<div dir="ltr"><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/#backfromshadows">https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/#backfromshadows</a><br><br><p><span style="font-weight:400">While there has been some activity
since our last update on August 24th, it was not ground-breaking and
nothing that wasn’t expected. In fact, it was basically the same things
being rehashed and we decided to not even bother with a final wrap-up.</span></p>
<p><span style="font-weight:400">However, in the last couple days we
have had more activity that makes this story relevant and interesting,
and have decided to invest some additional time in updating the
coverage. But before we get into the events of the last couple days,
let’s bring everyone up to speed since the end of August.</span></p>
<p><span style="font-weight:400">During the month of August there was a
lot more conversation surrounding the issues that arise when governments hoard
vulnerabilities instead of notifying vendors. In fact,
there were even </span><a href="http://www.scmagazine.com/after-nsa-leaks-a-renewed-interest-in-vulnerability-disclosure/article/517952/"><span style="font-weight:400">calls for more transparency in the government’s disclosure process</span></a><span style="font-weight:400"> and the dreaded “</span><i><span style="font-weight:400">responsible disclosure</span></i><span style="font-weight:400">” debate was brought up yet again. Of course, the finding that, shortly after the leak, </span><a href="https://www.wired.com/2016/08/course-people-immediately-started-exploiting-leaked-nsa-vulnerabilities/"><span style="font-weight:400">people were already exploiting the vulnerabilities</span></a><span style="font-weight:400"> continued to pour gasoline on the fire.</span></p>
<p><span style="font-weight:400">There was also a fair amount of
continuing coverage on the dump files and the exploits that were already
leaked. At the end of August it was found that there was actually a </span><a href="http://motherboard.vice.com/read/nsa-huawei-firewalls-shadow-brokers-leak"><span style="font-weight:400">focus on Chinese firewall maker Huawei</span></a><span style="font-weight:400">, and
it was determined that the Equation Group was specifically targeting
them. The instruction file
included in one of the leaked files (</span><span style="font-weight:400">TURBO_install-new.txt</span><span style="font-weight:400">) contains references to </span><a href="http://huawei.com/ilink/en/solutions/broader-smarter/morematerial-b/HW_133061"><span style="font-weight:400">VRP</span></a><span style="font-weight:400"> 3.30, a version of Huawei’s proprietary operating system.</span></p>
<p><span style="font-weight:400">Huawei </span><a href="http://www.huawei.com/en/psirt/security-notices/huawei-sn-20160823-01-shadowbrokers-en"><span style="font-weight:400">released an advisory</span></a><span style="font-weight:400"> shortly after the initial leak:</span></p>
<blockquote><p><span style="font-weight:400">Up to now, Huawei has not
received any report about tool/script implantation in Huawei firewall
products. To help customers detect whether their firewall device BIOSes
and host software packages have been tampered with and remove implanted
tools/scripts, Huawei provides a patch package for checking the
integrity of the BIOSes and host software packages of the
Eudemon300/500/1000 series.</span></p></blockquote>
<p><span style="font-weight:400">The new information coming out that
Huawei was included as part of the Equation Group’s toolkit comes as no
surprise as they have been </span><a href="http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html"><span style="font-weight:400">known to be a target</span></a><span style="font-weight:400"> of the U.S. as demonstrated in the </span><a href="http://sinosphere.blogs.nytimes.com/2015/01/20/among-snowden-leaks-details-of-chinese-cyberespionage/"><span style="font-weight:400">documents leaked by Edward Snowden</span></a><span style="font-weight:400">.</span></p>
<p><a href="https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b481#.54b68ydo1"><span style="font-weight:400">On October 1st, the Shadow Brokers posted a message</span></a><span style="font-weight:400">
that was a stream of content, with some ranting that turned into a
‘Frequently Asked Questions’ format. The first point they addressed
was the previously covered concern that the auction
wasn’t real.</span></p>
<blockquote><p><span style="font-weight:400">TheShadowBrokers is realizing peoples is not thinking auction is being real?</span></p></blockquote>
<p><span style="font-weight:400">Their response was to explain that this auction is simply about money.</span></p>
<blockquote><p><span style="font-weight:400">TheShadowBrokers
EquationGroup Auction is sounding crazy but is being real. Expert
peoples is saying Equation Group Firewall Tool Kit worth $1million.
TheShadowBrokers is wanting that $1million.</span></p></blockquote>
<p><span style="font-weight:400">The post went on to cover a wide range of topics in question and answer format including:</span></p>
<blockquote><p><span style="font-weight:400">Q: Why not selling on underground?</span></p>
<p><span style="font-weight:400">Q: Why auctioning?</span></p>
<p><span style="font-weight:400">Q: Why public?</span></p>
<p><span style="font-weight:400">Q: Why “no refunds”?</span></p>
<p><span style="font-weight:400">Q: Why no expiration?</span></p>
<p><span style="font-weight:400">Q: Why bitcoin?</span></p>
<p><span style="font-weight:400">Q: How will theShadowBrokers cash out large sums?</span></p>
<p><span style="font-weight:400">Q: Why saying “don’t trust us”?</span></p>
<p><span style="font-weight:400">Q: Why not use escrow?</span></p>
<p><span style="font-weight:400">Q: 1,000,000 BTC or $1,000,000? Dr Evil? 5% of all bitcoin? Are you crazy?</span></p>
<p><span style="font-weight:400">Q: What are you auctioning?</span></p>
<p><span style="font-weight:400">Q: Is it a lie, scam, or trick?</span></p>
<p><span style="font-weight:400">Q: Too expensive. Why not break up, sell in pieces?</span></p>
<p><span style="font-weight:400">Q: Why files is being old?</span></p>
<p><span style="font-weight:400">Q: Is legal? Aren’t I buying stolen goods?</span></p>
<p><span style="font-weight:400">Q: Won’t the EquationGroup be coming after us?</span></p>
<p><span style="font-weight:400">Q: Will theShadowBrokers do interview?</span></p></blockquote>
<p><span style="font-weight:400">Even with the detailed answers in that
post, the concerns many had were clearly not relieved, and the
auction was not going according to plan for the Shadow Brokers as </span><a href="https://nakedsecurity.sophos.com/2016/10/03/shadow-brokers-are-disappointed-about-lack-of-interest-in-nsa-tools-auction/"><span style="font-weight:400">no one was bidding.</span></a><span style="font-weight:400"> As of October 1st, bids totaled only 1.76 bitcoins (approximately $1,082 USD), not even close to their goal.</span></p>
<p><a href="https://medium.com/@shadowbrokerss/begin-pgp-signed-message-hash-sha1-2a9aa03838a4#.8exaa2fly"><span style="font-weight:400">On October 15, there was another post</span></a><span style="font-weight:400">
that started talking about a new leak concerning Bill Clinton, but the
real meat was that the Shadow Brokers were calling off the auction:</span></p>
<blockquote><p><span style="font-weight:400">TheShadowBrokers is
deciding to leak the Bill Clinton Lorreta Lynch airplane conversation.
But first TheShadowBrokers is having other announcement.
TheShadowBrokers is being bored with auction so no more auction. Auction
off. Auction finish. Auction done. No winners. So who is wanting
password? TheShadowBrokers is publicly posting the password when receive
10,000 btc (ten thousand bitcoins). Same bitcoin address, same file,
password is crowdfunding. Sharing risk. Sharing reward. Everyone
winning. And now TheShadowBrokers is presenting the “Bill Clinton and
Lorreta Lynch Arizona Airplane Conversation”. Be enjoying!</span></p></blockquote>
<p><span style="font-weight:400">Now that the auction was closed, they decided </span><a href="http://siliconangle.com/blog/2016/10/18/the-shadow-brokers-are-now-crowdfunding-the-release-of-hacked-nsa-linked-hacking-tools/"><span style="font-weight:400">to create a crowdfunding campaign</span></a><span style="font-weight:400">
that hoped to raise the 10,000 bitcoin ($6.38 million USD at the time)
that they wanted for the Equation Group tools. If the goal was
met, they would publish the password so that everyone could decrypt the
second dump with additional stolen tools.</span></p>
<p><span style="font-weight:400">On October 20th, it became known
that federal prosecutors were going to charge Harold T. Martin
III, a former National Security Agency contractor, with violating the
Espionage Act. It appears that over a period of 20 years he “</span><i><span style="font-weight:400">took at least 50 terabytes of data and six full banker’s boxes worth of documents</span></i><span style="font-weight:400">.” Hal Martin was at that time labeled as the prime suspect behind The Shadow Brokers leaks, according to </span><a href="https://www.washingtonpost.com/world/national-security/government-alleges-massive-theft-by-nsa-contractor/2016/10/20/e021c380-96cc-11e6-bb29-bf2701dbe0a3_story.html"><span style="font-weight:400">a Washington Post report</span></a><span style="font-weight:400">.</span></p>
<p><span style="font-weight:400">On Halloween, October 31, the Shadow Brokers </span><a href="https://medium.com/@shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.jpoecytfl"><span style="font-weight:400">posted another message and dumped more files.</span></a><span style="font-weight:400"> </span><a href="https://motherboard.vice.com/read/shadow-brokers-nsa-hackers-dump-more-files"><span style="font-weight:400">The dump contains some 300 folders of files</span></a><span style="font-weight:400">,
all corresponding to different domains and IP addresses. Domains from
Russia, China, India, Sweden, and many other countries were included.
