Earlier this week, a group calling themselves the Shadow Brokers hacked a group linked to the NSA called the Equation Group. Researchers have been poring over the released data, discovering multiple exploits and vulnerabilities. Now it seems they have found an attack that can extract VPN passwords from certain Cisco products.
The NSA Hack
One or more hackers going by the name of “Shadow Brokers” (SB) claim to have hacked a group believed to be linked to the NSA called the Equation Group (EG). The Shadow Brokers released a batch of EG hacking tools, then asked for 1 million bitcoin in an auction to release more files. A million bitcoin is about $568 million.
In a manifesto, the SB said,
“Attention government sponsors of cyber warfare and those who profit from it!!!! How much you pay for enemies cyber weapons? We find cyber weapons made by creators of stuxnet, duqu, flame.”
Most of the tools, which date back to 2013, were designed to target firewalls. Corporations and governments use firewalls to keep out attackers, but with the right exploit a hacker can circumvent the firewall and infiltrate the network.
Security researcher Mustafa Al-Bassam published a list of the tools. He suggests that some of the exploits allow for remote code execution, meaning a hacker can run their own commands on the target machine. Other attacks provide privilege escalation, a term for gaining root/administrator access. The targeted products include those by Cisco, Fortigate, TOPSEC, Watchguard, Juniper and other unknown vendors. Al-Bassam lists 39 tools in all.
A theory put forth by a former NSA insider says that the Shadow Brokers could be a rogue insider. The unknown person told Motherboard,
“My colleagues and I are fairly certain that this was no hack, or group for that matter. This ‘Shadow Brokers’ character is one guy, an insider employee.”
He goes on to say that it is much easier for an insider to steal the data that the Shadow Brokers released online than for an outsider to take it. Occam’s Razor suggests this is the most plausible theory, at least for now.
Hacking VPN Passwords
On his blog post, security researcher Mustafa Al-Bassam documents a hacking tool with the codename BENIGNCERTAIN. He calls the attack “PixPocket” because the tool targets Cisco PIX. PIX is Cisco’s popular firewall and VPN product, now discontinued.
After analyzing the code, Al-Bassam found that the tool works. He sent a packet to the target device that forces it to dump part of its memory. The dump includes the authentication password used to log into the VPN on the device. Another researcher, Brian Waters, tested this attack on his own equipment and successfully obtained the VPN preshared key.
Waters goes on to say “It’s proof that in a VPN that uses authentication with preshared keys, the NSA could have remotely sent a packet to that VPN from an outside Internet IP and grabbed a preshared key…with access to the preshared key, they could decrypt any traffic.”
Although BENIGNCERTAIN references PIX versions 5.2(9) up to 6.3(4), Waters said he used the attack on hardware running the 6.3(5) version. It is also possible that the attack is capable of extracting private encryption keys from the VPNs too. Waters could not test that, however.
In a blog post, Cisco wrote, “Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. The Cisco PIX product line is ‘End of Life’ and has been end of support for many years.”