniper devices), BARGLEE, BLATSTING, BUZZDIRECTION, SCREAMPLOW, and BANANADAIQUIRI.

Bidding and Bitcoin

Several researchers have taken to monitoring the BTC (bitcoin) transactions associated with the auction of the leaked data, and have pointed out that the bids can be monitored on the blockchain. At the time of publishing, the auction has two transactions worth a total of 0.0424 BTC (US$23.56). The first transaction bid was 0.0355 BTC and the second one was 0.0069 BTC. The current high bid comes from Mike Damm, who has announced it on Twitter.
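The auction mechanics quoted above (payments to 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK, with the bidder's contact details placed in an OP_RETURN output) are what make the bidding observable on the public blockchain. The following is an added example, not code from the original post, showing how an observer would decode the auction address into its scriptPubKey, tally payments to it, and pull the OP_RETURN contact strings out of the same transactions; the transactions are constructed sample data, not real chain records, and the contact strings are placeholders.

```python
import hashlib
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The bidding address quoted in the Shadow Brokers announcement.
AUCTION_ADDRESS = "19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK"


def base58check_decode(addr: str) -> bytes:
    """Decode a Base58Check string, verify the checksum, return version + payload."""
    n = 0
    for ch in addr:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the address stands for a leading zero byte.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return body


def p2pkh_script_for(addr: str) -> str:
    """Hex scriptPubKey paying a mainnet P2PKH address (OP_DUP OP_HASH160 <h160> OP_EQUALVERIFY OP_CHECKSIG)."""
    body = base58check_decode(addr)
    if len(body) != 21 or body[0] != 0x00:
        raise ValueError("not a mainnet P2PKH address")
    return "76a914" + body[1:].hex() + "88ac"


def decode_op_return(script_hex: str) -> Optional[bytes]:
    """Payload of an OP_RETURN output, or None for any other (or malformed) script.
    Covers direct push (1..75 bytes), OP_PUSHDATA1 (0x4c) and OP_PUSHDATA2 (0x4d)."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != 0x6A:
        return None
    if len(script) == 1:
        return b""                      # bare OP_RETURN, no data
    op = script[1]
    if 1 <= op <= 75:
        length, start = op, 2
    elif op == 0x4C and len(script) >= 3:
        length, start = script[2], 3
    elif op == 0x4D and len(script) >= 4:
        length, start = int.from_bytes(script[2:4], "little"), 4
    else:
        return None
    payload = script[start:start + length]
    return payload if len(payload) == length else None   # reject truncated pushes


def tally_bids(txs, auction_addr: str = AUCTION_ADDRESS):
    """Record each transaction that pays the auction address, with the contact
    string carried in that transaction's OP_RETURN output (None if absent).
    txs: list of {"txid": str, "vout": [{"value": satoshis, "script": hex}, ...]}
    Returns [(txid, satoshis_to_auction_addr, contact), ...]."""
    target = p2pkh_script_for(auction_addr)
    bids = []
    for tx in txs:
        paid = sum(o["value"] for o in tx["vout"] if o["script"] == target)
        if paid == 0:
            continue                    # unrelated transaction
        contact = None
        for o in tx["vout"]:
            data = decode_op_return(o["script"])
            if data is not None:
                contact = data.decode("utf-8", errors="replace")
                break
        bids.append((tx["txid"], paid, contact))
    return bids


def op_return_script(data: bytes) -> str:
    """Hex OP_RETURN script using the shortest push opcode for the data."""
    if len(data) <= 75:
        head = bytes([0x6A, len(data)])
    elif len(data) <= 0xFF:
        head = bytes([0x6A, 0x4C, len(data)])
    else:
        head = bytes([0x6A, 0x4D]) + len(data).to_bytes(2, "little")
    return (head + data).hex()


# Constructed sample transactions, not real blockchain data. The two bid sizes
# match the first two transactions the post reports (0.0355 and 0.0069 BTC);
# the contact strings and the third, unrelated payment are made up.
SAMPLE_TXS = [
    {"txid": "constructed-tx-1",
     "vout": [{"value": 3_550_000, "script": p2pkh_script_for(AUCTION_ADDRESS)},
              {"value": 0, "script": op_return_script(b"BM-constructed-bitmessage-address")}]},
    {"txid": "constructed-tx-2",
     "vout": [{"value": 690_000, "script": p2pkh_script_for(AUCTION_ADDRESS)},
              {"value": 0, "script": op_return_script(b"contact@i2p-bote.example " + b"#" * 60)}]},
    {"txid": "constructed-tx-3",
     "vout": [{"value": 100_000, "script": "76a914" + "00" * 20 + "88ac"}]},
]
```

The second constructed contact string is longer than 75 bytes, so it exercises the OP_PUSHDATA1 path rather than a direct push.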

[Image: transactions to the auction address on the blockchain]

Final Thoughts

As we wrap up this initial blog post, the amount of attention and analysis this leak is receiving is considerable. The ShadowBrokers GitHub page has already been suspended, but copies of the leaked data have spread far and wide. In the coming days and weeks, we expect to see a variety of blogs further analyzing the exploits, as well as the affected vendors scrambling to evaluate the information and provide patches.

While this leak seems extremely damaging to the NSA on the surface, we caution readers to remember that false flag operations are a critical part of high-level hacking activity. As one analyst notes, this leaked information likely comes from a compromised system hosting the exploits rather than the NSA getting hacked directly.

The Dust Has Settled, Or Has It? (August 16)

After a furious first day with many researchers analyzing the published data, there seem to be as many questions as answers. However, a fair number of points and facets of the dump have been discussed and discovered. With so many disjointed analyses taking place, we have attempted to recap the highlights in this update.

We start with some other recaps and pieces worth a read:

Published Leak

As originally mentioned, the leak and auction announcement were posted to various sites, including:

  • Twitter – The original Twitter account is still up and running, despite claims otherwise.
  • GitHub – Some level of censoring and data removed ~ 5:30P EST – August 15th.
  • Tumblr – theshadowbrokers.tumblr.com is no longer available as of ~ 5:50P EST – August 15th.
  • Imgur – The picture posted is still up.
  • Pastebin – The content is still up.
  • MEGA – The content is still up.

When looking at the leak and public event on Github, one can see the original leaker used a @TutanotaTeam email. We took note of it in our analysis, and it was later pointed out by Twitter user @iamdeveloper.

[Image: GitHub event showing the leaker's @TutanotaTeam email address]

You can also see a list of ‘file by modified time’ on Github from the archive. When reviewing, it is evident they are older files from approximately September 2013 and directories listed are from 2010. According to @pwnallthethings, “The most recent “last modified” timestamp in the EQUATION GROUP hacking tool set is 2013:10:18 14:48:09+02:00 – i.e. October 18, 2013.” This suggests it is very questionable to think that the NSA was actually hacked directly or recently. It is much more likely given the file dates and content that this is a quite old compromise, or – as many would believe – the hackers compromised a launch box used for attacks that wasn’t cleaned up.

Furthermore, as Twitter user @creative83 points out, it would be far too valuable to give up access to the NSA if the attackers actually had it:

[Image: tweet from @creative83]

So far, most coverage is pointing to the NSA being compromised either directly, or indirectly via misleading headlines. As mentioned earlier, it’s very likely the NSA was not hacked, but it does look more and more like the exposed data is from the NSA.

Twitter user @RidT points out JETPLOW and BANANAGLEE appear in only one file in the Snowden leaks.

[Image: tweet from @RidT]

NSA Website Down

[Image: screenshot of the NSA website]

For those readers who have never been to the NSA’s website, there is a screenshot above. It is quite extensive and appears to have a lot of references and content. However, Twitter user @ericgeller pointed out something very interesting about the NSA’s website yesterday:

[Image: tweet from @ericgeller]

It seems too crazy to be true, so we personally verified it: the main page of the NSA’s site loads, but all other pages fail to load and return a “Service Unavailable” message.

It got us questioning when the website was last working properly and whether this is connected to the leak. Looking at the Wayback Machine, between August 1st and 16th we can see that the site appears to have been properly serving content:

[Image: Wayback Machine captures of the NSA website, August 1st to 16th]

Just now a Twitter account, @zipadux (registered since November 2005, but inactive until just now), stated that “ShadowBrokers is an insider who grabbed the data via USB and is trying to pass himself off as a foreign group.”

[Image: tweet from @zipadux]

And then a bit more conversation about the naming structure of the leak:

[Image: further @zipadux conversation about the naming structure of the leak]

Data being removed from the NSA on a USB drive sounds familiar, right? It’s difficult to tell if @zipadux is speaking with authority or making an educated guess, but the lack of Twitter activity until now is certainly interesting.

Snowden

There has been quite a bit of speculation on whether Edward Snowden is involved with this leak or had knowledge of it, as Wikileaks claims. Based on recent behavior from his Twitter account, while there is no evidence at all, it is easy to see why many are asking the question. It is also worth noting that Snowden’s original leak happened in June 2013, and most of the files in the newly leaked archive are dated 2013. While the archive has files dated up to October 2013, and Snowden had already left the NSA and flown to Russia by June 2013, it still makes some wonder if he was involved.

Here is the timeline of events, based on Tweets that have now mostly been removed:

August 3rd, 2016: Snowden says “It’s time.”

August 5th, 2016: Snowden tweeted a “dead man switch” key, or so people thought: “ffdae96f8dd292374a966ec8b57d9cc680ce1d23cb7072c522efe32a1a7e34b0”

No Tweets for 10 days from Snowden.

August 13, 2016: The ShadowBrokers release the NSA tool archive.

August 15, 2016: “The Reports of my death are greatly exaggerated.” (Mark Twain picture)

Today, Snowden is back with some thoughts on this leak, confirming that he believes this is a compromise of an NSA malware staging server.

[Image: Snowden tweet on the compromise of an NSA malware staging server]

He goes on to tweet quite a bit more adding more context and sharing his thoughts that include:

  • NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
  • This is how we steal rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.
  • Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.
  • Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.
  • What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
  • Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
  • Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant:
  • This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
  • That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
  • Particularly if any of those operations targeted elections.
  • Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
  • TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
  • Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So…
  • The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

He ends with one last tweet aimed at the NSA.

[Image: Snowden's final tweet aimed at the NSA]

Now he will most likely go back to focusing on where he can speak next!


Vulnerability Details, Attribution, and Bitcoin Goals (August 17)

Day three of the Shadow Brokers dump of the purported Equation Group exploits, and as expected, technical analysis and wild speculation are prevalent. In this update we cover the attribution angle in more detail below, but one point squarely on many minds is how this auction quickly removed the recent George Soros / Open Society Foundations leak from the news. In the rapidly evolving face of American politics, with several political leaks at play, the notion of a new breach or leak stealing news cycles is certainly feasible, either to bury a previous story or to add more weight to a string of stories that may embarrass a political party. Regardless, the timing of the Shadow Brokers couldn’t have been any better for George Soros and the Open Society Foundations.

As a quick follow-up to our previous update, Vice published an article detailing why GitHub removed the links to the Shadow Brokers’ data dump, citing that it violated the user agreement. Per GitHub’s agreement, that certainly seems like grounds for shutting down the account and falls well outside of conspiracy theory:

“Per our Terms of Service (section A8), we do not allow the auction or sale of stolen property on GitHub. As such, we have removed the repository in question,” Kate Guarente, from Github’s communications team, told Motherboard in a statement.

Sometime today the NSA restored its website content, and you can navigate the site to learn more about what they do and what they consider the threat to be. As we continue to digest the leaked data and understand the implications, one question that will remain front and center is, “what is going to happen next?”

Bitcoin Update

Two days later, the auction for the rest of the exploit archive is still a bit short of the one million BTC goal (a total across all bids, not a single bidder) that would trigger the promised free release to everyone. Fifteen transactions later, the highest bid is 1.5 BTC, a majority of the balance, with the balance now standing at 1.629 BTC or US$947.41.

[Image: bitcoin-update1, auction address balance on August 17]

Dee Kay notes that one of the Bitcoin addresses bidding on the archive has also sent Bitcoins to an address that was part of the Silk Road seizure:

[Image: bitcoin-fbi, bidder address transaction to a Silk Road seizure address]

As Wired notes, no one is really bidding on the stolen NSA “cyberweapons”.

Vulnerability Analysis

With several days to analyze the leaked data, more details are emerging about each of the codenamed exploits. One of the more important things to note is that every released exploit requires access to an interface that is typically restricted to privileged networks or the internal network in general. These exploits would only be valuable against a remote target over the Internet if the firewall were severely misconfigured, making the vulnerable services Internet-addressable. While certainly valuable, the initial impression that these exploits were for remotely compromising firewalls now looks drastically overstated. Despite that, some are offering absurd “expert advice” or masterful trolls.

The current tally of vulnerabilities, many of which appear to be 0days, stands at:

1 Fortigate: EGREGIOUSBLUNDER

1 WatchGuard: ESCALATEPLOWMAN

2 Cisco ASA / PIX: EXTRABACON, EPICBANANA

4 TOPSEC: ELIGIBLECANDIDATE, ELIGIBLEBOMBSHELL, ELIGIBLECONTESTANT, ELIGIBLEBACHELOR

So far, according to Chris Bing, Cisco is the only vendor that has made a public statement acknowledging the vulnerabilities included in the leak.

EXBA: EXTRABACON version 1.1.0.1 – An exploit against the SNMP service of Cisco Adaptive Security Appliance (ASA) devices that affects version 8.0(2) to 8.4(4). XORcat has done a great analysis of this exploit and reports that the exploit requires read access to SNMP as well as access to telnet or SSH to reach the resulting shell. If the exploit fails to gain a shell, it may crash the device. The resulting shell grants user privileges, so the ‘enable’ password or a separate privilege escalation vulnerability is required for privilege escalation afterwards. Hector Martin believes the exploit may be related to the “cufwUrlfServerStatus OID or just general SNMP parsing”. XORcat does not believe this is CVE-2015-4238 based on the information available, meaning this is very likely a 0day. According to Mustafa Al-Bassam, it relies on knowing the target machine’s uptime and software version.

ELCA: ELIGIBLECANDIDATE version 1.1.0.1 – A line in the exploit describes itself as “What is the sound of a single thread blocking?” This web-based exploit targets the /cgi/maincgi.cgi script of Chinese made TOPSEC firewalls version 3.3.005.057.1 to 3.3.010.024.1. Mustafa Al-Bassam adds that the vulnerability more specifically resides in HTTP cookie handling.

ELBO: ELIGIBLEBOMBSHELL version 1.2.0.1 – A web-based exploit reported to be against the Chinese made TOPSEC firewall and affects versions 3.3.005.057.1 to 3.3.010.024.1. Some payloads are noted as having been added as far back as 2009 and have their own code name designations, including WOBBLYLLAMA, FLOCKFORWARD, HIDDENTEMPLE, CONTAINMENTGRID, and GOTHAMKNIGHT. Notes in the exploit include information “FOR DEVELOPERS ONLY”. Mustafa Al-Bassam adds that like ELCA, this injects code via cookies into the web interface and detects the version based on the ETag header.

ELCO: ELIGIBLECONTESTANT version 1.1.0.1 – A line in the exploit describes itself as “A packet drops in a router. Does anyone hear it?” This web-based exploit targets the /cgi/maincgi.cgi script of Chinese made TOPSEC firewalls before version 3.3 via a POST parameter. The exploit also has warnings for the user that the “User may be logged in. PLEASE REVIEW SYSTEM INFO”. Mustafa Al-Bassam says this exploit can be tried after ELIGIBLECANDIDATE.

ELBA: ELIGIBLEBACHELOR – An exploit against TOPSEC firewalls running the TOS operating system, judging by a version string and/or the “tos_configd” reference included in the script. The exploit works against versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. This exploit uses the third-party library from Keld Simonsen called ISO/IEC 14652 i18n FDCC-set. Mustafa Al-Bassam adds that the exploit is designed to install an implant called BLATSTING, which uses a custom-made tool dubbed NOPEN for opening a shell on the victim machine. While the attack vector is unknown, he says it has an XML-like payload that starts with <?tos length="001e:%8.8x"?> and is sent to the custom protocol operating on TCP port 4000. Al-Bassam goes on to note that the exploit author included some humor in the NOPEN payload shell/tunnel.

EGBL: EGREGIOUSBLUNDER version 3.0.0.1 – A web-based exploit of an authentication cookie overflow leading to remote code execution, targeting Fortigate firewalls (various builds of firmware FGT_60-v300) including models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. One researcher notes that Avast calls it CVE-2006-6493, which is a vulnerability in OpenLDAP, and others are fairly sure it is not. One researcher has independently confirmed the exploit works, but it requires access to the web management interface.

ESPL: ESCALATEPLOWMAN version 1.1.0.1 – A local privilege escalation exploit against WatchGuard firewalls, with one very interesting line in the params.py file. One of the configurable parameters is “callback” and the example in the header of the file says “callback       (“30.40.50.60:9342”)  parse to: callback_ip, callback_port”. That IP address is registered to the DoD Network Information Center located in Columbus, Ohio that is part of the Defense Logistics Agency. This may be a telling piece of information, or an unfortunate sample IP address as we see it used in at least one book on administering data centers. One researcher notes that it appears to be unroutable and potentially just a placeholder.

EPBA: EPICBANANA version 2.1.0.1 – This exploits a buffer overflow in line editing functionality in several models of Cisco PIX Firewalls and Cisco Adaptive Security Appliance (ASA) devices. It uses the pexpect.py Python module written by Noah Spurrier and includes an extensive list of credits for helping develop the module. The affected ASA device images include 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, and 832. The affected PIX device images include 711, 712, 721, 722, 723, 724, and 804.

The exploit dump contains many other tools and scripts, along with other wonderful codenames such as BANANAGLEE (impacting Juniper devices), BARGLEE, BLATSTING, BUZZDIRECTION, DurableNapkin (post-firewall packet injection tool), SCREAMPLOW, Teflon Door (self-destructing exploitation payload), FalseMorel (tool to bypass Cisco enable password), BANANAUSURPER, and BANANADAIQUIRI. The NOPEN tool referenced earlier appears to be a tunnel to hide the source of attacks via TCP port 32754 by default, according to one researcher.

According to another researcher, among the tools is a script named stager.sh that includes code showing the Equation Group masquerades as Chinese actors by default, querying Chinese domains. As with everything else in this leak, it has to be questioned whether this is really a sign the scripts were authored by Western powers versus any other nation-state. After all, if the tools are lost, as these were, wouldn’t it make sense to plant false flags?

Attribution

There are three facets of attribution facing this leak. First, is the leaked data truly from the Equation Group; second, who leaked the data; and third, is the Equation Group really part of the National Security Agency (NSA)? While most people interested in attribution are focusing on who leaked the data, Kaspersky Lab’s Global Research & Analysis Team has posted convincing evidence that the leaked data directly correlates to the Equation Group’s tools analyzed in February of 2015. One of the more distinctive aspects of the Equation Group’s arsenal is the use of the RC5 and RC6 algorithms, which also appear in the new dump. Kaspersky’s team breaks down several uses of the same algorithms and code bits that make a compelling argument that the newly released files are indeed from the same group. It is interesting to note that in all of this time, Kaspersky has never officially said that the Equation Group was the NSA. Strong implications and third-party articles making that conclusion (some with ex-NSA sources) are prevalent, but Kaspersky has never publicly stated that connection.

Like last year’s analysis and conclusions, the Washington Post has gone on the record to say the leaked Equation Group files are directly tied to the NSA:

[Image: Washington Post quote tying the leaked files to the NSA]

The more popular attribution argument centers around who leaked the data. The last few years have demonstrated that a few obvious culprits will be named in any ‘cyber’ incident: China and Russia. It’s only a matter of time before these names are bandied about, and this time is no exception. Edward Snowden said Russia is the primary suspect in this leak in a series of Tweets covered yesterday, and further covered in a Forbes article today. CTO of Immunity Inc, Dave Aitel, who is a former NSA employee, makes an argument that the leak can be attributed to Russia too, but many have already responded that it is not a compelling argument at all.

Others are approaching the leaker attribution question from a more analytical standpoint, looking at the text accompanying the leak. Anup Ghosh says he is looking forward to “linguistic analysis of the Shadow Broker’s broken English.” User ‘kafkaesq’ on Y Combinator’s Hacker News makes observations about the language used, and others chime in with their knowledge of speaking multiple languages. While such analysis is very interesting, it has to be taken with a grain of salt. Advanced adversaries that perform such a leak should be assumed to be wise enough to use various techniques to throw off would-be detectives, and may use such language purposefully. As Nick Galbreath points out, “spelling is opsec”. Even in the actual code, such as the stager.sh script mentioned above, proof of attribution must be solid, as Greg Barnes notes.

While technical evidence may be completely lacking and speculation rules the day, it cannot be ignored that the timing of this leak in the current U.S. political climate is suspect. With the last few weeks of U.S. news dominated by Donald Trump and questionable ties to Russia and Vladimir Putin, as well as Trump’s speeches calling for Russia to hack U.S. government resources (in jest or not), it raises the question of whether the Equation Group leaks are part of a political agenda. The Register is one of many news outlets to put that theory forward, in addition to hundreds of Twitter denizens. This is the type of speculation that is important to discuss, but prudence demands that it remain no more than part of the discussion until evidence surfaces.

Analysis, Trolling, and Attribution (August 18)

Miscellaneous Updates:

Four days after the leak, the news and analysis are flowing steadily. Some continue to work through the technical details of the leaked tools and exploits while others continue to debate and put forth theories about the facets of attribution. Regardless of who ends up catching the blame, Christopher Soghoian reminds us that it’s only a matter of time before a Congressional investigation is started. Two days after the NSA’s website stopped delivering content, the agency Tweeted that “Monday’s storm related tech issue is resolved.” While there were heavy storms in the area of the agency’s Maryland headquarters, as ZDNet notes, they also remind us that the timing “couldn’t have been worse”.

Since the leak hit the news, some were speculating on the origin of the name “Shadow Brokers”. Some early pondering suggested the name came from the popular game Mass Effect 2. In the game, “the Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder” according to the Mass Effect Wikia. Today, Matt Suiche tweeted that a source of his confirms that the NSA TAO team members are “massive players of it”. While an interesting tidbit, it ultimately does not help with the attribution of the party that leaked the data.

With so many news outlets and security companies providing some level of coverage of this ordeal, there are bound to be a few that stick out for the wrong reasons. One of the most discouraging things we keep encountering is large news outlets using sensational headlines that are entirely misleading. For example, the New York Times is one of many asking in big bold letters, “was the NSA hacked?” This was never really a serious question, even in the first hours after the leak surfaced. Regardless of how it happened, suggesting the agency “got hacked” in a headline is irresponsible. And it isn’t just the mainstream news outlets; security bloggers that should know better are falling into the same trap. “The NSA was badly hacked in 2013, and we’re just now learning about it.” No, this is wrong on several levels. Even worse, some headlines are suggesting this leak “signals a Cyber Cold War”. If anyone is under the notion that we haven’t been in a virtual cold war scenario for the better part of the last decade, it might be prudent to read more about nation-state actors and their history of hacking.

One thing is certain to us: examining the leaked data can only help. Validating the leaked vulnerabilities, determining whether they are newly disclosed, and knowing their severity is part of risk management and protecting your network. We’ve seen the benefit already, as two vendors have confirmed that at least three of the vulnerabilities were previously undisclosed 0-days and are already working on fixes. If your security provider’s response to such a leak is to not even download the files, to stay away from them, and to call it a “scam”, strongly consider whether keeping your head in the sand is the right approach to security.

Bitcoin Update:

Watching the bids on the remaining leaked data has not been exciting, given the dismal history. Since the auction is designed so that losing bids are not recovered, it is understandable that most would not bid. However, if the remaining data is as good, or better, than the public data, it is still a tempting target. While some may doubt that most people have $850 to just throw away, that price is a fraction of the bar tab some security companies pay at their annual Las Vegas parties. Even if the winning bid ends up being $5,000 for example, that is more than a bargain for multiple 0-day vulnerabilities, especially if in security software.

Today did bring a good dose of humor to the bidding war, as a string of bids came in with clever BTC addresses, effectively Rickrolling those watching.

1never9kNNkr27UseZSHnaEHg1z8v3Mbb
1gonnaV3MFNjymS4RGvUbHACstiS8aSYz
1giveGEk184Gwep2KT4UBPTcE9oqWzCVR
1youKBMLEohsexdZtkvnTzHnc4iU7Ffty
1upAbpBEWQ467QNT7i4vBMVPzSfQ3sqoQ
1never9kNNkr27UseZSHnaEHg1z8v3Mbb
1gonnaV3MFNjymS4RGvUbHACstiS8aSYz
11etAyypstpXLQpTgoYmYzT8M2foBSBe1
1youKBMLEohsexdZtkvnTzHnc4iU7Ffty
1downAsBbRQcBfUj8rgQomqhRsNFf1jMo
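
Vanity addresses like the ones above are ordinary addresses whose leading characters were brute-forced; the Base58Check checksum still has to hold, which is what lets a hash-of-a-key be spelled “1never”. The following is an added example, not code from the post: a Base58Check decoder you can use to confirm that a bid address is well-formed before reading anything into it. The bid addresses are copied from the list as printed here and have not been re-checked against the chain, so a transcription error will simply show up as invalid; the genesis-block address is included as a known-good reference.

```python
"""Base58Check validation for Bitcoin addresses (added example, not code from the post)."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l


def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)        # ValueError on any non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def decode_address(addr):
    """Return (version_byte, hash160_hex); raise ValueError on length or checksum failure."""
    data = b58decode(addr)
    if len(data) != 25:                        # 1 version + 20 hash160 + 4 checksum
        raise ValueError("wrong length")
    payload, checksum = data[:21], data[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("bad checksum")
    return payload[0], payload[1:].hex()


def is_valid_address(addr):
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False


# Bid addresses as printed in the post (not re-verified against the chain), plus
# the genesis-block address as a known-good reference value.
BID_ADDRESSES = [
    "1never9kNNkr27UseZSHnaEHg1z8v3Mbb",
    "1gonnaV3MFNjymS4RGvUbHACstiS8aSYz",
    "1giveGEk184Gwep2KT4UBPTcE9oqWzCVR",
    "1youKBMLEohsexdZtkvnTzHnc4iU7Ffty",
    "1upAbpBEWQ467QNT7i4vBMVPzSfQ3sqoQ",
    "11etAyypstpXLQpTgoYmYzT8M2foBSBe1",
    "1downAsBbRQcBfUj8rgQomqhRsNFf1jMo",
]
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

if __name__ == "__main__":
    for a in BID_ADDRESSES + [GENESIS_ADDRESS]:
        print(a, "valid" if is_valid_address(a) else "INVALID")
```

Note that the lyric “let” had to be spelled “1et”: lowercase l is excluded from the Base58 alphabet, so the decoder rejects it outright rather than failing on the checksum.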

As of August 17, 10PM EST, there are 26 bids for the rest of the leaked data totaling 1.72303178 BTC, or US$990.73. Still a ways to go to reach one million BTC!

[image: bitcoin-day4]

Attribution Thoughts:

As the technical analysis of the leaked information slowly dwindles, the one aspect that will undoubtedly keep going is attribution. As previously noted, there are three facets of attribution facing this leak. First, is the leaked data truly from the Equation Group? Second, who leaked the data? And third, is the Equation Group really part of the National Security Agency (NSA)? The growing consensus is that the information leaked is legitimate and belonged to the Equation Group. Most giving input on the topic over the last year have not disagreed with Kaspersky’s analysis that the group is in a “position of superiority” to the creators of Stuxnet and Flame, which have been directly attributed to the U.S. government. With that, the facet of attribution that has everyone curious is who leaked the data.

After Snowden’s Twitter explanation of why he thought Russia was behind the leak, Thomas Rid gave his input on Snowden’s sentiments in the context of where Snowden is right now, and the likelihood of him being in contact with Russian intelligence officers. Quite simply, one cannot ignore the fact that Snowden is in Russia and is essentially blaming Russians for this attack. Blaming the country protecting him and granting him asylum from the wrath of the United States might seem unwise. Jumping on the Russian theory, some news outlets like The Verge wrote about it without offering any additional evidence or compelling arguments. Others like The Observer offered perspective and history that make a more convincing argument for Russian involvement. On the flip side, some still maintain the leak is the result of an insider who had privileged access at an NSA facility and walked out of the building with the information on a thumb drive (or in a similar manner). Several disagree with this theory on many grounds, one being the principle of Occam’s razor. Other disagreements are more comprehensive and cite anonymous ex-NSA sources, but have serious flaws or assumptions in their counter-arguments. More to the point, the claims that the leak did not occur via a compromised NSA pivot box (i.e. one they used during an op) and that tools would not be left behind run counter to the reminders found in the exploit code itself (last line).

Any attempts to determine who is behind the Shadow Brokers by contacting the ISP they used to disclose the information will run into a dead end according to Vice, who contacted one of the ISP’s co-founders. In the meantime, others are doing a more detailed analysis of the language used in the leak announcement while others are analyzing the language in the leaked tools. Still others are approaching this from a different angle, taking note of the technology used by the leakers, while others are revisiting older bits and bringing new perspective.

Vulnerability Update:

The last 24 hours have been enlightening, as three of the vulnerabilities in the dump have been validated by their vendors and are now confirmed 0-days. Earlier, Cisco released an advisory acknowledging EXTRABACON (now CVE-2016-6366) and EPICBANANA (now CVE-2016-6367) as valid, indicating they are working on patches for affected devices, along with a blog post giving a high-level overview of the incident. Additionally, Fortinet’s FortiGuard released its own advisory confirming that EGREGIOUSBLUNDER (no CVE yet) is valid, but that it only affects the 4.x firmware line and the entire 5.x line is not vulnerable. The tool known as FEEDTROUGH, targeting Juniper firewalls, is currently being reviewed by Juniper.

There have also been a variety of observations as analysts continue to sift through the leak. Some highlights:

Perhaps the most amusing discovery yet is that the Equation Group’s “noclient” (version 3.0.5.3) is vulnerable to a pre-authentication buffer overflow. Apparently, ‘Rawsend’ mode trusts user input, and it shouldn’t. We won’t hold our breath for MITRE to assign a CVE identifier.

Vulnerability Analysis, Government Claims, and the Ex-NSA Conundrum (August 19)

Another day, another round of interesting takes on the Shadow Brokers’ leaked documents. Sorting through all of the discussions and articles is still a monumental task, but there is a lot of great information to be had. We’ll start with some of the usual updates, including miscellaneous bits, attribution, Bitcoin, and vulnerability analysis updates. After that, we’re going to broach a topic that isn’t receiving much (or any) attention, but likely should.

First, questionable and arguably irresponsible headlines and news articles are growing at a concerning pace. Asking “What Exactly Are the NSA Hackers Trying to Accomplish?” presupposes that someone hacked the NSA, which is almost certainly not the case, and the article puts forth zero evidence to back the claim. There is a very big, very important distinction between hacking the NSA (i.e. breaking into its network), hacking a random machine on the Internet that contained some of its tools, and walking out of the agency with a thumb drive full of stolen data. Only the latter two theories are actually being discussed, and neither of them involves hacking the NSA’s network. Other articles mimic the same sensationalist and irresponsible wording, which cannot be dismissed as hyperbole. “Yup! The NSA Got Hacked” and “If the NSA can be hacked, is anything safe?” are wrong from the start.

Taking it a step further, Wired’s recent headline “The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days” is a non sequitur. By this headline’s logic, we would have seen similar leaks from PLA Unit 61398, the RBN, and many other state-sponsored groups in the past few years. Even the Hacking Team compromise, which Wired covered a year ago, resulted in thousands of emails being leaked but relatively few of the 0-day exploits from their archive. The notion that any group that hoards 0-days will get compromised and have its tools leaked is wrong. Sure, it will happen from time to time, but the simple truth is that those 0-day exploits have incredible value. If a person or group is skilled enough to compromise one of these organizations and pilfer the exploits, they are likely to keep them for their own use, not disclose them publicly.

Moving on, there has been at least one dubious claim that this leaked data has “been available .. for over a year”. While we have not spent much time trying to verify that, it seems very unlikely given the number of security and threat intelligence firms that spend countless hours on the Dark Web looking for such things. Speaking of leaks, a Twitter account popped up claiming to be an “Official Shadow Broker Member” and says that a “CNN File Leakage is next.” We’re taking this one with a grain of salt.

[image: shadowvine]

Backing away from the Shadow Brokers leak minutiae, Soul Arbiter gives higher-level commentary on the disclosure: “The #ShadowBrokers thing IMO shows a lack of capacity in the Infosec community in conducting research. Too few people. Too few skills.” This is a very interesting sentiment, and one we could write a book on. ‘Cybersecurity’ is often called a zero-unemployment industry, since there are not enough people to fill all of the open roles. Despite tens of thousands of ‘brilliant’ security researchers, we still see more vulnerabilities disclosed every year, and more data breaches every year. While you may think that disclosing vulnerabilities leads to a more secure environment, remember that a large percentage are not coordinated with the vendor and in many cases no solution is available. This is a good reminder to our entire industry that we must continue to evolve and find new ways to protect customers, without resorting to blinky lights and bolt-on solutions that don’t address the root causes.

Bitcoin Update

In our August 17 update, we noted that some coins sent to the Shadow Brokers’ BTC address were also sent to an address involved in the Silk Road seizure. Security researcher Kryptia dug into this further and notes that “some of the bitcoin payments are coming from the seized Silk Road bitcoins and account.” This raises the question of whether the U.S. government, presumably the FBI, is using this to ‘taint’ the auction and/or stir the waters.

A day later, and the leaked data auction shows a very tiny increase to 1.73818328 BTC, but a jump from 26 to 41 bids:

[image: bitcoin-day5]

Vulnerability Analysis Update

One of the biggest revelations from the past 24 hours is that the tool archive apparently has an exploit that can remotely extract Cisco VPN private keys. This is potentially the most damaging exploit to organizations worldwide, and the most critical exploit found in the dump. Virtual Private Networks (VPNs) are designed to secure communication between remote users and the work network, so compromising one offers privileged access. Security researcher Mustafa Al-Bassam, who has been doing incredible work in his technical analysis of the dump, posted a series of Tweets outlining his findings yesterday, and followed up with a blog post giving more details. The exploit, dubbed BENIGNCERTAIN in the dump and re-branded as PIXPOCKET with a fun logo, affects Cisco PIX firewall versions 5.2(9) to 6.3(4). Researcher XORcat tested the exploit and confirmed it does not work against version 8.4(2) of the Cisco Adaptive Security Appliance (ASA). In addition to the analysis of the functioning exploit code, Al-Bassam points out there are over 15,000 Cisco PIX firewalls online and vulnerable to this issue, ironically “most of them in Russia”. That said, while the affected versions and their release dates suggest the vulnerability may have been present since 2002, the evidence does not support some of the headlines.

[image: pixpocket]

In addition to the exploits and tools, security researcher Jeff Harrison discovered the serial numbers of four Cisco ASA devices in screamplow-install.txt within the dump. Unless the ownership of the devices is established, it is uncertain whether these were devices used during development of the exploit or real-world targets that were potentially compromised.

Brendan Dolan-Gavitt noticed traffic against Cisco devices attempting to exploit the SNMP packet-handling remote buffer overflow from the leak (EXTRABACON). WatchGuard has posted a statement saying the disclosed ESCALATEPLOWMAN vulnerability, which appears to target RapidStream appliances, does not impact WatchGuard Firebox and XTM appliances (WatchGuard acquired RapidStream in 2002). The post ends with a note essentially saying they did not test RapidStream devices, implying that none are available to them this long after the acquisition. Finally, Sài Gòn Séamus and Jeff Harrison noted that an IP address found in the BOOKISHMUTE exploit (159.226.209.125) belongs to the Computer Network Information Center in China, implying it was targeted at some point.
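
The exploit traffic Dolan-Gavitt observed is the kind of thing a defender can screen for at the edge without a vendor signature. The following is an added example, not code from the post or from the leak: a minimal BER parser for SNMPv1/v2c request PDUs with two heuristics, any Get/GetNext/GetBulk request arriving from outside a management-host allowlist, and any request whose OID is far longer than a real MIB object. The management host, community string, arc threshold and sample packets are all constructed assumptions for the example, and the long-OID rule is likewise an assumption about what distinguishes an exploit attempt from a poll; the oversized OID below is a stand-in, not the real EXTRABACON payload. The parser is general for v1/v2c requests, so the same code can be pointed at any UDP/161 payloads pulled from a capture.

```python
"""Heuristic screening of SNMP requests (added example; not code from the post or the leak).
All constants and sample packets below are constructed assumptions for this example."""

MANAGEMENT_HOSTS = {"10.0.0.5"}      # assumed: the only hosts allowed to poll the firewall
EXPECTED_COMMUNITIES = {"public"}    # assumed: whatever the device is actually configured with
MAX_OID_ARCS = 32                    # assumed threshold; tune against your own polling traffic
GET_PDU_TAGS = {0xA0, 0xA1, 0xA5}    # GetRequest, GetNextRequest, GetBulkRequest

def _ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content

def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(arcs):
    """Encode an OID given as a list of arcs (base-128 digits with continuation bits)."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return arcs

def _read_tlv(buf, pos):
    """Return (tag, content, position just past this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_request(community, oids, pdu_tag=0xA0, request_id=1):
    """Build an SNMPv2c request carrying the given OIDs (used to construct the samples)."""
    varbinds = b"".join(_tlv(0x30, encode_oid(o) + _tlv(0x05, b"")) for o in oids)
    pdu = _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds)
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))

def parse_snmp(packet):
    """Return (version, community, pdu_tag, [OID arc lists]) for an SNMPv1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        tag, oid_body, _ = _read_tlv(vb, 0)
        if tag == 0x06:
            oids.append(decode_oid(oid_body))
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu_tag, oids

def inspect_request(src_ip, packet):
    """Return the reasons an SNMP request looks anomalous (empty list = unremarkable)."""
    _, community, pdu_tag, oids = parse_snmp(packet)
    reasons = []
    if pdu_tag not in GET_PDU_TAGS:
        return reasons
    if src_ip not in MANAGEMENT_HOSTS:
        reasons.append(f"SNMP request from non-management host {src_ip}")
    if community not in EXPECTED_COMMUNITIES:
        reasons.append(f"unexpected community string {community!r}")
    for oid in oids:
        if len(oid) > MAX_OID_ARCS:
            head = ".".join(map(str, oid[:8]))
            reasons.append(f"oversized OID ({len(oid)} arcs) starting {head}...")
    return reasons

# Constructed sample traffic: a normal sysDescr poll from the management host, and a
# request from an Internet host carrying an absurdly long OID under the Cisco enterprise
# arc. The second is a stand-in for an exploit attempt; its arcs are arbitrary.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_request("public", [[1, 3, 6, 1, 2, 1, 1, 1, 0]])),
    ("203.0.113.9", build_request("public", [[1, 3, 6, 1, 4, 1, 9] + [255] * 120])),
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_TRAFFIC:
        print(src, "->", "; ".join(inspect_request(src, pkt)) or "ok")
```

The first rule is the one that matters: on a correctly segmented network SNMP should never arrive from the Internet at all, and an alert on that condition catches the misconfiguration before anyone needs to recognise a specific exploit. The OID-length rule is a cheap second net; measure the longest OID your own pollers legitimately request before setting the threshold.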

Attribution Guessing Continues

As always, we’ll remind our readers that so far, all talk of the various types of attribution are based on guesses and theory, with little to no evidence to back them up. It is important to discuss attribution and the implications, but please remember to be prudent in how you put your opinions forward.

[image: bingo]

First, in the “Russia did it!” news, various outlets are reporting that Russia was behind the hack as a warning, per Edward Snowden. While most reading these articles focus on who leaked the files, it is interesting to note that Snowden also seems to be behind the theory that the tools were taken off an active server on the Internet, rather than an inside job:

Because enemies do the same thing, said Snowden, NSA hackers told not to get their tools off an enemy system after an operation. But, added the whistleblower, “people get lazy”.

It is important to note that the articles attributing the leak to Russia may be counter to other claims based on analysis of the messages accompanying the leaked data. Security company Taia Global has posted an article detailing that the Shadow Brokers are “native English speaker[s] trying to appear non-native”.

Security researcher The Grugq has posted his take on how the information was stolen, directly countering theories put forth by Dave Aitel and others. By The Grugq’s thinking, the firewall ops kit “came from a dumb TAO operator mistake, not the Snowden docs, not an insider.” He goes on to give his theory and justification for this claim.

Finally, according to Sam Biddle of the Intercept, they “can confirm that the arsenal contains authentic NSA software”:

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.

Ex-NSA Employees Quoted

In yesterday’s update on attribution thoughts, we mentioned that some outlets are citing ex-NSA sources in their theories about the leak. In some cases they are using the names of the ex-NSA person, while others quote them anonymously. We find it interesting that there are so many ex-NSA employees that are willing to go on record like this when it could be problematic for them. It is important to note that just because information is leaked to the public, in any fashion or method, does not change the classification status of it. As such, any government employee, past or present, must be careful when giving public comment on it for a variety of reasons. More importantly, when it comes to the ex-NSA employees giving commentary, we thought there might be rules or regulations on that.

Matt Suiche appears to have gone the farthest, not only citing an anonymous ex-NSA analyst, but providing picture proof of his source’s accreditation. It’s funny that he both solicited and received proof from a former NSA employee, and posted it, because we solicited the rules and regulations from a former NSA employee ourselves. Our source provided no evidence of his employment, but gleefully helped us by pointing out the regulations his source, and others, broke.

[image: nsa-proof]

National Security Agency/Central Security Service Policy 1-30 states that the policy applies to all current and former NSA/CSS affiliates and reflects lifetime obligations agreed to in non-disclosure agreements. The policy later defines the non-disclosure agreements as:

A lifetime obligation to safeguard all protected information, to submit all information intended for publication and/or public release for prepublication review, and to report any unauthorized disclosure of protected information. NSA/CSS affiliates are legally bound and obligated by any NdAs they sign for access to NSA/CSS information. They shall not confirm or deny information about NSA/CSS that appears in the public domain without prior approval through the classification or prepublication process.

The policy goes on to say, regarding “public release in a private capacity”, that “NSA/CSS affiliates acting in a private capacity, and not in connection with their official duties, may prepare information for public release without management approval or policy review provided that the affiliate [..] Uses a disclaimer on any material in which an NSA/CSS affiliation is cited, stating that the views and opinions expressed are those of the affiliate and do not reflect those of NSA/CSS.”

18 U.S. Code § 798, governing the disclosure of classified information, sets forth the following law and penalties:

(a) Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information—
(1) concerning the nature, preparation, or use of any code, cipher, or cryptographic system of the United States or any foreign government; or
(2) concerning the design, construction, use, maintenance, or repair of any device, apparatus, or appliance used or prepared or planned for use by the United States or any foreign government for cryptographic or communication intelligence purposes; or
(3) concerning the communication intelligence activities of the United States or any foreign government; or
(4) obtained by the processes of communication intelligence from the communications of any foreign government, knowing the same to have been obtained by such processes—
Shall be fined under this title or imprisoned not more than ten years, or both.

While there may be wiggle room in the wording of 18 USC 798, this law potentially applies to any ex-NSA employee verifying TAO Group activity, procedure, and/or methodology in a public manner. Journalists, remember this when you ask your sources to go on record. Sources, remember this when you go on record.

Auction File: Only Worth What Someone Is Willing To Pay (August 22)

There are so many facets to the recent Shadow Brokers’ leak it can be a bit overwhelming. But the Shadow Brokers’ mess does highlight front and center the importance of the perceived value of exploits and vulnerabilities. It is impossible to ignore the value of the exploits when this whole situation is potentially about an auction of high-end vulnerabilities.  

In each RBS blog update covering the leak, we have provided a quick update on the auction status, and the reality is that the auction itself isn’t going very well. The leaked data auction recently showed an increase to 1.74847373 BTC (about US$1017.47), jumping from 41 to 56 bids:

[image: EG-Value1]

If this auction really contains valuable 0-day exploits, then one would expect that this would be worth bidding on for sure. But the parameters of the auction are far from standard, and may be one of the many reasons that the auction isn’t proceeding quickly. Rather than a traditional auction where a losing bid means your bid is returned and you lose no money, any bid on this data is not refunded if you do not win. It is also important to note that many believe that this really isn’t about an auction at all, rather to make a statement.

In March 2009 at the CanSecWest security conference, several researchers announced their new philosophy and mantra, “No More Free Bugs”. It sparked a debate about the issues in the security research community, and made it clear that some researchers had expectations of monetary compensation for their work. They also explained that reporting vulnerabilities for free without any legal agreements in place was risky altruistic work. The goal was to raise awareness of the problems and to push for more legal and transparent options for monetizing security research. In their eyes, this would hopefully ensure that fair market value for a researcher’s findings would be obtainable, and also give researchers an incentive to look for vulnerabilities in potentially insecure products. While bug bounties had existed since 1995, when Netscape first introduced the concept, this movement has been pointed to as a potential watershed moment that helped drive the mainstream rise and popularity of bug bounties.

[image: EG-Value2]

The Shadow Brokers actually did exactly the opposite of what the No More Free Bugs movement wanted. They provided some free bugs (several now confirmed as 0-days) as part of the initial dump, which they stated was proof that the auctioned material was legitimate and real.

The proof file is 134 MB of compressed data that once decrypted is 186 MB and expands out to a 301 MB archive. The file being auctioned is 131 MB compressed, so roughly the same size as the free data.

[image: EG-Value3]

Going by compressed size, the auction file is roughly as large as the proof file, i.e. about half of the total (131 MB of 265 MB), so we have likely seen about half of the data they have from the Equation Group. However, the Shadow Brokers claim they have kept the best material for the auction file, which is supposedly where the real value lies. Here is their statement from the initial dump:

We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you.

You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems?

They are claiming what is to come is “better than Stuxnet”, and hinting that tools could be used to attack banks. Dee Kay tweeted that there was some recent information posted on Pastebin that was of note.

[image: EG-Value4]

The Pastebin content contains a bunch of news articles about SWIFT fraud, and as Dee Kay notes, the Pastebin text is probably not related but the timing is interesting with the hint of SWIFT exploits in the auction file.

Others such as Bruce Schneier have stated that they believe it is more likely that the second dump will never happen, and if it were to be released it would be mostly junk.

They claim to be auctioning off the rest of the data to the highest bidder. I think that’s PR nonsense. More likely, that second file is random nonsense, and this is all we’re going to get. It’s a lot, though. Yesterday was a very bad day for the NSA.

While this is one possibility, Schneier apparently forgets that while the auction may be PR nonsense, the data may be real and could be released at any time. Regardless of the speculation, the Shadow Brokers are claiming they will release it to the highest bidder, and the process of the auction has already been thoroughly covered.

Value Of The Auction File

Establishing value on 0-day vulnerabilities is often difficult. There are relatively few historical data points, a general lack of participants, and almost no transparency in the market. That said, we reached out to Jonathan Cran at Bugcrowd to help us dig into the value of the leaked vulnerabilities. As a recap you can look at our previous blog post or other analysis of what has been discovered thus far.

The current tally of vulnerabilities, many of which appear to be 0-days, stands at:

  • 2 Cisco ASA / PIX: EXTRABACON, EPICBANANA (both confirmed 0-day)
  • 1 Cisco VPN: BENIGNCERTAIN (unconfirmed by vendor, apparent 0-day)
  • 1 Fortigate: EGREGIOUSBLUNDER (confirmed 0-day, affects old 4.x versions only)
  • 1 Juniper: FEEDTROUGH (unconfirmed, vendor is investigating)
  • 1 WatchGuard: ESCALATEPLOWMAN (confirmed not to affect WatchGuard devices, rather RapidStream devices, acquired in 2002)
  • 4 TOPSEC: ELIGIBLECANDIDATE, ELIGIBLEBOMBSHELL, ELIGIBLECONTESTANT, ELIGIBLEBACHELOR (unconfirmed if valid and/or 0-day)

Each of these vulnerabilities would have provided (and in some cases still provides) access to a core piece of a target’s infrastructure, a router or firewall. Several of the vulnerabilities targeting firewalls and security appliances require access to the management interface or, in one case, the SNMP service. These would not be reachable over the Internet unless the organization seriously misconfigured the device. The exploit against Cisco VPNs, however, specifically targets a service that is designed to be external, making it the most valuable one of the leak.

It’s unclear if these capabilities were obtained through a wholesale purchase, developed by a government contractor (there are several job openings for what appear to be exploit development roles at Harris, Booz Allen and Lockheed), developed in-house at the NSA, or some mix of these options. It’s also possible they were developed in collaboration with another agency.

Much of the value of these exploits flows from the market penetration of the targets. These are some of the most commonly installed firewall and routing capabilities on the internet.

  • Cisco – 13.9% worldwide market share as of 2016.
  • Fortinet – 13.8% worldwide market share as of 2016.
  • Juniper – 4.8% market share  as of 2016.
  • WatchGuard – 3.0% market share as of 2016.
  • TOPSEC – <1.5% worldwide market share as of 2016, but 16.5% market share in China as of 2013.

Assuming a buyer with offensive intent, a couple of the other factors that would weigh into the value of an exploit:

  • Target versions and configuration
    • Specific affected versions – It’s better if multiple versions, and if the software is EOL’d while enjoying a wide deployment, all the better
    • Default configuration – A default configuration is obviously ideal.
    • Variety of affected products – For instance, EXTRABACON affects PIX, hardware and virtual ASAs, and the ASA/firewall service modules for Catalyst switches.
  • Capabilities and type of target
    • Remote, Internet-accessible devices are valued higher than client-side software
    • Hardware is valued higher than software because the bug can be much harder to kill
    • The ability to monitor / control network traffic is an incredible capability for an attacker
  • Exploit reliability and cleanup
    • Does it ever crash the target?
    • Is it detectable after exploitation? What about over the wire?

Now, there’s a significant difference between the pricing for offensive use versus the pricing for defensive use. As a defender, your goal is to kill the bug as quickly and efficiently as possible, thus reducing the exposure. It doesn’t always mean a software update – there may be mitigations and workarounds you can put into place if you have the vulnerability details as well. That said, the defensive value is often much less than the offensive value despite it potentially helping thousands of organizations, versus one buyer using it for offensive purposes.

As an attacker, your goal is to extend the life of the bug by limiting its detection for as long as possible. When selling to a buyer with offensive intent, the seller must take significant (and costly) OPSEC precautions and make tradeoffs in risk that defensive sellers don’t need to take on.

Not all targets are equal when determining a value for an exploit, and this is reflected in Bugcrowd’s pricing table below (maximums are published precedents; the offensive figures are estimates):

Category                  | Examples                                                                                               | Defensive pricing max         | Offensive pricing max
“Bespoke” web services    | Most bug bounties; web services like twitter.com (hackerone.com/twitter, bugcrowd.com/mastercard)      | $33,500 (Facebook)            | Unknown, 1-2x?
COTS web software         | Underlying web software like Ruby on Rails or Perl (Internet Bug Bounty; ex: WHMCS / Magento bounties) | $20,000 (Internet Bug Bounty) | Unknown, 3-10x?
COTS installable software | Operating systems like Windows or iOS (Google’s VRP, Microsoft’s program, Yandex’s browser program)     | $100,000 (Microsoft)          | $80-85k? for Windows (Trustwave report)
COTS hardware devices     | Hardware devices such as Apple’s iPhone Secure Enclave (ex: FCA, GM, Tesla bounties)                   | $200,000 (Apple)              | $500k-$1M for iPhone (Zerodium, FBI)

Based on these precedents, it’s reasonable to think that the defensive market street value of these exploits is somewhere between $200,000 and a cool million. That said, given the capabilities of the targets, in the hands of the right buyer these exploits could be worth a LOT more.

What other firewall vendor’s exploits could potentially be part of the next auction file dump? Check Point, Palo Alto, Dell? Based on the firewall market share data it would make sense to see these vendors, as well as other lower market share vendors that are specifically deployed more heavily in target countries of interest.

Regardless of market share data, if certain organizations or countries were targeted it could have heavily influenced the exploit development for specific vendors and products. It has been noted that Russia has the highest amount of Cisco PIX firewalls as found by Shodan.

[image: EG-Value5]

Christopher Soghoian tweets that a professor reviewed the code and gave them a failing grade:

[image: EG-Value6]

Nothing like code shaming! But it also seemed to imply that the dump is worth less because the code is bad. However, as quite a few quickly pointed out, that is the problem with academia. Focusing on code quality, and not on the fact that the code is confirmed to work, is weaponized, and is quite powerful, is short-sighted and misses the value of the vulnerabilities.

[image: EG-Value7]

Robert Graham also considers it nonsense to point out that the code is bad or makes obvious crypto errors. He states that the tools in the proof dump were largely created by penetration testers, not software developers. He goes on to say:

From that perspective, then, this is fine code, with some effort spent at quality for tools that don’t particularly need it. I’m a professional coder, and my little scripts often suck worse than the code I see here.

Finally, Graham points out that despite the 0-days in the dump, it appears to consist mostly of post-exploitation tools.

They look like the sort of tools pentesters might develop over years, where each time they pop a target, they do a little development based on the devices they find inside that new network in order to compromise more machines/data.

Pedram Amini was quoted as saying that “None of the code appears to be of the high-value type that could command the millions of dollars that the Shadow Brokers are seeking.” We assume that he was referring to the overall goal of 1M BTC. However, the same article reports that he “estimated the most significant attacks, targeting products built by Cisco Systems Inc., would fetch tens of thousands of dollars in the attack-code market.” Note that this comment was likely made before the details of BENIGNCERTAIN, the VPN exploit, were discovered.

Whenever bug bounties come up, so does the claim that the black and gray markets always pay dramatically more than an official bounty program. This topic has been discussed for many years, and even SecuriTeam Secure Disclosure claims its largest payout was over US$1M.

A recent post titled The Black Market Lie examined this argument further: that black markets pay more than bug bounties, thus somehow making bug bounties irrelevant. The blog covers a lot of topics, but in the end concludes by saying:

Hopefully this will be useful in dispelling a common, weak argument against bug bounties. Black markets are certainly something to consider in the overall picture of security, but they hardly make a modern security program irrelevant and only provide more reasons to encourage hacking.

There are some other interesting questions about bug bounty programs that arise such as:

  • If these firewall vendors had had bounty programs in place, would these bugs have been discovered and patched earlier?
    • If possible, what would have needed to be the minimum bounty price to ensure they were disclosed? 1k? 5k? 50k? More?
  • Why don’t these vendors have a bug bounty program?
    • Are there other network vendors that have bounty programs?
      • e.g. Barracuda has one.
  • Have other similar bugs such as the ones included in the proof file been found?
    • Were they disclosed to the vendors?
    • Was a bug bounty program involved?
  • What are the real chances that this would have been disclosed with proper incentive?

No matter what you may think the auction file is actually worth in monetary terms, it is hard to discount that some of the exploits in the proof file are substantial. In fact, Hacker Fantastic takes it a step further, pointing out that remote unauthenticated Cisco PIX and ASA exploit code is extremely valuable. We believe this statement does not take into consideration that most of the exploits require internal network access, and that it focuses on the Cisco VPN exploit, which is arguably the most valuable of the entire dump.

EG-Value8

If the Shadow Brokers are sincere that the auction file contains even more powerful, better exploits and tools that have yet to be seen, then it does seem logical that the next dump would in fact be very valuable.

Government Involvement With 0-day Vulnerabilities

At DEF CON 20, General Alexander from the NSA gave the keynote address. It was the first time that the NSA had publicly attended the conference, but more importantly had a top ranking official speaking to the crowd. The speech was in 2012, just a year prior to the Edward Snowden leaks, which makes going back and analyzing the transcript even more interesting. And some of the comments now that The Equation Group’s tools have been released even more so!

He shared a story about the Enigma machine and codes, then said:

20:39 – that is one of the key reasons the government has to keep secrets

20:43 – not to keep them from you it’s to keep them from our adversaries but if we

20:47 – share too widely

20:48 – everyone is gonna know about those

It was not specifically about exploits or vulnerabilities that the NSA discovers or hoards, but it does provide some insight into the agency’s thinking: it is clear the NSA believes some things just need to be kept secret. Later, he talked about taking cyber security to the next level:

30:50 – how we build the tools of the future, those tools that can help you do much

30:54 – more than what they are capable of today

30:57 – because today it’s one-on-one and when you look at cyberspace and

31:02 – the number of problems that we face

31:03 – it’s one to many, how do we visualize that,  how do we set that up for the future

This bit is interesting as it shows what the NSA was thinking: instead of going after targets one by one, they were looking at ways to target many at once in larger scale operations, perhaps with toolkits and automation.

A recent Washington Post article quoted a former NSA employee who claimed to have worked with the tools that were part of the Shadow Brokers’ leak. The source shared that when they worked at the agency, there was an aversion to disclosure.

“While I was there, I can’t think of a single example of a zero-day [flaw]” used by the agency “where we subsequently said, ‘Okay, we’re done with it and let’s turn it over to the defensive side so they can get it patched,’ ” said the former employee, who worked at the agency’s Tailored Access Organization for years. During that time, he said, he saw “hundreds” of such flaws.

If it’s something in active use, my experience was they fight like all get-out to prevent it from being disclosed.

The leak of the NSA TAO Group exploits by the Shadow Brokers comes two weeks after a DEF CON 24 presentation by Jason Healey where he summarized many facets of the U.S. government’s policy regarding vulnerabilities and disclosure. As he recently said, he was “surprised and disappointed [the] NSA kept Cisco 0days in [their] arsenal for years.” Healey refers to a 2014 White House statement on disclosing vulnerabilities that among other things says the following:

But there are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.

[..]

Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.

Healey also wrote an opinion piece recently covering several topics and stated:

Our best estimate is that the government probably retains a small arsenal of dozens of such zero-days, far fewer than the hundreds or thousands that many experts estimated. It appears they add to that arsenal only by drips and drabs, perhaps by single digits every year.  

Katie Moussouris and Michael Siegel presented a talk called The Wolves of Vuln Street: The 1st System Dynamics Model of the 0day Market at the RSA security conference in 2015.

EG-Value9

Their research started from the observation that offensive markets are often willing to pay very high prices for vulnerabilities, and set out to find which market dynamics could tip the odds in favor of the defensive players. The highlights of their findings:

  • The vulnerability market is not controlled by price alone — many levers exist that tip the scales between offense and defense.
  • Bug bounties are still effective to help find vulnerabilities faster, especially for less mature software.
  • Creating incentives for tools and techniques that support vulnerability discovery is a more efficient way for defenders to drain the offense stockpile of 0day vulnerabilities.

Halvar Flake had a strong reaction to a Snowden tweet that said the Equation Group leak was an inevitable consequence of hoarding known vulnerabilities.

EG-Value10

Tom Cross actually presented on this topic in May 2016, in a talk titled The Risks of Vulnerability Disclosure in International Conflict at Army Cyber Talks. He discusses the different situations that arise when a vulnerability is discovered, and how it is going to be used and handled: if the vulnerability is disclosed, is an opportunity lost to use it and collect intelligence, given that it could have continued to be used for additional offensive purposes; and, if it is retained, is there a risk that somebody else independently discovers the same issue and uses it to launch attacks against US assets.

The research from Moussouris, Siegel, and team also looked into “Bug Collisions” between offense and defense with some key points being:  

  • Discovery from offensive stockpile is very sensitive to the correlation. A powerful lever!  
  • Defensive capacity development or offensive capacity minimization have different levels of importance depending on the value of the correlation.

There have also been a few recent and long threads on Twitter about collisions between vulnerabilities found by the offensive and defensive sides, and how bugs really get squashed. As long-time stewards of a comprehensive vulnerability database, we consider the debate over vulnerability discovery collisions to have been put to rest in 2004, after seeing many high profile vendors disclose a vulnerability and credit multiple companies and/or researchers.

For those that think that the NSA should disclose vulnerabilities that they find to vendors so they can be fixed, there is this to consider:

EG-Value11

We will leave you with this thread for consideration as this update comes to a close. There was a recent Twitter thread about whether the bids were actually legitimate. One of the interesting comments came from Mikko Hypponen when he said “Most people don’t have $850 to just throw away. I believe somebody is bidding for real.”

The responses were quite interesting:

From @attritionorg:

EG-Value12

From @mikko, the Chief Research Officer of F-Secure:

EG-Value13

From @hackerfantastic:

EG-Value14

Will we ever see the auction file released to figure out if there is anything juicy in there? This remains to be seen, as the auction has no deadline… so for now we just wait and cross our fingers that someone figures out the password to the encrypted second half of the dump!

General Follow-up, Vuln Updates, RedSeal Connection (August 24)

Over the weekend, the analysis and news about the Shadow Brokers leak largely seemed to slow down considerably, with one exception. Even the lack of news about the leak made news on Friday, and the piece does raise a good point. In our August 19 update, we covered the news that it appeared U.S. government controlled bitcoins were being sent to the Shadow Brokers’ auction. After the original blog covering the news made the rounds, some on Twitter disagreed with the assessment.

EG-sb-btc-disagree1

@_SWEXXX on Twitter went on to say that the person who sent BTC to the Shadow Brokers also sent coins to the seized Silk Road address in the same transaction, rather than the seized coins being sent to the Shadow Brokers. He went on to clearly say that there is no transaction from the seized Silk Road coins to the Shadow Brokers. MalwareTech goes on to explain everything, including how to interpret the Bitcoin transactions, and shows that the FBI did not send BTC to the Shadow Brokers.
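The distinction @_SWEXXX is drawing is between an address that funds a transaction (an input) and an address that merely receives from it (an output). The Python below is an added example, not code from the original post or from MalwareTech’s write-up, showing how an analyst would read a transaction for attribution. It uses a simplified, constructed transaction model in which each input carries the address of the output it spends (Bitcoin Core exposes this as the `prevout` field of `getrawtransaction` at verbosity 2, but the structure here is reduced to what the check needs); all addresses and transaction ids are placeholders, not the real auction, Silk Road or payer addresses.

```python
"""Reading a Bitcoin transaction for attribution: which addresses were
sources (inputs) and which were destinations (outputs).

Added example with a constructed, simplified transaction model. Each
input carries the address of the previous output it spends; all values
below are invented placeholders."""
from typing import Dict, List, Set

# Constructed placeholder addresses (not the real Shadow Brokers, Silk
# Road, or payer addresses).
PAYER = "1PayerAddressPLACEHOLDER"
SHADOW_BROKERS = "1ShadowBrokersAddrPLACEHOLDER"
SEIZED_SILK_ROAD = "1SeizedSilkRoadAddrPLACEHOLDER"

# One constructed transaction: a single payer spends two of their own
# outputs and pays both the auction address and the seized address.
# Every input is the payer's; the seized address is only a destination.
CONSTRUCTED_TX = {
    "txid": "constructed-tx-0001",
    "vin": [
        {"txid": "constructed-prev-a", "vout": 0,
         "prevout": {"address": PAYER, "value": 0.30}},
        {"txid": "constructed-prev-b", "vout": 1,
         "prevout": {"address": PAYER, "value": 0.05}},
    ],
    "vout": [
        {"n": 0, "value": 0.001, "address": SHADOW_BROKERS},
        {"n": 1, "value": 0.001, "address": SEIZED_SILK_ROAD},
        {"n": 2, "value": 0.3478, "address": PAYER},  # change back to payer
    ],
}


def input_addresses(tx: Dict) -> Set[str]:
    """Addresses whose coins are spent by this transaction (the sources)."""
    return {vin["prevout"]["address"] for vin in tx["vin"]}


def output_addresses(tx: Dict) -> Set[str]:
    """Addresses that receive coins from this transaction (the destinations)."""
    return {vout["address"] for vout in tx["vout"]}


def address_role(tx: Dict, address: str) -> str:
    """Classify an address as source, destination, both, or absent."""
    is_in = address in input_addresses(tx)
    is_out = address in output_addresses(tx)
    if is_in and is_out:
        return "both"   # typical of change going back to the spender
    if is_in:
        return "source"
    if is_out:
        return "destination"
    return "absent"


def coins_flowed(txs: List[Dict], from_addr: str, to_addr: str) -> bool:
    """True only if some transaction spends from_addr's coins AND pays to_addr.

    Appearing together in one transaction is not enough: two addresses that
    are both outputs were both paid by the inputs, not by each other.
    """
    return any(
        from_addr in input_addresses(tx) and to_addr in output_addresses(tx)
        for tx in txs
    )


def who_paid(tx: Dict, to_addr: str) -> Set[str]:
    """The set of source addresses behind a payment to to_addr."""
    if to_addr not in output_addresses(tx):
        return set()
    return input_addresses(tx)


if __name__ == "__main__":
    txs = [CONSTRUCTED_TX]
    print("seized address role:", address_role(CONSTRUCTED_TX, SEIZED_SILK_ROAD))
    print("seized -> shadow brokers:", coins_flowed(txs, SEIZED_SILK_ROAD, SHADOW_BROKERS))
    print("payer -> shadow brokers:", coins_flowed(txs, PAYER, SHADOW_BROKERS))
    print("who paid the auction:", who_paid(CONSTRUCTED_TX, SHADOW_BROKERS))
```

Run against the constructed transaction, the seized address is classified as a destination only, and `coins_flowed` from it to the auction address is false: the same payer funded both outputs. Against a real chain the inputs would be resolved by looking up each spent output, but the classification logic is the same.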

With each passing day, the number of people drawn into the Shadow Broker’s leak increases significantly. Like most big breaches, it also seems that as more people get involved in the discussion, more and more questionable observations and comments pop up. We’ve seen both news articles say this “sets the stage for a 21st century cold war” and individuals suggest that “cyber war [is] ahead”. These comments seem very misplaced as there has been a virtual cold war, espionage, counter-hacking, and all manners of online warfare in the past decade. The cyber/cold war isn’t coming, it’s closer to celebrating its 10th birthday. Others have made comments that appear as if they are fact when they are not. Worse, they often don’t appear to make much sense, such as suggesting the NSA was hacked “by subversion of its own firmware tools”.

Researcher Rob Graham took issue with a recent WIRED article that uses poor wording to describe how vulnerabilities are found.

This WIRED “article” (aka. thinly veiled yellow journalism) demonstrates the essential thing wrong with the 0day debate. Those arguing for NSA disclosure of 0days believe the Zero-Day Faerie brings them, that sometimes when the NSA wakes up in the morning, it finds a new 0day under its pillow.

Dino Dai Zovi had previously noted the same thing, saying “Phrases like ‘when we discover vulnerabilities…’ makes it sound like an accident, which it rarely is. That’s why I prefer the verb ‘hunt.’” He continued on, stating that “Using the verb ‘discover’ to refer to vulnerabilities sounds like ‘discovering gold.’ You usually begin the search for a particular reason.”

On the back of claims that the leaked files have been available for over a year on the Dark Web, Gizmodo reports that a Twitter user going by @1x0123 claims he is selling the entire Shadow Brokers dump for $8000 USD. As Gizmodo notes, they have been unable to confirm his claims.

EG-Files For Sale

Notice the screenshot included in the tweet, which appears to show a conversation with Edward Snowden, whom many have previously tried to link to the Shadow Brokers.

Vulnerability Updates

On Saturday, Chinese security vendor TOPSEC posted an advisory confirming the leaked exploits and providing an update to remediate them. Two days later, researcher Ano_Tom posted a more detailed analysis of the TOPSEC vulnerabilities, noting that they affect more than the TOPSEC NGFW 4000 firewall and include the Talent Unified Threat Management System (TopGate) and Talent VPN products (TopVPN).

In Cisco news, SilentSignal reports that the EXTRABACON exploit has been ported to work against ASA 9.2(4) devices. This is important, as the exploit as leaked would not work if it encountered 8.4(5) or later. Dan Goodin writes more about this development on Ars Technica. While Juniper is still investigating, they have finally posted a statement instead of just giving comments to journalists. According to their analysis, the exploit “targets the boot loader and does not exploit a vulnerability on ScreenOS devices.”

Researcher Sài Gòn Séamus, who previously called out an interesting IP address, found two more IPs, 204.99.63.157 and 191.64.0.18, in the blatsting_basics.txt file. The first currently belongs to PCS Health Systems based out of Arizona, USA, and the second currently belongs to COMCEL S.A. out of Bogota, Colombia. It isn’t clear if these IPs belonged to those companies in 2013, or whenever the scripts were used.

external int – outside destination – 204.99.63.157

pitch – outside source – 191.64.0.18

Sài Gòn Séamus also found it curious that he had not seen any major news outlet cover the news of these addresses. Finally, researcher David Manouchehri notes that some anti-virus software is finally recognizing some of the leaked tools.

RedSeal Connection?

On Friday, Steve Ragan published an article on his Salted Hash blog breaking the news that hackers allege the leaked Equation Group tools were stolen from security vendor RedSeal. It is a bit ironic that the company has been tweeting since the leak that they can help “to understand your exposure to the ShadowBrokers hack in your specific network”.

EG-redseal-ad

Ragan’s article is partially based on an anonymous Pastebin titled “Shadow Brokers Attempted Release at Defcon 24”:

Note From Defcon

We at Defcon have many sub groups.  We would like to address a rumor regarding involvement
in the Shadow Brokers NSA malware leak.

In early July, we were approached by an elite hacker Red team called Brother Spartacus.

Information regarding NSA malware theft was presented to Brother Spartacus.

The individual self reported they had walked off an In-Q-Tel contract with RedSeal.  They
had taken the Malware pack from a CNC server that was set-up to test RedSeal products.

The individual was not well versed in software and could not point out any zero day threats.
We decided to not push the person forward to public Defcon leaders.

The individual with the malware gave a copy to wikileaks and Kim dot com.

The individual hung out at defcon waiting for a change in leadership decision.  After defcon was over
Aug 7th.  Approximately 5 days later we were contacted about the imminent release of the source.

https://www.defcon.org/html/defcon-24/dc-24-index.html
http://brotherspartacus13johns.tumblr.com/

Other than this Pastebin, there is no actual evidence that an attempt was made to disclose the vulnerabilities at DEF CON 24. A source on the DEF CON CFP team confirmed to us that there is no CFP submission along these lines and no occurrence of their handles. Blueknight, who runs the popular Skytalks track at DEF CON confirms that they were not approached at all either, saying “Skytalks didn’t receive any pitch like this, either in our CFP or hallway pitched to me either before or in Vegas.”  

Shadow Brokers Back From The Shadows (December 19)

While there has been some activity since our last update on August 24th, it was not ground-breaking and nothing that wasn’t expected. In fact, it was basically the same things being rehashed and we decided to not even bother with a final wrap-up.

However, in the last couple days we have had more activity that makes this story relevant and interesting, and have decided to invest some additional time in updating the coverage. But before we get into the events of the last couple days, let’s bring everyone up to speed since the end of August.

During the month of August there was a lot more conversation about the problems that arise when governments hoard vulnerabilities and don’t notify vendors. In fact, there were even calls for more transparency in the government’s disclosure process, and the dreaded “responsible disclosure” debate was brought up yet again. Of course, the finding that people were already exploiting the vulnerabilities shortly after the leak continued to pour gasoline on the fire.

There was also a fair amount of continuing coverage of the dump files and the exploits that were already leaked. At the end of August it was found that the Equation Group had specifically targeted Chinese firewall maker Huawei: the instruction file included in one of the leaked files (TURBO_install-new.txt) references VRP 3.30, a version of Huawei’s proprietary operating system.

Huawei released an advisory shortly after the initial leak:

Up to now, Huawei has not received any report about tool/script implantation in Huawei firewall products. To help customers detect whether their firewall device BIOSes and host software packages have been tampered with and remove implanted tools/scripts, Huawei provides a patch package for checking the integrity of the BIOSes and host software packages of the Eudemon300/500/1000 series.

The new information coming out that Huawei was included as part of the Equation Group’s toolkit comes as no surprise as they have been known to be a target of the U.S. as demonstrated in the documents leaked by Edward Snowden.

On October 1st, the Shadow Brokers posted a message that was a stream of content, with some ranting that turned into a ‘Frequently Asked Questions’ format. The first point that they addressed was the concern that has been covered previously that the auction wasn’t real.

TheShadowBrokers is realizing peoples is not thinking auction is being real?

Their response was to explain that this auction is just about money.

TheShadowBrokers EquationGroup Auction is sounding crazy but is being real. Expert peoples is saying Equation Group Firewall Tool Kit worth $1million. TheShadowBrokers is wanting that $1million.

The post went on to cover a wide range of topics in question and answer format including:

Q: Why not selling on underground?

Q: Why auctioning?

Q: Why public?

Q: Why “no refunds”?

Q: Why no expiration?

Q: Why bitcoin?

Q: How will theShadowBrokers cash out large sums?

Q: Why saying “don’t trust us”?

Q: Why not use escrow?

Q: 1,000,000 BTC or $1,000,000? Dr Evil? 5% of all bitcoin? Are you crazy?

Q: What are you auctioning?

Q: Is it a lie, scam, or trick?

Q: Too expensive. Why not break up, sell in pieces?

Q: Why files is being old?

Q: Is legal? Aren’t I buying stolen goods?

Q: Won’t the EquationGroup be coming after us?

Q: Will theShadowBrokers do interview?

Even the detailed answers in that post clearly didn’t relieve the concerns many had, and the auction was not going according to plan for the Shadow Brokers, as no one was bidding. As of October 1st, there were only bids totaling 1.76 bitcoins (approximately $1,082 USD), not even close to their goal.

On October 15, there was another post that started talking about a new leak concerning Bill Clinton, but the real meat was that the Shadow Brokers were calling off the auction:

TheShadowBrokers is deciding to leak the Bill Clinton Lorreta Lynch airplane conversation. But first TheShadowBrokers is having other announcement. TheShadowBrokers is being bored with auction so no more auction. Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same file, password is crowdfunding. Sharing risk. Sharing reward. Everyone winning. And now TheShadowBrokers is presenting the “Bill Clinton and Lorreta Lynch Arizona Airplane Conversation”. Be enjoying!

Now that the auction was closed, they decided to create a crowdfunding campaign that hoped to raise the 10,000 bitcoins ($6.38 million USD at the time) that they wanted for the Equation Group tools. If the goal was met, they would publish the password so that everyone could decrypt the second dump with the additional stolen tools.

On October 20th, it became known that federal prosecutors said they were going to charge Harold T. Martin III, a former National Security Agency contractor, with violating the Espionage Act. It appears that over a period of 20 years he “took at least 50 terabytes of data and six full banker’s boxes worth of documents.” Hal Martin was at that time labeled as the prime suspect behind the Shadow Brokers leaks, according to a Washington Post report.

On Halloween, October 31, the Shadow Brokers posted another message and dumped more files. The dump contains some 300 folders of files, all corresponding to different domains and IP addresses. Domains from Russia, China, India, Sweden, and many other countries were included. The latest dump allows potential victims of the Equation Group to use these files to determine if they were targeted, or compromised, by the NSA-linked unit.
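Both this dump and the IP addresses pulled from blatsting_basics.txt in the August 24 update come down to the same defensive task: extract the indicators (IPs and hostnames) from leaked text and check them against what you own. The Python below is an added example of that check, not code from the original post, RBS, or any researcher named here. The sample “leaked” lines are constructed, except for the two IPv4 addresses quoted from blatsting_basics.txt above; the asset inventory is constructed from RFC 5737 documentation ranges and example.net, so the matches it reports are illustrative only.

```python
"""Checking leaked target lists against your own assets.

Added example. The leaked-text sample below is constructed (apart from the
two IPs quoted from blatsting_basics.txt in the post), and the inventory
uses RFC 5737 documentation ranges and an example domain."""
import ipaddress
import re
from typing import Dict, Iterable, List, Set

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname/domain: one or more labels, a dot, and a 2+ letter TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed input in the style of the leaked config/target lists.
LEAKED_TEXT = """\
external int - outside destination - 204.99.63.157
pitch - outside source - 191.64.0.18
target dir: 198.51.100.7
target dir: mail.example.net
target dir: 203.0.113.250
target dir: cdn.example.org
"""

# Constructed asset inventory: CIDR blocks and domain suffixes you own.
MY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("192.0.2.0/24")]
MY_DOMAINS = ["example.net"]


def extract_indicators(text: str) -> Dict[str, Set[str]]:
    """Pull syntactically valid IPv4 addresses and hostnames out of free text."""
    ips: Set[str] = set()
    for cand in IPV4_RE.findall(text):
        try:
            ips.add(str(ipaddress.ip_address(cand)))   # rejects e.g. 999.1.1.1
        except ValueError:
            continue
    # Hostnames are lower-cased so matching is case-insensitive.
    hosts = {h.lower() for h in HOST_RE.findall(text) if not IPV4_RE.fullmatch(h)}
    return {"ips": ips, "hosts": hosts}


def domain_matches(host: str, owned: Iterable[str]) -> bool:
    """True if host equals an owned domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned)


def match_assets(indicators: Dict[str, Set[str]],
                 networks: Iterable[ipaddress.IPv4Network],
                 domains: Iterable[str]) -> List[str]:
    """Return the indicators that fall inside your networks or domains, sorted."""
    hits: List[str] = []
    for ip in indicators["ips"]:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            hits.append(ip)
    for host in indicators["hosts"]:
        if domain_matches(host, domains):
            hits.append(host)
    return sorted(hits)


def check_text(text: str) -> List[str]:
    """Extract indicators from text and match them against our inventory."""
    return match_assets(extract_indicators(text), MY_NETWORKS, MY_DOMAINS)


if __name__ == "__main__":
    found = extract_indicators(LEAKED_TEXT)
    print("IPs:", sorted(found["ips"]))
    print("hosts:", sorted(found["hosts"]))
    print("hits in our inventory:", check_text(LEAKED_TEXT))
```

As the post notes for the two addresses above, current ownership of an IP says little about who held it when the scripts were used, so a hit here is a lead to investigate against historical allocation records and your own logs, not a confirmed compromise.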

An interesting tweet from security researcher Mustafa Al-Bassam brings us back to the Attribution conversation. His observation was that the IP addresses may relate to servers the NSA has compromised and then used to deliver exploits making attribution hard.

Even though the crowdfunding approach seemed much more reasonable, it didn’t generate much more interest.

The final statistics for the Auction were 69 Transactions with 2.006074 BTC received.

Now to the new activity!

If we look back to a Pastebin post from August 28th, we were given some insight on what was to potentially come next from the Shadow Brokers.

We have more good shit. But, no more free stuff. We intend make money for our risk. We prefer serr in burk to more responsibre party. One more rikery to discrose than hurt peopres. We give pubric auction one more week. Maybe a government, security company, wearth individuar step up, do rite thing, get seen doing it. If not, we assume no one interested and we start serring on the underground. Rots of transparency and discrosure there.

As described, the auction and the subsequent crowdfunding campaign were not successful. Per the August 28th post, it was suggested that if they did not get the money they were seeking, they would then start to sell the exploits on the underground. Some still believed the auction was not legitimate, and therefore that selling the tools via other means was more misdirection.

However, it now appears that the Shadow Brokers are trying to sell the tools directly to interested buyers. A user who goes by Boceffus Cleetus, who describes themselves as a “ZeroNet enthusiast”, posted that it appeared the Shadow Brokers are selling the undisclosed NSA tools individually. Note that the Boceffus Cleetus Twitter account was only created in December 2016, apparently specifically to announce this information about the Shadow Brokers.

Motherboard published a post saying that they have attempted to contact the Shadow Brokers through various channels since August with no luck. However, just this week the group posted saying that they have not been arrested. This further supports that the Shadow Brokers and Hal Martin (the arrested NSA contractor), although possibly connected (e.g. Martin could be a member of a larger group), are not necessarily one and the same, as messages have continued to be posted since Martin’s arrest.

When further reviewing the site on ZeroNet, it indicates that the Shadow Brokers are apparently selling the Equation Group hacking tools from between one and 100 bitcoins each ($780—$78,000 USD). If someone wanted to purchase all of the tools they can be acquired for 1,000 bitcoins ($780,000 USD).

The site includes a long list of supposed items for sale, with a similar naming convention as we saw previously such as ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT.

The folks over at HackerHouse took a look and posted some more detailed analysis of the table of impacted software that the Shadow Brokers provided. HackerHouse has compiled the table into a spreadsheet, and they believe that the “data shows some very compelling information that this indeed could be an NSA and GCHQ toolkit.”

They go on to say:

There also appears to be unpublished “0day” exploits for a number of platforms, with a heavy focus on Solaris throughout the tool set distribution. This shows a very mature and extensively developed set of tools for hacking UNIX servers that is now available to anyone who wishes to try to purchase them. This could have devastating consequences as several of these tools appear to exploit unknown vulnerabilities.

The following are some of the attacks that HackerHouse believes are the most interesting and not yet publicly known.

  • Solaris RPC 0day
  • Solaris CDE ttsession exploit
  • Solaris iPlanet 5.2 Mail service exploit
  • cPanel privilege escalation 0day & possible remote exploit
  • Avaya Communications Manager attack
  • Sendmail Linux exploit XORG Privilege escalation
  • Apache local root exploit (0day?)
  • Unknown additional exploits

At RBS, we are always very interested in the value of vulnerabilities, exploits and tools. Since the Shadow Brokers are now selling each tool individually, we are able to see what they believe the value of each to be. In looking over the spreadsheet, it is clear that they believe the implants are the most valuable, as they are priced the highest at $78,949.

So here we go again!  What can we expect?

  • More attribution debates… of course!
  • More analysis of the data, exploits, tools and targets
  • Attacks being carried out, from people that buy the tools directly
  • Attacks being carried out, from people that use this information to hunt for bugs
  • Attacks being carried out by almost every government entity, reminding us where this all began.

If you want to do some analysis on your own, the ShadowBroker files are posted here.



Auction Ends: Shadow Brokers Release Key In Retaliatory Strike (April 8)

Since our last update, the Shadow Brokers story continued to have a few more updates here and there, with the group saying they were going dark, calling it quits, and finally done on January 12th, 2017. Just eight days before the inauguration of Donald Trump, the Shadow Brokers posted a farewell message where they explained that they were deleting their accounts and making an exit since the auction failed to reach their goal.

On April 6th, 2017 at 8:40 p.m. Eastern time, the United States fired missiles at a Syrian airfield, in what was described as a message to the world that President Trump was no longer willing to stand idly by as Mr. Assad used horrific weapons in his country’s long civil war.

The following day, April 7th, Russia warns of serious consequences from the U.S. airstrike in Syria:

Russia warned on Friday that U.S. cruise missile strikes on a Syrian air base could have “extremely serious” consequences, as President Donald Trump’s first major foray into a foreign conflict opened up a rift between Moscow and Washington.

And then today, on April 8 at 7:05am Eastern, the Shadow Brokers, who had previously said they were done, came back again with a very pointed message to President Trump which just so happens to include the password to the auction files that we have been discussing here for months.

The message they posted is very long, containing accusations that President Trump has been “abandoning your base, the movement, and the peoples who getting you elected”, and also includes specifics as to what they believe to be evidence supporting their claim.

Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

Good Evidence:

#1 — Goldman Sach (TheGlobalists) and Military Industrial Intelligence Complex (MIIC) cabinet
#2 — Backtracked on Obamacare
#3 — Attacked the Freedom Causcus (TheMovement)
#4 — Removed Bannon from the NSC
#5 — Increased U.S. involvement in a foreign war (Syria Strike)

The post continues on explaining to President Trump about his supporters saying they:

– Don’t care what is written in the NYT, Washington Post, or any newspaper, so just ignore it.
– Don’t care if you swapped wives with Mr Putin, double down on it, “Putin is not just my firend he is my BFF”.
– Don’t care if the election was hacked or rigged, celebrate it “so what if I did, what are you going to do about it”.
– Don’t care if your popular or nice, get er done, Obama’s fail, thinking he could create compromise. No compromise.
– Don’t want foreign wars, Do want domestic wars, “drain the swamp”, “destroy the nanny state”
– Don’t care about your faith, you sound like a smuck when you try to say god things
– DO support the ideologies and policies of Steve Bannon, Anti-Globalism, Anti-Socialism, Nationalism, Isolationism

The Shadow Brokers then provide some lengthy “suggestions” on topics such as:

  • Globalism
  • White Privilege
  • Socialist Collectivism
  • Russia
  • MAGA

Finally, the post ends with The Shadow Brokers bombshell conclusion:

Mr. President Trump theshadowbrokers sincerely is hoping you are being the real deal and that you received this as constructive criticism toward #MAGA. Some American’s consider or maybe considering TheShadowBrokers traitors. We disagreeing. We view this as keeping our oath to protect and defend against enemies foreign and domestic. TheShadowBrokers wishes we could be doing more, but revolutions/civil wars taking money, time, and people. TheShadowBrokers has is having little of each as our auction was an apparent failure. Be considering this our form of protest. The password for the EQGRP-Auction-Files is CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN

While the topics in the post may be of interest to many, the security industry is obviously most curious about the password for the auction files. It was confirmed to be legitimate by Twitter user @x0rz pretty quickly.

We at RBS have also confirmed that the password is legit and verified the file listing.

We have not yet had a chance to look at or do additional analysis on the files themselves. However, now that the password has been provided, we expect that many sources will start their analysis and there will be more revelations about the Equation Group over the coming days and weeks.

Oh ya, the Shadow Brokers are still open for donations, because remember, that was the reason they did this whole auction in the first place.

But we’d still be happy to accept donations to further the cause. 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK