An attack group calling itself the Shadow Brokers has released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools the attack group state were used by Equation. The Shadow Brokers said that the data dump was a sample of what had been stolen from hacking Equation and that the “best” files would be auctioned off to the highest bidder.
Equation was uncovered last year, when it was found to be using highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
Symantec Security Response is analyzing the data released by Shadow Brokers in order to assess the accuracy of the group's claims and will update our malware and exploit protections if necessary.
Q: How much data has been released?
A: Shadow Brokers released a 256-megabyte compressed archive containing around 4,000 files.
Q: What kinds of files are in the archive?
A: The files mainly appear to be installation scripts, configuration files, and exploits targeting a range of routers and firewall appliances.
Q: How old is the data?
A: Most of the files appear to be several years old, dating back to between 2010 and 2013.
Q: Does the data dump actually contain working exploits?
A: It will take some time to assess all of the released files. However, early indications are that at least some of the tools released are functioning exploits.
Q: What do we know about Shadow Brokers?
A: The group has no prior history. While it may be previously unknown, “Shadow Brokers” could also be a cover name for another group.
Q: What do we know about the unreleased data held by the group?
A: Very little. It has said it is keeping this a secret and simply claimed that it contains the “best” files.
Q: How will it auction the unreleased data?
A: The group provided a Bitcoin address and instructed interested parties to send Bitcoin to it. Losing bids would not be refunded and instead losing bidders would be granted “consolation prizes”. It claimed it was seeking to raise the incredibly large sum of 1 million Bitcoin (US$576.3 million) and, if it received this, it would publicly release more data.
Q: Is it possible this is a hoax?
A: While the files released are certainly not junk, it will take some time to fully establish if they are definitely linked to the Equation group.
Q: Does the data dump have links to any known tools?
A: Some of the files reference alleged US National Security Agency (NSA) tools named in the Edward Snowden leaks, e.g. “EPIC BANANA”, “EXTRA BACON”, and “ELIGIBLE CONTESTANT.” However, since these names were already public information it doesn’t provide proof of the files’ origin.
Update – August 18, 2016:
Q: There have been reports that leaked files contain a unique implementation of the RC5/RC6 encryption algorithm that has previously only been seen in Equation Group malware. Can you corroborate this?
A: We don’t believe this can prove a definite link between the two. The RC5/RC6 implementations are similar, in that some values used for instantiating the algorithm in their implementation were negated. However, further analysis by Symantec found a large number of files previously seen in the wild where these values were also present. We believe that the negated values might be an optimization introduced by the compiler used. In short, the similarities could have come about by accident rather than design.
Q: Have patches been released for any of the vulnerabilities disclosed in the leak?
A: To date, Cisco and Fortinet have issued security updates after exploits for their products were found in the leak. Cisco said that the leaked files contained exploits of two vulnerabilities affecting a number of its products: the Cisco ASA (Adaptive Security Appliance) and legacy Cisco PIX firewalls. The company has issued security advisories for both:
Cisco said that the while CVE-2016-6366 was a newly discovered vulnerability, CVE-2016-6367 had been fixed in 2011.
Meanwhile Fortinet has published a security advisory about a cookie parser buffer overflow vulnerability which it said affected older versions of its FortiGate (FOS) firmware, versions 4.3.8 and below. Customers are advised to upgrade to release 5.x or upgrade to 4.3.9 or above for models not compatible with 5.x.
Q: Did the leak include any exploits for Symantec products?
A: No exploits of Symantec products were found in the released files. Our investigation is still in progress.
Update – August 23, 2016:
Q: Are Juniper Networks products affected by the leak?
A: Juniper Networks has said the leak included tools targeting its NetScreen devices. “As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS,” a Juniper Networks spokesperson said. “We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.” The company said it would continue its analysis and publish any new information in a blog or security advisory once more is known.
Q: Has any money been sent to the Shadow Brokers yet?
A: Records associated with the Bitcoin address provided by the Shadow Brokers show that the group has received 63 payments totaling 1.76 Bitcoin (approximately US$1,023). The majority came from a single payment of 1.5 Bitcoin.
Q: Do Symantec products detect the tools released in the leak?
A: Symantec and Norton products protect against the malware and exploits found in the leak with the following detections:
Antivirus
Intrusion prevention