Shadow Brokers: NSA Exploits of the Week

Today an unknown group called Shadow Brokers started an auction after claiming they hacked Equation Group (NSA entity named like that by Kaspersky, and believed to be the author of Stuxnet & Flame) here: https://theshadowbrokers.tumblr.com/

Current Tumblr page

Update: The Tumblr got taken down on 15 August (PST)

Name

The name of the group seem to come from a video game called Mass Effect, and can originally be described as the following:

“The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business.”

This certainly help to understand the psychology behind the group, when it comes to the questions people keep asking such as

  • “Why is this auction so fishy ?”
  • “Do they really want half a billion USD?”
  • “Do they really have more files or is that it?”
  • “Is the auction real or just a distraction ?”

Ownership

The files were also present on github before the story broke on Twitter, using the GitHub API we can retrieve the email address of the original github user (who joined github on August 6, 2016, and pushed the files on August 13, 2016 — and the repositor taken down on August 15, 2016) as I mentioned on Twitter — Tutanota is a opensource end-to-end encryption software with cloud hosting which is also popular among ISIS — given what happened to Lavabit in the past it would be interesting to see what will be the response of the US Governement.

userll6gcwaknz@tutanota.com

Git Hub API output

Origin

As @thegrugq highlighted, having files (especially an extract of a toolkit) doesn’t necessary mean the NSA was hacked and whole their files got compromised. A theory would be a bad deployment.

Codenames

Update (16 Aug 2016): You can find a more extended list and description of the exploits, implants and tools from the toolkit from Mustafa Al Bassam here: https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html

Here are some code names that I extracted from the free files offered as a teaser on the Shadow broker blog, the main targets from this dump appeared to be Fortinet, TopSec, Cisco & Juniper firewalls.

Most of the code appears to be batch scripts and poorly coded python scripts, and seems to be a Toolkit against firewalls. Nonetheless, this appears to be legitimate code.

4 letters codename are from the EXPLOITS folder

For clarification, yes there are actual exploits in the dump, with a 2013 timestamp on files. We do not know if they are working as nobody as tried them, but they are actual exploits and not only references.

Update: (16 Aug 2016)
Some of the exploits are confirmed to be working:


EGBL = EGREGIOUS BLUNDER (Fortigate Firewall + HTTPD exploit (apparently 2006 CVE )
ELBA = ELIGIBLE BACHELOR
ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1)
ELCA = ELIGIBLE CANDIDATE
ELCO = ELIGIBLE CONTESTANT
EPBA = EPIC BANANA 
ESPL = ESCALATE PLOWMAN
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)

BANANAGLEE = Juniper Netscreen Devices
BARGLEE
BLATSTING
BUZZDIRECTION
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)

More details can be found in EQGRP-Auction-Files\eqgrp-free-file.tar\Firewall\SCRIPTS

Extra Bacon

Eligible Bachelor

Banana Glee

Banana Glee is particularly interesting because it allows references to the JETPLOW explaination from the 2014 NSA’s Tailored Access Operations (TAO) catalog.
https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html

Last words for today

As highlighted during the “backdoor debate” nation states will continue to try to justify backdoors. If intelligence agencies invest heavily in sabotaging technology products it means companies with valuable assets need to invest more in Incident Response.

Given the timeframe (Post-DNC hack), this could possibly be orchestrated by the Russian government so America will be stuck with Donald Trump as a President.

Update (16 Aug 2016): Kaspersky supports those files belongs to Equation Group:

And for those who thought that being a governmental agent was fun and like in James Bond movies — not sure what’s up but that’s definitely a lot of jokes around BANANAs, BOMBSHELLs & BACHELORs.

See also: The inside theory

Matt Suiche is the Founder of UAE based cyber security start up Comae Technologies