The latest dump lets potential victims of the Equation Group use
these files to determine whether they were targeted, or
compromised, by the NSA-linked unit.</span></p>
<p><span style="font-weight:400">An interesting tweet from </span><a href="https://twitter.com/musalbas/status/793001139310559232"><span style="font-weight:400">security researcher Mustafa Al-Bassam</span></a><span style="font-weight:400"> brings us back to the attribution conversation. </span><a href="https://twitter.com/musalbas/status/793001955824111616"><span style="font-weight:400">His observation was that the IP addresses</span></a><span style="font-weight:400"> may relate to servers the NSA has compromised and then used to deliver exploits, which makes attribution hard.</span></p>
<p><span style="font-weight:400">Even though the crowdfunding approach seemed much more reasonable, it didn’t generate much more interest.</span></p>
<p><a href="https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK?offset=0&filter=6"><span style="font-weight:400">The final statistics for the Auction</span></a><span style="font-weight:400"> were 69 Transactions with 2.006074 BTC received.</span></p>
<p><span style="font-weight:400">Now to the new activity!</span></p>
<p><span style="font-weight:400">If we look back to a </span><a href="http://pastebin.com/5R1SXJZp"><span style="font-weight:400">Pastebin post from August 28th</span></a><span style="font-weight:400">, we were given some insight on what was to potentially come next from the Shadow Brokers.</span></p>
<blockquote><p><span style="font-weight:400">We have more good shit.
But, no more free stuff. We intend make money for our risk. We prefer
serr in burk to more responsibre party. One more rikery to discrose than
hurt peopres. We give pubric auction one more week. Maybe a government,
security company, wearth individuar step up, do rite thing, get seen
doing it. If not, we assume no one interested and we start serring on
the underground. Rots of transparency and discrosure there.</span></p></blockquote>
<p><span style="font-weight:400">As described, the auction and the
subsequent crowdfunding campaign were not successful. The August
28th post suggested that if they did not get the money they were
seeking, they would then start to sell the exploits on the
underground. Some still believed the auction was not legitimate, and
therefore that selling the tools via other means was more misdirection.</span></p>
<p><span style="font-weight:400">However, it now appears that the </span><a href="http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale"><span style="font-weight:400">Shadow Brokers are trying to sell the tools directly</span></a><span style="font-weight:400"> to interested buyers. </span><a href="https://medium.com/@CleetusBocefus/are-the-shadow-brokers-selling-nsa-tools-on-zeronet-6c335891d62a#.i6bhfduse"><span style="font-weight:400">A user that goes by Boceffus Cleetus</span></a><span style="font-weight:400">, who describes themselves as a “</span><a href="https://zeronet.io/"><span style="font-weight:400">ZeroNet enthusiast</span></a><span style="font-weight:400">”, posted that it appeared the Shadow Brokers are selling the undisclosed NSA tools individually. </span><a href="https://twitter.com/CleetusBocefus"><span style="font-weight:400">Note that the Boceffus Cleetus Twitter account</span></a><span style="font-weight:400"> was only created in December 2016, apparently specifically to announce this information about the Shadow Brokers.</span></p>
<p><a href="http://motherboard.vice.com/read/a-brief-interview-with-the-shadow-brokers-the-hackers-selling-nsa-exploits"><span style="font-weight:400">Motherboard published a post</span></a><span style="font-weight:400"> saying that
they have attempted to contact The Shadow Brokers through various
channels since August with no luck. However, just this week
the group posted saying that they have not been arrested. This further
supports that The Shadow Brokers and Hal Martin (the arrested NSA
contractor), although possibly connected (e.g. Martin could be a member
of a larger group), are not necessarily one and the same, as </span><a href="https://motherboard.vice.com/read/while-alleged-nsa-thief-sits-in-detention-shadow-brokers-post-messages"><span style="font-weight:400">messages have continued to be posted</span></a><span style="font-weight:400"> since Martin’s arrest.</span></p>
