BreachExchange mailing list archives
Shadow Brokers Back From The Shadows (December 19 Update)
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 19 Dec 2016 09:09:34 -0600
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/#backfromshadows

While there has been some activity since our last update on August 24th, it was not ground-breaking and nothing that wasn’t expected. In fact, it was basically the same things being rehashed, and we decided not to bother with a final wrap-up. However, in the last couple of days there has been more activity that makes this story relevant and interesting, and we have decided to invest some additional time in updating the coverage. But before we get into the events of the last couple of days, let’s bring everyone up to speed since the end of August.

During the month of August there was a lot more conversation surrounding the issues that arise when governments hoard vulnerabilities and don’t notify vendors. In fact, there were even calls for more transparency in the government’s disclosure process <http://www.scmagazine.com/after-nsa-leaks-a-renewed-interest-in-vulnerability-disclosure/article/517952/> and the dreaded “*responsible disclosure*” debate was brought up yet again. Of course, the finding that people were already exploiting the vulnerabilities shortly after the leak <https://www.wired.com/2016/08/course-people-immediately-started-exploiting-leaked-nsa-vulnerabilities/> continued to pour gasoline on the fire. There was also a fair amount of continuing coverage on the dump files and the exploits that were already leaked.

At the end of August it was found that there was actually a focus on Chinese firewall maker Huawei <http://motherboard.vice.com/read/nsa-huawei-firewalls-shadow-brokers-leak>, and it was determined that the Equation Group was specifically targeting them.
It was found that the instruction file included in one of the leaked files (TURBO_install-new.txt) contains references to VRP <http://huawei.com/ilink/en/solutions/broader-smarter/morematerial-b/HW_133061> 3.30, a version of Huawei’s proprietary operating system. Huawei released an advisory <http://www.huawei.com/en/psirt/security-notices/huawei-sn-20160823-01-shadowbrokers-en> shortly after the initial leak:

    Up to now, Huawei has not received any report about tool/script implantation in Huawei firewall products. To help customers detect whether their firewall device BIOSes and host software packages have been tampered with and remove implanted tools/scripts, Huawei provides a patch package for checking the integrity of the BIOSes and host software packages of the Eudemon300/500/1000 series.

The new information that Huawei was included as part of the Equation Group’s toolkit comes as no surprise, as they have been known to be a target <http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html> of the U.S., as demonstrated in the documents leaked by Edward Snowden <http://sinosphere.blogs.nytimes.com/2015/01/20/among-snowden-leaks-details-of-chinese-cyberespionage/>.

On October 1st, the Shadow Brokers posted a message <https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b481#.54b68ydo1> that was a stream of content, with some ranting that turned into a ‘Frequently Asked Questions’ format. The first point they addressed was the previously covered concern that the auction wasn’t real:

    TheShadowBrokers is realizing peoples is not thinking auction is being real?

Their response was to explain that this auction is just about money:

    TheShadowBrokers EquationGroup Auction is sounding crazy but is being real. Expert peoples is saying Equation Group Firewall Tool Kit worth $1million. TheShadowBrokers is wanting that $1million.
The post went on to cover a wide range of topics in question and answer format, including:

- Q: Why not selling on underground?
- Q: Why auctioning?
- Q: Why public?
- Q: Why “no refunds”?
- Q: Why no expiration?
- Q: Why bitcoin?
- Q: How will theShadowBrokers cash out large sums?
- Q: Why saying “don’t trust us”?
- Q: Why not use escrow?
- Q: 1,000,000 BTC or $1,000,000? Dr Evil? 5% of all bitcoin? Are you crazy?
- Q: What are you auctioning?
- Q: Is it a lie, scam, or trick?
- Q: Too expensive. Why not break up, sell in pieces?
- Q: Why files is being old?
- Q: Is legal? Aren’t I buying stolen goods?
- Q: Won’t the EquationGroup be coming after us?
- Q: Will theShadowBrokers do interview?

Even with detailed answers from the previous post, it clearly didn’t relieve the concerns many had, and the auction was not going according to plan for the Shadow Brokers, as no one was bidding <https://nakedsecurity.sophos.com/2016/10/03/shadow-brokers-are-disappointed-about-lack-of-interest-in-nsa-tools-auction/>. As of October 1st, there were only bids totaling 1.76 bitcoins (approximately $1,082 USD), not even close to their goal.

On October 15, there was another post <https://medium.com/@shadowbrokerss/begin-pgp-signed-message-hash-sha1-2a9aa03838a4#.8exaa2fly> that started by talking about a new leak concerning Bill Clinton, but the real meat was that the Shadow Brokers were calling off the auction:

    TheShadowBrokers is deciding to leak the Bill Clinton Lorreta Lynch airplane conversation. But first TheShadowBrokers is having other announcement. TheShadowBrokers is being bored with auction so no more auction. Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same file, password is crowdfunding. Sharing risk. Sharing reward. Everyone winning. And now TheShadowBrokers is presenting the “Bill Clinton and Lorreta Lynch Arizona Airplane Conversation”. Be enjoying!
Now that the auction was closed, they decided to create a crowdfunding campaign <http://siliconangle.com/blog/2016/10/18/the-shadow-brokers-are-now-crowdfunding-the-release-of-hacked-nsa-linked-hacking-tools/> that hoped to raise the 10,000 bitcoin ($6.38 million USD at the time) they wanted for the Equation Group tools. If the goal was met, they would publish the password so that everyone could decrypt the second dump containing the additional stolen tools.

On October 20th, it became known that federal prosecutors said they were going to charge Harold T. Martin III, a former National Security Agency contractor, with violating the Espionage Act. It appears that over a period of 20 years he “*took at least 50 terabytes of data and six full banker’s boxes worth of documents*.” Hal Martin was at that time labeled as the prime suspect behind the Shadow Brokers leaks, according to a Washington Post report <https://www.washingtonpost.com/world/national-security/government-alleges-massive-theft-by-nsa-contractor/2016/10/20/e021c380-96cc-11e6-bb29-bf2701dbe0a3_story.html>.

