
Considerable time and effort has been spent in researching and weaponizing vulnerabilities for client applications, server operating systems, and server applications. To date, much less research has been done on network-based appliances. This is likely because it is more difficult—and more expensive—to acquire these devices. However, this doesn’t mean that they don’t have vulnerabilities or that we should assume they are secure by design. In fact, in most cases the opposite is true. The recent Shadow Brokers leak, which includes numerous attacks against commercial firewalls, supports this hypothesis. If you haven’t heard about this leak, the high level is that earlier this month a group calling themselves The Shadow Brokers leaked files that have been attributed to the Equation Group, which may or may not have ties to NSA. Attribution in this field is notoriously difficult to confirm.

Who the Shadow Brokers are is itself difficult to determine, with guesses ranging from a Russian-supported hacker group to a rogue NSA insider. What we do know is that a set of files was leaked with the stated purpose of demonstrating the quality of a larger cache of attack tools. A second set of files will only be made accessible if somebody pays a sizeable amount in bitcoin. If the leaked free files are just a movie trailer, then the feature presentation (the files that require the bitcoin payment) will certainly contain more zero days, malware, and implants than the leaks from the Milan-based Hacking Team last year. It will also shed a great deal of light on the modus operandi of the nation-state intelligence/surveillance agency behind the tools.

The details of the leaks to date, along with the vendor information that has been made public, are extremely well documented here: https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html. Information can also be found at: https://arstechnica.com/information-technology/2016/08/group-claims-to-hack-nsa-tied-hackers-posts-exploits-as-proof/

Almost all of the exploits target broadly deployed commercial firewalls. These exploits allow unauthenticated remote code execution over the network. This is an extremely dangerous vector because the exploits are easily wormable. Since the code has already been leaked, it’s just a matter of time before mass malware authors utilize it to implant malware. In fact, some of the code (ExtraBacon) has already been modified so that it works on newer versions of Cisco ASA firewalls. The next step is of course to weaponize the payloads.

Over the last couple of years, operating systems and applications have considerably beefed up their mitigation mechanisms. This in turn is making security devices prime targets for attacks. Security appliances and their software are complex in nature with lots of functionality (parsers, interpreters, etc.), which exposes a large attack surface. The Shadow Brokers file dump demonstrated that there are currently threat actors targeting the biggest and most widely deployed firewall vendors in the world. That is not a surprise, of course, but it should remind us all that attackers don’t need to craft a malicious email, exploit client applications, or maintain persistent lateral movement when they have these exploits. They simply need to compromise the firewall and install an implant, and then they can see pretty much all of the communication happening inside the network. This is what makes attacks against security controls so attractive for intelligence agencies—and no doubt for other threat actors. This leak may very well be a sign that the attack landscape is changing, with the next wave of attacks focusing on devices that have been overlooked, such as routers and firewalls.

NSS Labs recommends treating every security vendor with caution, subjecting all vendors and their products to a thorough risk assessment before deploying them into your organization, and continuously monitoring your network for oddities. Define a baseline so you know what normal looks like. And, of course, patch.