<p><span style="font-weight:400">A further review of the site on
ZeroNet indicates that the Shadow Brokers are apparently selling the
Equation Group hacking tools for between one and 100 bitcoins each
($780 to $78,000 USD). All of the tools together can be acquired
for 1,000 bitcoins ($780,000 USD).</span></p>
<p><span style="font-weight:400">The site includes a long list of
supposed items for sale, with a similar naming convention as we saw
previously such as ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. </span></p>
<p><span style="font-weight:400">The folks over at </span><a href="https://www.myhackerhouse.com/merry-haxmas-shadowbrokers-strike-again/"><span style="font-weight:400">HackerHouse took a look and posted</span></a><span style="font-weight:400"> a more detailed analysis of the table of impacted software that the Shadow Brokers provided. HackerHouse has </span><a href="https://github.com/HackerFantastic/Public/blob/master/misc/EquationGroupUNIX.xlsx"><span style="font-weight:400">compiled the table into a spreadsheet</span></a><span style="font-weight:400"> and they believe that the “</span><i><span style="font-weight:400">data shows some very compelling information that this indeed could be an NSA and GCHQ toolkit</span></i><span style="font-weight:400">.”</span></p>
<p><span style="font-weight:400">They go on to say:</span></p>
<blockquote><p><span style="font-weight:400">There also appears to be
unpublished “0day” exploits for a number of platforms, with a heavy
focus on Solaris throughout the tool set distribution. This shows a very
mature and extensively developed set of tools for hacking UNIX servers
that is now available to anyone who wishes to try to purchase them. This
could have devastating consequences as several of these tools appear to
exploit unknown vulnerabilities.</span></p></blockquote>
<p><span style="font-weight:400">The following are some of what HackerHouse believe to be the </span><a href="https://www.myhackerhouse.com/merry-haxmas-shadowbrokers-strike-again/"><span style="font-weight:400">most interesting attacks not yet publicly known</span></a><span style="font-weight:400">.</span></p>
<ul><li style="font-weight:400"><span style="font-weight:400">Solaris RPC 0day </span></li><li style="font-weight:400"><span style="font-weight:400">Solaris CDE ttsession exploit </span></li><li style="font-weight:400"><span style="font-weight:400">Solaris iPlanet 5.2 Mail service exploit </span></li><li style="font-weight:400"><span style="font-weight:400">cPanel privilege escalation 0day & possible remote exploit </span></li><li style="font-weight:400"><span style="font-weight:400">Avaya Communications Manager attack </span></li><li style="font-weight:400"><span style="font-weight:400">Sendmail Linux exploit XORG Privilege escalation </span></li><li style="font-weight:400"><span style="font-weight:400">Apache local root exploit (0day?) </span></li><li style="font-weight:400"><span style="font-weight:400">Unknown additional exploits</span></li></ul>
<p><span style="font-weight:400">At RBS, we are always very interested
in the value of vulnerabilities, exploits and tools. Since the Shadow
Brokers are now selling each tool individually, we are able to see what
they believe each one to be worth. Looking over the spreadsheet,
it is clear that they consider the Implants the most valuable, as
they are priced the highest at $78,949.</span></p>
<p><span style="font-weight:400">So here we go again! What can we expect?</span></p>
<ul><li style="font-weight:400"><span style="font-weight:400">More attribution debates… of course!</span></li><li style="font-weight:400"><span style="font-weight:400">More analysis of the data, exploits, tools and targets</span></li><li style="font-weight:400"><span style="font-weight:400">Attacks being carried out, from people that buy the tools directly</span></li><li style="font-weight:400"><span style="font-weight:400">Attacks being carried out, from people that use this information to hunt for bugs</span></li><li style="font-weight:400"><span style="font-weight:400">Attacks being carried out by almost every government entity, reminding us where this all began.</span></li></ul>
<p><span style="font-weight:400">If you want to do some analysis on your own, the </span><a href="https://bit.no.com:43110/theshadowbrokers.bit/"><span style="font-weight:400">ShadowBroker files are posted here.</span></a></p></div></div></div></div></div></div></div></div>
</div>