A few days ago, we reported on a hacking group, named Shadow Brokers, which claimed to have gained access to NSA-affiliated hacking tools and exploits. At the time, security experts tentatively said the exploits posted as proof of the breach seemed legitimate. Now there’s more corroborating evidence, with Cisco admitting that its software has been vulnerable for years to one of the exploits that was published.
Shadow Brokers published a number of exploits online, claimed to have been taken from the Equation Group. This second group is an elite hacking operation, believed to either be directly part of, or have very strong ties with, the NSA. While none of the exploits posted online by Shadow Brokers is more recent than 2013, that doesn’t seem to have impacted their potency. And you don’t have to look further than Cisco for proof of that.
Two of the exploits leaked, brilliantly named EPICBANANA and EXTRABACON, target Cisco’s hardware and firewall software – exactly the products the company claims keep other businesses secure. The good news is that the EPICBANANA flaw, which is a Cisco ASA CLI Remote Code Execution vulnerability, was patched back in 2011, though older versions of Cisco’s Adaptive Security Appliance (ASA) software are still vulnerable. The second bit of good news is that both exploits require some special circumstances and access to internal company data to be used.
The bad news is that EXTRABACON, an SNMP flaw that can be used to get into Cisco’s ASA, PIX and Firewall Service Module, was publicly discovered with this data dump from the hackers – but it’s been known about for at least three years. The really bad news is that there’s currently no patch available, though Cisco has taken steps to partially mitigate the issue.
With Cisco’s admission that these flaws are not only real, but possibly being exploited in the wild, there’s now clear evidence that at least some of the exploits taken and leaked by Shadow Brokers are very much real. But that doesn’t prove they actually hacked the NSA just yet.