On Halloween, October 31, the Shadow Brokers posted another message and dumped more files <https://medium.com/@shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.jpoecytfl>. The dump contains some 300 folders of files <https://motherboard.vice.com/read/shadow-brokers-nsa-hackers-dump-more-files>, all corresponding to different domains and IP addresses. Domains from Russia, China, India, Sweden, and many other countries were included. The latest dump allows victims of the Equation Group to use these files to determine whether they were potentially targeted, or compromised, by the NSA-linked unit. An interesting tweet from security researcher Mustafa Al-Bassam <https://twitter.com/musalbas/status/793001139310559232> brings us back to the attribution conversation.
His observation was that the IP addresses <https://twitter.com/musalbas/status/793001955824111616> may relate to servers the NSA has compromised and then used to deliver exploits, making attribution hard.

Even though the crowdfunding approach seemed much more reasonable, it didn’t generate much more interest. The final statistics for the auction address <https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK?offset=0&filter=6> were 69 transactions with 2.006074 BTC received.

Now to the new activity! If we look back to a Pastebin post from August 28th <http://pastebin.com/5R1SXJZp>, we were given some insight into what was potentially to come next from the Shadow Brokers:

    We have more good shit. But, no more free stuff. We intend make money for our risk. We prefer serr in burk to more responsibre party. One more rikery to discrose than hurt peopres. We give pubric auction one more week. Maybe a government, security company, wearth individuar step up, do rite thing, get seen doing it. If not, we assume no one interested and we start serring on the underground. Rots of transparency and discrosure there.

As described, the auction and the subsequent crowdfunding campaign were not successful. Per the August 28th post, it was suggested that if they did not get the money they were seeking, they would then start to sell the exploits on the underground. Some still believed the auction was not legitimate, and therefore that selling the tools via other means was more misdirection. However, it now appears that the Shadow Brokers are trying to sell the tools directly <http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale> to interested buyers.
A user who goes by Boceffus Cleetus <https://medium.com/@CleetusBocefus/are-the-shadow-brokers-selling-nsa-tools-on-zeronet-6c335891d62a#.i6bhfduse>, and who describes themselves as a “ZeroNet enthusiast <https://zeronet.io/>”, posted that it appeared the Shadow Brokers are selling the undisclosed NSA tools individually. Note that the Boceffus Cleetus Twitter account <https://twitter.com/CleetusBocefus> was only created in December 2016, and it appears to exist specifically to announce this information about the Shadow Brokers.

Motherboard published a post <http://motherboard.vice.com/read/a-brief-interview-with-the-shadow-brokers-the-hackers-selling-nsa-exploits> saying that they had attempted to contact the Shadow Brokers through various channels since August with no luck. However, just this week the group posted saying that they have not been arrested. This further supports that the Shadow Brokers and Hal Martin (the arrested NSA contractor), although possibly connected (e.g. Martin could be a member of a larger group), are not necessarily one and the same, as messages have continued to be posted <https://motherboard.vice.com/read/while-alleged-nsa-thief-sits-in-detention-shadow-brokers-post-messages> since Martin’s arrest.

Reviewing the site on ZeroNet further, it indicates that the Shadow Brokers are apparently selling the Equation Group hacking tools for between one and 100 bitcoins each ($780 to $78,000 USD). If someone wanted to purchase all of the tools, they can be acquired for 1,000 bitcoins ($780,000 USD). The site includes a long list of supposed items for sale, with a naming convention similar to what we saw previously, such as ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. The folks over at HackerHouse took a look and posted <https://www.myhackerhouse.com/merry-haxmas-shadowbrokers-strike-again/> some more detailed analysis of the table of impacted software that the Shadow Brokers provided.
HackerHouse has compiled the table into a spreadsheet <https://github.com/HackerFantastic/Public/blob/master/misc/EquationGroupUNIX.xlsx> and they believe that the “*data shows some very compelling information that this indeed could be an NSA and GCHQ toolkit*.” They go on to say:

    There also appears to be unpublished “0day” exploits for a number of platforms, with a heavy focus on Solaris throughout the tool set distribution. This shows a very mature and extensively developed set of tools for hacking UNIX servers that is now available to anyone who wishes to try to purchase them. This could have devastating consequences as several of these tools appear to exploit unknown vulnerabilities.

The following are some of what HackerHouse believe are the most interesting attacks not yet publicly known <https://www.myhackerhouse.com/merry-haxmas-shadowbrokers-strike-again/>:

- Solaris RPC 0day
- Solaris CDE ttsession exploit
- Solaris iPlanet 5.2 Mail service exploit
- cPanel privilege escalation 0day & possible remote exploit
- Avaya Communications Manager attack
- Sendmail Linux exploit
- XORG privilege escalation
- Apache local root exploit (0day?)
- Unknown additional exploits

At RBS, we are always very interested in the value of vulnerabilities, exploits and tools. Since the Shadow Brokers are now selling each tool individually, we are able to see what they believe to be the value of each. In looking over the spreadsheet, it is clear that they believe the implants are the most valuable, as they are priced the highest at $78,949.

So here we go again! What can we expect?

- More attribution debates… of course!
- More analysis of the data, exploits, tools and targets
- Attacks being carried out by people that buy the tools directly
- Attacks being carried out by people that use this information to hunt for bugs
- Attacks being carried out by almost every government entity, reminding us where this all began.
If you want to do some analysis on your own, the Shadow Brokers files are posted here: <https://bit.no.com:43110/theshadowbrokers.bit/>
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange