[SingCERT] Advisory on Shadow Brokers Leaked Tools Targeting Popular Network Devices

Published on Thursday, 01 September 2016 10:48

Background

On 13 August 2016, a group named Shadow Brokers released a large number of hacking tools targeting specific network devices, including Cisco, WatchGuard and Fortinet equipment. The leaked files contain exploits, discovery tools, implants and documentation on how to use the tools. Users and organisations running the affected products are advised to assess and patch them immediately.

Affected Products and Versions

Currently, the following products and versions are known to be affected:

  • Cisco ASA 8.4(3) and earlier
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls*
  • Cisco Firewall Services Module (FWSM)*
  • FortiGate (FortiOS) 4.3.8 and below
  • FortiGate (FortiOS) 4.2.12 and below
  • FortiGate (FortiOS) 4.1.10 and below
  • FortiSwitch 3.4.2 and below
  • WatchGuard RapidStream devices

* These products have reached their End-of-Life (EOL). Cisco will not be releasing any patches or fixes for these devices.

Impact

Several of the leaked tools have been verified to be fully functional. They allow a remote attacker to bypass authentication, gain administrative control of the device, and steal sensitive information such as VPN passwords or cryptographic keys that are cached or stored on a vulnerable device. They also allow an attacker to snoop on unencrypted traffic passing through the device and to inject traffic onto the victim’s network. From a security perspective, the impact of these tools is severe.

Recommendations

  1. Verify that all the affected devices listed in the Affected Products and Versions section are not compromised.
  2. If there are signs of compromise:
    1. Back up the device’s configuration files.
    2. Reinstall a clean version of the device’s firmware and reconfigure the device.
  3. Where upgrades and patches are available, update the devices to the latest version.
  4. Restrict Secure Shell (SSH) and/or Telnet logins to the devices to a few trusted IP addresses only.
  5. Wherever possible, enable multi-factor authentication on the device.
  6. Review the vendor’s documentation and manuals to secure and harden the device’s configuration.
  7. Plan to decommission and upgrade end-of-life (EOL) devices to ensure that you will still be able to receive security updates from the vendor.
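As an added illustration of recommendations 3 and 4 above (this script is not part of the SingCERT advisory or of any vendor tooling): a small Python audit of an exported Cisco ASA running configuration that flags a software version within the range listed as affected, Telnet management access, SSH access permitted from any source address, and well-known default SNMP community strings. The two configuration excerpts are constructed samples; the ASA command forms it recognises (`ASA Version x.y(z)`, `ssh|telnet <ip> <mask> <interface>`, `snmp-server ... community <string>`) are the standard ones, and the version threshold 8.4(3) is taken from the advisory.

```python
import re

# Constructed sample of a weak ASA running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
: Saved
:
ASA Version 8.4(2)
!
hostname edge-fw
!
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.5.0 255.255.255.0 management
ssh timeout 5
snmp-server host inside 10.10.5.20 community public version 2c
"""

# Constructed sample of a configuration that follows the recommendations.
HARDENED_CONFIG = """\
ASA Version 9.1(7)
!
hostname edge-fw
!
ssh 10.10.5.0 255.255.255.0 management
ssh timeout 5
ssh version 2
snmp-server host management 10.10.5.20 community S3cure-Str1ng version 2c
"""

# Highest ASA release the advisory lists as affected: 8.4(3) and earlier.
AFFECTED_ASA_MAX = (8, 4, 3)

# Community strings that ship as defaults on many SNMP agents.
DEFAULT_COMMUNITIES = {"public", "private"}

# Recognises top-level IPv4 access lines: "ssh|telnet <ip> <mask> <interface>".
# Lines such as "ssh timeout 5" or "ssh version 2" have fewer fields and do not match.
ACCESS_LINE = re.compile(r"^(ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SNMP_LINE = re.compile(r"^snmp-server\b.*\bcommunity\s+(\S+)")
VERSION_LINE = re.compile(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", re.MULTILINE)


def parse_asa_version(config_text):
    """Return the ASA software version as a tuple, e.g. (8, 4, 3), or None if absent."""
    m = VERSION_LINE.search(config_text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def audit_asa_config(config_text):
    """Return a list of (category, detail) findings for the advisory's hardening points."""
    findings = []

    version = parse_asa_version(config_text)
    if version is None:
        findings.append(("version-unknown", "could not determine ASA version"))
    elif version <= AFFECTED_ASA_MAX:
        findings.append(("version-affected",
                         "ASA %d.%d(%d) is within the range listed as affected" % version))

    for line in config_text.splitlines():
        line = line.strip()
        m = ACCESS_LINE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            if proto == "telnet":
                # Recommendation 4: Telnet is unencrypted management access.
                findings.append(("telnet-enabled", "telnet permitted from %s on %s" % (ip, iface)))
            elif ip == "0.0.0.0" and mask == "0.0.0.0":
                # Recommendation 4: SSH should be limited to a few trusted addresses.
                findings.append(("ssh-any-source", "ssh permitted from any address on %s" % iface))
            continue
        m = SNMP_LINE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-default-community",
                             "default SNMP community string %r in use" % m.group(1)))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("== %s config ==" % name)
        for category, detail in audit_asa_config(cfg) or [("ok", "no findings")]:
            print("%-24s %s" % (category, detail))
```

Run it against the saved output of `show running-config` from each appliance in scope. It only understands IPv4 access lines, and on builds that mask SNMP community strings in the running configuration the SNMP check will not fire; the version check implements exactly the range this advisory lists and should be re-read against the vendor advisories in the References once newer fixed releases are published.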

References

https://blogs.cisco.com/security/shadow-brokers
http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli
http://fortiguard.com/advisory/FG-IR-16-023
https://www.secplicity.org/2016/08/16/nsa-equation-group-exploit-leak-mean/
http://www.topsec.com.cn/aqtb/aqtb1/jjtg/160820.htm
http://www.huawei.com/en/psirt/security-notices/huawei-sn-20160823-01-shadowbrokers-en
https://forums.juniper.net/t5/Security-Incident-Response/Shadow-Brokers-Release-of-Hacking-Code/ba-p/296128
https://devcentral.f5.com/articles/leaked-shadowbrokers-tools-does-not-target-f5-networks-21700
https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html
http://cert.europa.eu/static/SecurityAdvisories/CERT-EU-SA2016-133.pdf
https://www.cert.gov.uk/resources/advisories/advisory-multiple-vulnerabilities-in-various-products-posted-online/
https://xorcat.net/2016/08/16/equationgroup-tool-leak-extrabacon-demo/
https://xorcat.net/2016/08/19/equation-group-crashing-asas-follow-up/