
Leaked NSA Tools Incriminated in Cisco Firewall Attacks

Some of Cisco's firewall appliance products have been targeted by purportedly leaked U.S. National Security Agency (NSA) hacking tools, the networking giant said last week.

The targeted firewalls include Cisco's current Adaptive Security Appliance (ASA) and its deprecated PIX products. Cisco ended PIX sales in 2009. The Cisco Product Security Incident Response team investigated disclosures by the "Shadow Brokers," a hacking entity that has been auctioning off exploit code used by the "Equation Group." Supposedly, the Equation Group is a reference to the NSA.

The Cisco team published a summary of two vulnerabilities at this page. Cisco identified eight exploit tools released by the Shadow Brokers, noting that three of the tools (ExtraBacon, EpicBanana and JetFlow) have references to Cisco products. The code used in the stolen tools is "dated around 2013 or older," Cisco noted in a blog post.

A New York Times article speculated that the 2013 date of the exploit files reflects NSA security measures taken around that time. The idea is that the NSA took additional measures at that time after press disclosures of NSA documents leaked by former NSA contractor and whistleblower Edward Snowden.

Both of the targeted Cisco firewall flaws could enable remote code execution attacks. One of the flaws, targeted by ExtraBacon, is a newly discovered vulnerability in Cisco ASA. In response, Cisco released signatures to detect the problem, but it hasn't issued a fix yet.

The other flaw is an ASA CLI defect that Cisco patched in 2011. It's targeted by EpicBanana and could lead to denial-of-service attacks. The JetFlow hacking tool is used by EpicBanana, but its purpose wasn't explained.

A security researcher has claimed that another hacking tool up for auction, called "BenignCertain," also targets Cisco PIX products, potentially enabling private key discovery, as noted in this Motherboard story.

An article by The Intercept offered evidence that at least one of the tools up for auction, called "SecondDate," really is a leaked NSA hacking tool. That tool uses a specific name for a tracing string that's referenced in a new NSA document leaked by Snowden. SecondDate is designed to "intercept Web requests" and point browsers to malware-infected NSA Web servers, the article explained.

The purportedly leaked NSA hacking tools likely target flaws in other security products as well. An Ars Technica article suggested that a Fortinet FortiGate buffer overflow vulnerability was targeted by EgregiousBlunder, another hacking tool that's alleged to originate from the NSA.

Commenting via Twitter, Snowden last week noted that these flaws in U.S. networks went unaddressed for more than three years to support NSA offensive purposes. However, "the inevitable consequence of maintaining known vulnerabilities in US products is their discovery by enemies."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
