[BreachExchange] Shadow Brokers Back From The Shadows (December 19 Update)

Inga Goddijn inga at riskbasedsecurity.com
Mon Dec 19 10:09:34 EST 2016


https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/#backfromshadows

While there has been some activity since our last update on August 24th, it
was not ground-breaking and nothing that wasn’t expected. In fact, it was
basically the same material being rehashed, and we decided not to bother
with a final wrap-up.

However, in the last couple days we have had more activity that makes this
story relevant and interesting, and have decided to invest some additional
time in updating the coverage. But before we get into the events of the
last couple days, let’s bring everyone up to speed since the end of August.

During the month of August there was a lot more conversation surrounding
the issue of governments hoarding vulnerabilities and not notifying vendors.
In fact, there were even calls for more transparency in the government’s
disclosure process
<http://www.scmagazine.com/after-nsa-leaks-a-renewed-interest-in-vulnerability-disclosure/article/517952/>
and the dreaded “*responsible disclosure*” debate was brought up yet again.
Of course, the finding that people were already exploiting the leaked
vulnerabilities shortly after the leak
<https://www.wired.com/2016/08/course-people-immediately-started-exploiting-leaked-nsa-vulnerabilities/>
continued to pour gasoline on the fire.

There was also a fair amount of continuing coverage on the dump files and
the exploits that were already leaked. At the end of August it was found
that there was actually a focus on Chinese firewall maker Huawei
<http://motherboard.vice.com/read/nsa-huawei-firewalls-shadow-brokers-leak>,
and it was determined that the Equation Group was specifically targeting
them. The instruction file included in one of the leaked files
(TURBO_install-new.txt) contains references to VRP
<http://huawei.com/ilink/en/solutions/broader-smarter/morematerial-b/HW_133061>
3.30, a version of Huawei’s proprietary operating system.

Huawei released an advisory
<http://www.huawei.com/en/psirt/security-notices/huawei-sn-20160823-01-shadowbrokers-en>
shortly after the initial leak:

Up to now, Huawei has not received any report about tool/script
implantation in Huawei firewall products. To help customers detect whether
their firewall device BIOSes and host software packages have been tampered
with and remove implanted tools/scripts, Huawei provides a patch package
for checking the integrity of the BIOSes and host software packages of the
Eudemon300/500/1000 series.

The new information that Huawei was included as part of the Equation
Group’s toolkit comes as no surprise, as they have been known to be a target
<http://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html>
of the U.S., as demonstrated in the documents leaked by Edward Snowden
<http://sinosphere.blogs.nytimes.com/2015/01/20/among-snowden-leaks-details-of-chinese-cyberespionage/>.

On October 1st, the Shadow Brokers posted a message
<https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b481#.54b68ydo1>
that was a stream of content, with some ranting that turned into a
‘Frequently Asked Questions’ format. The first point that they addressed
was the previously covered concern that the auction wasn’t real.

TheShadowBrokers is realizing peoples is not thinking auction is being real?

Their response was to explain that the auction is just about money.

TheShadowBrokers EquationGroup Auction is sounding crazy but is being real.
Expert peoples is saying Equation Group Firewall Tool Kit worth $1million.
TheShadowBrokers is wanting that $1million.

The post went on to cover a wide range of topics in question and answer
format including:

Q: Why not selling on underground?

Q: Why auctioning?

Q: Why public?

Q: Why “no refunds”?

Q: Why no expiration?

Q: Why bitcoin?

Q: How will theShadowBrokers cash out large sums?

Q: Why saying “don’t trust us”?

Q: Why not use escrow?

Q: 1,000,000 BTC or $1,000,000? Dr Evil? 5% of all bitcoin? Are you crazy?

Q: What are you auctioning?

Q: Is it a lie, scam, or trick?

Q: Too expensive. Why not break up, sell in pieces?

Q: Why files is being old?

Q: Is legal? Aren’t I buying stolen goods?

Q: Won’t the EquationGroup be coming after us?

Q: Will theShadowBrokers do interview?

