Santa adding ShadowBrokers to his naughty list.

The ShadowBrokers have released details of another selection of software from the Equation Group auction files. This time the items are listed for individual sale on a ZeroNet website, each with a brief description of what the software could be used for. We took a look at the latest leaked data to assess what impact these files could have and what you may need to do to stop them affecting your organization.

The ShadowBrokers provide a table of software in which each item is given a type classification and a price. A total of 56 entries are detailed in the table, each with a brief one-word description of the software's purpose. A PGP-signed collection of files accompanies the price table, which allows the authenticity of the data to be validated. The image below shows that the collection has been signed and originates from the same group or individual responsible for the previous leaks. We found some discrepancies between the files and the table, but the data mostly supports the ShadowBrokers' classification of each tool.

The file collection consists of the output of the “find” command run in each project directory, alongside a screenshot of a file system browsing utility, which has the added benefit of providing file type information. The bulk of these projects are not provided in source code form and instead appear to be binary files. This strengthens the hypothesis that the files were taken from an operational staging post or obtained from a field operation by a third party: binaries are what get distributed to team members and used in operations, whereas source code in the collection would point more towards an insider leak. There is no conclusive evidence to identify the source of the leak, so we will focus on the risks that the unreleased data may introduce.
In addition to the screenshot and find output, some entries contain snippets of usage data, and in one case a full-blown man page is provided! The team at Hacker House has been able to determine the following information about the as-yet-unreleased Equation Group toolkits. The price of each item has been converted to USD from the current Bitcoin market rate.

We compiled the table above into a spreadsheet which you can download here. The data is compelling evidence that this could indeed be an NSA and GCHQ toolkit. The ShadowBrokers themselves have alluded on social media that some of these tools may have been used in the “Belgacom” intrusion, and the “curses” tool certainly appears to be built specifically for the telecoms world: its output includes file and folder structures from Siemens Mobile Switching Centre (MSC) equipment, not usually seen outside of telecommunication carriers. There also appear to be unpublished “0day” exploits for a number of platforms, with a heavy focus on Solaris throughout the tool set. This shows a very mature and extensively developed set of tools for hacking UNIX servers, now available to anyone who wishes to purchase them. That could have devastating consequences, as several of these tools appear to exploit vulnerabilities that are not publicly known. The following highlights some of the most interesting attacks that are not yet publicly known.

  • Solaris RPC 0day
  • Solaris CDE ttsession exploit
  • Solaris iPlanet 5.2 Mail service exploit
  • cPanel privilege escalation 0day & possible remote exploit
  • Avaya Communications Manager attack
  • Sendmail Linux exploit
  • XORG Privilege escalation
  • Apache local root exploit (0day?)
  • Unknown additional exploits

The Solaris RPC exploit appears to target a range of RPC services and could be used to compromise ANY Solaris server with exposed RPC services. This particular exploit, EBBISLAND, is a holy grail of infrastructure attack tools and could have a wide impact, much like the previously leaked EXTRABACON Cisco ASA attack. The EBBISLAND exploit data suggests that it uses findsock() routines for payload management: rather than opening a listener or connecting back to the attacker, the payload locates the file descriptor of the connection the exploit arrived on and reuses it, so no new network connection is created. This indicates its authors developed it to avoid detection and provide a high degree of stealth. Until more is known about this exploit, administrators should ensure that all Solaris RPC services (the rpcbind portmapper on port 111 and every program it registers) are blocked from untrusted networks, especially the Internet, and that RPC services which are not needed are disabled.

Additional attacks can be used to compromise older, legacy UNIX/Linux server estates. ENGLANDBOGGY, for example, is a privilege escalation attack that appears to load a shared library into a privileged XORG process for local root access. Another privilege escalation, ENDLESSDONUT, elevates a user from the “nobody” uid to “root” via exploitation of Apache httpd, a particularly interesting attack.

The file listings also contain a number of tools designed for stealthy operation on a compromised UNIX host, and as such could be vital for forensic analysts and incident response teams attempting to determine whether they have been impacted by the Equation Group and its tools. Among the collection is the man page for a forensically aware network capture tool that appears to have been developed professionally. The output below shows the man page provided for the “strifeworld” tool.
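As a concrete check for the RPC exposure advice above, here is an added example (not code from the original post, and not from any of the leaked tools) that audits which ONC RPC programs a Solaris host registers with rpcbind. It parses the output of rpcinfo -p, which is assumed to have the standard program/vers/proto/port/service column layout with one header line, lists every registration other than the portmapper itself, and emits IPFilter block rules for the ports found. The sample rpcinfo output embedded in the script is constructed for the demonstration; the function and variable names are ours.

```shell
#!/bin/sh
# Added example, not part of the original post or of any leaked tool.
# Audit the ONC RPC programs a Solaris host registers with rpcbind, from the
# output of "rpcinfo -p". Assumption: rpcinfo prints the classic five-column
# layout "program vers proto port service" with one header line.

# Constructed sample of "rpcinfo -p" output for the demonstration.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    3   udp  32770  mountd
    100003    3   tcp   2049  nfs
    100021    4   tcp   4045  nlockmgr
    100024    1   udp  32771  status
    100011    1   udp  32772  rquotad'

# list_rpc_exposure: read rpcinfo output on stdin and print one line
# "program proto port service" per registration other than the portmapper
# itself (program 100000). Multiple versions of one program are collapsed.
list_rpc_exposure() {
    awk '$1 ~ /^[0-9]+$/ && $1 != 100000 {
            key = $1 " " $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# count_rpc_exposure: number of exposed registrations in rpcinfo output on stdin.
count_rpc_exposure() {
    list_rpc_exposure | wc -l | tr -d ' '
}

# ipf_block_rules: turn list_rpc_exposure output into IPFilter rules that drop
# inbound traffic to each registered port. A stop-gap: filter the ports until
# the service itself is disabled, and block rpcbind (111/tcp, 111/udp) too.
ipf_block_rules() {
    awk '{ printf "block in quick proto %s from any to any port = %s\n", $2, $3 }'
}

# audit_host: query a live host (needs rpcinfo on the auditing machine).
audit_host() {
    rpcinfo -p "$1" | list_rpc_exposure
}

# Demonstration on the constructed sample.
echo "Exposed RPC registrations (sample):"
printf '%s\n' "$SAMPLE_RPCINFO" | list_rpc_exposure
echo "Suggested ipf rules:"
printf '%s\n' "$SAMPLE_RPCINFO" | list_rpc_exposure | ipf_block_rules
```

Run audit_host against each Solaris box from a machine that has rpcinfo. Any program listed that is not required should be disabled on the server itself (svcadm disable on Solaris 10 and later) rather than merely filtered, and rpcbind should never be reachable from the Internet. The generated ipf rules are only a stop-gap for the listed ports: most RPC services register dynamic ports with rpcbind, so port-based filtering has to be re-checked after every reboot, which is why blocking port 111 and removing the service is the durable fix.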

Information on the JACKLADDER and INCISION tools contained in the release could assist forensics teams analyzing HP-UX servers that may have been compromised: it exposes indicators of compromise such as the process names the tools use, alongside network port configuration data. This latest leak gives strong evidence that a highly valuable cache of weaponized exploits and attack tools used for espionage purposes has indeed leaked to a third party. These tools are now in the hands of unknown threat actors and could be distributed to further parties. One of the tools has most certainly been implicated in the Belgacom hack, and this leak, combined with the previous ones, may help other organizations identify whether they have been victims of this APT group. Evidence is beginning to mount that the tools may indeed be the craftsmanship of the NSA and GCHQ. It would appear that, through bad tradecraft or a deliberate leak, these exploits and tools are now available to third parties, highlighting the very real risk of the militarization of cyber space when tools are compromised. The ShadowBrokers' original files are posted here. Merry Christmas, and if anyone is wondering what to get our team this festive season, EBBISLAND would be highly desired!
