Would you like extra bacon with that?
Equation Group Tool Leak – ExtraBacon.
Imagine heading to the office on Monday morning. The company you work for has been breached during the weekend and it’s your responsibility to notify the board members. You scroll through the e-mails you received from the security engineers and it turns out that an attacker has successfully compromised the enterprise network. There are no reported phishing attempts from your users and there is nothing to be found in the log files of the trustworthy IDS. Additional network analysis leads to detecting the use of a recently unveiled attack method: EXTRABACON.
Having your network compromised is always a painful situation. However, being forced to explain the aforementioned situation to board members by using terms such as EXTRABACON and EPICBANANA, is painful on a whole other level.
On the 13th of August, a Twitter account named ‘theshadowbrokers’ placed a tweet to a Pastebin repository containing an unprecedented message. A claim was made that the infamous Equation group had been compromised and that all the ‘hacking’ tools the Equation group used would be sold off to the highest bidder. The Equation group was named by the security company Kaspersky and this group is linked to the NSA’s cyber intelligence division TAO (Tailored Access Operations). Claiming that you compromised a group linked to the NSA and stole their software in the process is one thing. Leaking several tools or so-called ‘exploits’ to prove your point is something completely different. The message contained a screenshot of several humorously named scripts:
A company using any of the products that were targeted by these leaked tools would be at immediate risk after the leak. Luckily most of the tools were designed to penetrate older firewalls and network appliances.
The public availability of an exploit increases the probability of an actual exploitation of the detected weakness. Unfortunately, this goes both ways; a detected vulnerability without a publicly known exploitation method will most likely go un-patched for a longer period of time due to the lower probability of being exploited. The problem with this way of thinking stems from the fast-paced changes in the information security world; exploit methods can become publicly available at any given moment.
Groups like the Equation Group want to create an advantage towards other intelligence agencies and state actors. This advantage is achieved by doing extensive research into new methods of compromising IT infrastructures and applications. These methods will remain in secrecy to maintain this competitive advantage.
So, we have responsible security researchers actively helping vendors by reporting detected vulnerabilities in software products and hardware appliances. Their objective put simply, is to prevent criminals from using these methods for financial gain or other malicious purposes. Not to mention, we have state actors such as the Equation Group hoarding these unknown vulnerabilities to maintain their competitive advantage.
It would be disastrous if cyber criminals trying to criminally profit got a hold of these techniques and methods that were developed by the NSA/TAO. And that is exactly what happened. How the tools were obtained is a mystery to this day. Some say an insider was responsible, others say that the tools were snagged from a compromised NSA/TAO deployment server. Nonetheless, attacks using the leaked exploits were observed in the wild shortly after the leak.
Now let us circle back to the start…the decision to maintain older firmware versions in your network were based on the fact that there were no public exploit methods available...this has now come back to haunt you. So what’s worst case scenario? Your network has been breached using attack methods, with names that are cringe worthy to say the least, that were applicable to older routers and firewalls. Updating and patching all network appliances, not just the appliances that pose more risk, because there are ready-to-use scripts available for exploitation, could have prevented this situation to begin with.
The Outpost24 portfolio contains several valuable in-house developed tools that identifies and targets vulnerabilities, whether these vulnerabilities have publicly known exploitation methods or not. The prioritization is done using CVSS scoring where publicly available exploits do not influence the scoring of detected vulnerabilities. We do however notify our customers of publicly available exploitation methods. We then combine these facts with our focus on solution-based reporting results in a competent and reliable vulnerability management solution.
Please contact your local Outpost24 representatives for more information about the Outpost24 Vulnerability Management portfolio.
Thank you for tuning in!
Until we meet again,