Even with the detailed answers in that post, the concerns many had were
clearly not relieved, and the auction was not going according to plan for
the Shadow Brokers, as no one was bidding.
<https://nakedsecurity.sophos.com/2016/10/03/shadow-brokers-are-disappointed-about-lack-of-interest-in-nsa-tools-auction/>
As of October 1st, bids totaled only 1.76 bitcoins (approximately $1,082
USD), not even close to their goal.

On October 15, there was another post
<https://medium.com/@shadowbrokerss/begin-pgp-signed-message-hash-sha1-2a9aa03838a4#.8exaa2fly>
that started talking about a new leak concerning Bill Clinton, but the real
meat was that the Shadow Brokers were calling off the auction:

TheShadowBrokers is deciding to leak the Bill Clinton Lorreta Lynch
airplane conversation. But first TheShadowBrokers is having other
announcement. TheShadowBrokers is being bored with auction so no more
auction. Auction off. Auction finish. Auction done. No winners. So who is
wanting password? TheShadowBrokers is publicly posting the password when
receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same
file, password is crowdfunding. Sharing risk. Sharing reward. Everyone
winning. And now TheShadowBrokers is presenting the “Bill Clinton and
Lorreta Lynch Arizona Airplane Conversation”. Be enjoying!

Now that the auction was closed, they decided to create a crowdfunding
campaign
<http://siliconangle.com/blog/2016/10/18/the-shadow-brokers-are-now-crowdfunding-the-release-of-hacked-nsa-linked-hacking-tools/>
that hoped to raise the 10,000 bitcoin ($6.38 million USD at the time) they
wanted for the Equation Group tools. If the goal was met, they would publish
the password so that everyone could decrypt the second dump containing
additional stolen tools.

On October 20th, it became known that federal prosecutors planned to charge
Harold T. Martin III, a former National Security Agency contractor, with
violating the Espionage Act. It appears that over a period of 20 years he
“*took at least 50 terabytes of data and six full banker’s boxes worth of
documents*.” Hal Martin was at that time labeled the prime suspect behind
the Shadow Brokers leaks, according to a Washington Post report
<https://www.washingtonpost.com/world/national-security/government-alleges-massive-theft-by-nsa-contractor/2016/10/20/e021c380-96cc-11e6-bb29-bf2701dbe0a3_story.html>.

On Halloween, October 31, the Shadow Brokers posted another message and
dumped more files.
<https://medium.com/@shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.jpoecytfl>
The dump contains some 300 folders of files
<https://motherboard.vice.com/read/shadow-brokers-nsa-hackers-dump-more-files>,
all corresponding to different domains and IP addresses. Domains from
Russia, China, India, Sweden, and many other countries were included. The
latest dump allows potential victims of the Equation Group to use these
files to determine whether they were targeted, or compromised, by the
NSA-linked unit.

An interesting tweet from security researcher Mustafa Al-Bassam
<https://twitter.com/musalbas/status/793001139310559232> brings us back to
the attribution conversation. His observation was that the IP addresses
<https://twitter.com/musalbas/status/793001955824111616> may relate to
servers the NSA compromised and then used to deliver exploits, making
attribution hard.

Even though the crowdfunding approach seemed much more reasonable, it
didn’t generate much more interest.

The final statistics for the auction
<https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK?offset=0&filter=6>
were 69 transactions with 2.006074 BTC received.

Now to the new activity!

If we look back to a Pastebin post from August 28th
<http://pastebin.com/5R1SXJZp>, we were given some insight into what might
come next from the Shadow Brokers.

We have more good shit. But, no more free stuff. We intend make money for
our risk. We prefer serr in burk to more responsibre party. One more rikery
to discrose than hurt peopres. We give pubric auction one more week. Maybe
a government, security company, wearth individuar step up, do rite thing,
get seen doing it. If not, we assume no one interested and we start serring
on the underground. Rots of transparency and discrosure there.

