The «Shadow Brokers» threats
Date : August 07, 2016
On the weekend of August the 13th and 14th, 2016, a « group » of hackers dubbed « Shadow Brokers » has released on Pastebin and GitHub, 2 archives containing hacking tools that the NSA would have developed. The first archive is in free access and the second containing the « best cyber-weapons » has not been revealed yet. The latter is auctioned and the amount requested is 1 million bitcoins, or approximately $550 million.
« Shadow Brokers » would have got these exploits codes by hacking the « Equation group », name given by Kaspersky in 2015 to a reputed organization close to the NSA.
According to the Kaspersky’s report, and without mentioned the NSA, the « Equation group » would have worked with the team behind Flame, Duqu or Stuxnet (a worm used against Iranian centrifuges to enrich uranium) and have developed their own arsenal of malware whose most famous are Fanny and GrayFish. Kaspersky has also found similarities between the codes of Fanny and Stuxnet.
According to Le Monde, the « Equation group » would serve as a « toolbox » for the NSA. For others experts, « Equation » would the NSA elite unit which is engaged for Tailored Access Operations (TAO). For these experts, it is the unit that appears on the photo of the confidential documents revealed by Snowden and published by Glenn Greenwald.
Finally, according to Motherboard, the leak comes from a NSA employee, a kind of Edward Snowden. For its part, Snowden emits on Twitter, the hypothesis that the Russian intelligence services would be behind this leak.
Making reference to the game « Mass Effect », « Shadow Brokers » has disclosed some of the collected data. It includes installation scripts, configuration files and software allowing to exploit flaws against security network devices, such as firewalls, of four US companies and the TopSec Chinese Company whose vulnerabilities date back to between 2010 and 2013.
A summary of the list of files belonging to « Equation » with associated descriptions is available in French and in English. This guide help to make the difference between:
- a tool, which is a software package that allows to deploy multiple implants and exploits,
- an implant, which is malware installed on a compromised device,
- an exploit, which is a vulnerability that allows the attacker to compromise the device, extract data, or deploy an implant/tool.
We list below the different tools, implants and exploits for these manufacturers and for which we issued the Potential Danger CERT-IST/DG-2016.004:
- Cisco (CERT-IST/AV-2016.0790): EXTRABACON (CVE-2016-6366), EPICBANANA (CVE-2016-6367), JETPLOW, BENIGNCERTAIN,
- Fortinet (CERT-IST/AV-2016.0791): EGREGIOUSBLUNDER,
- Juniper : FEEDTROUGH et ZESTYLEAK,
- WatchGuard : ESCALATEPLOWMAN.
- Topsec: ELIGIBLECONTESTANT, ELIGIBLECANDIDATE, ELIGIBLEBOMBSHELL, ELIGIBLEBACHELOR.
Moreover, to better track the threats related to the publication of these exploits codes and the various tools of this hack, we opened the « Shadow Brokers » blog in our Crisis Hub.