As described, the auction and the subsequent crowdfunding campaign were not
successful. The August 28th post suggested that if they did not get the
money they were seeking, they would start to sell the exploits on the
underground. Some still believed the auction was not legitimate, and
therefore that selling the tools via other means was more misdirection.

However, it now appears that the Shadow Brokers are trying to sell the
tools directly
<http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale>
to interested buyers. A user who goes by Boceffus Cleetus
<https://medium.com/@CleetusBocefus/are-the-shadow-brokers-selling-nsa-tools-on-zeronet-6c335891d62a#.i6bhfduse>,
who describes themselves as a “ZeroNet enthusiast <https://zeronet.io/>”,
posted that it appeared the Shadow Brokers are selling the undisclosed NSA
tools individually. Note that the Boceffus Cleetus Twitter account
<https://twitter.com/CleetusBocefus> was only created in December 2016,
apparently specifically to announce this information about the Shadow
Brokers.

Motherboard published a post
<http://motherboard.vice.com/read/a-brief-interview-with-the-shadow-brokers-the-hackers-selling-nsa-exploits>
saying that they had attempted to contact the Shadow Brokers through various
channels since August with no luck. However, just this week the group posted
a message saying that they have not been arrested. This further supports
that the Shadow Brokers and Hal Martin (the arrested NSA contractor),
although possibly connected (e.g. Martin could be a member of a larger
group), are not necessarily one and the same, as messages have continued to
be posted
<https://motherboard.vice.com/read/while-alleged-nsa-thief-sits-in-detention-shadow-brokers-post-messages>
since Martin’s arrest.

Further review of the site on ZeroNet indicates that the Shadow Brokers are
apparently selling the Equation Group hacking tools for between one and 100
bitcoins each ($780 to $78,000 USD). All of the tools together can be
acquired for 1,000 bitcoins ($780,000 USD).

The site includes a long list of supposed items for sale, with a similar
naming convention as we saw previously such as ENVOYTOMATO, EGGBASKET, and
YELLOWSPIRIT.

The folks over at HackerHouse took a look and posted
<https://www.myhackerhouse.com/merry-haxmas-shadowbrokers-strike-again/>
a more detailed analysis of the table of impacted software that the Shadow
Brokers provided. HackerHouse has compiled the table into a spreadsheet
<https://github.com/HackerFantastic/Public/blob/master/misc/EquationGroupUNIX.xlsx>
and they believe that the “*data shows some very compelling information
that this indeed could be an NSA and GCHQ toolkit*.”

They go on to say:

There also appears to be unpublished “0day” exploits for a number of
platforms, with a heavy focus on Solaris throughout the tool set
distribution. This shows a very mature and extensively developed set of
tools for hacking UNIX servers that is now available to anyone who wishes
to try to purchase them. This could have devastating consequences as
several of these tools appear to exploit unknown vulnerabilities.

The following are some of what HackerHouse believes are the most interesting
attacks not yet publicly known
<https://www.myhackerhouse.com/merry-haxmas-shadowbrokers-strike-again/>.

   - Solaris RPC 0day
   - Solaris CDE ttsession exploit
   - Solaris iPlanet 5.2 Mail service exploit
   - cPanel privilege escalation 0day & possible remote exploit
   - Avaya Communications Manager attack
   - Sendmail Linux exploit XORG Privilege escalation
   - Apache local root exploit (0day?)
   - Unknown additional exploits

At RBS, we are always very interested in the value of vulnerabilities,
exploits and tools. Since the Shadow Brokers are now selling each tool
individually, we are able to see what they believe to be the value of each.
Looking over the spreadsheet, it is clear that they believe the implants
are the most valuable, as they are priced the highest at $78,949.

So here we go again! What can we expect?

   - More attribution debates… of course!
   - More analysis of the data, exploits, tools and targets
   - Attacks carried out by people who buy the tools directly
   - Attacks carried out by people who use this information to hunt for bugs
   - Attacks carried out by almost every government entity, reminding us
   where this all began.

If you want to do some analysis on your own, the Shadow Brokers’ files are
posted here: <https://bit.no.com:43110/theshadowbrokers.bit/>