Update 4: Added link to Cisco blog and CVEs for JETPLOW, EPICBANANA, EXTRABACON.
Update 3: Added links to confirmed(?) test use of EgregiousBlunder and ExtraBacon exploits. Added a bit of information about ELBA (Eligible Bachelor).
This is an updated version of my write-up of the release of Equation Group hacking files, tools, and exploits by a group called ShadowBrokers. The ShadowBrokers group has released some of the files publicly, and are auctioning off the rest. Here, I look at the publicly released files.
The Equation Group is a sophisticated cyber attack group, which is believed by many to be linked to the NSA. Indeed, a number of the codenames contained in the files were disclosed in documents leaked by Edward Snowden.
The comments on the files and exploits come from reading the source code, scripts, and documentation. I haven’t tried excecuting or looking inside any of the binaries. Some of what comes below is the result of speculation or inference, and probably wrong. I’ll keep updating this as I learn more.
The most recent timestamp on any of the released files is from 2013, implying that the ShadowBrokers have been sitting on the files for a couple of years, waiting for a good time to release them. So, why now?
Edward Snowden, in a series of tweets starting here, speculates that the files could have been released to attempt to lessen the response to the DNC hacks. Snowden speculates that ShadowBrokers is likely a Russian group, so proving that they accessed a server by releasing these files means that there is a possibility that they can prove that the US was responsible for attacks launched from that server. Retaliation for the DNC hacks might then be followed by the release of information that implicates the US in other cyber operations—potentially harmful, especially if the ops were directed at allies or elections.
Update: Thomas Rid has an interesting series of tweets, starting here that consider whether Snowden’s messages could have been (or could be interpreted as) a signal from Russian intelligence to Five Eyes intelligence.
ShadowBrokers have released two files, but have provided the decryption key for just one of them. The other, they claim, will be provided to the winner of an auction.
The winner of the auction is the person or group that sends the most bitcoins to a specified address. There is no set end time for the auction—it will end when ShadowBrokers decide to end it. There are no refunds; if you do not win the auction, ShadowBrokers will still keep the BTC you sent. You can see the number of BTC that have been sent to the specified address here.
At the time of writing, a total of about 1.627 BTC (Update: Currently at 1.761 BTC, 63 bids) have been sent. The winning bid is currently 1.5 BTC. A number of the bids seem to be completely wasted: they sent an amount smaller than the highest bid at the time.
ShadowBrokers claim that if the total amount they receive reaches 1 million BTC, then they will also release more of the files to the public. However, given the uncertainty involved in the auction, it’s hard to see how it could ever reach that amount:
- No guarantee of actually receiving anything at the conclusion of the auction, even if you are the winner.
- Low probability of winning in the first place.
- ShadowBrokers have no incentive to actually end the auction—as long as it’s open, people could still bid more, and they already own any BTC sent.
It’s interesting to think about what a good strategy would be for the auction. If the bids were private you would want to bid an amount that represents the value you assign to the files, adjusted by your belief about how likely it is that you will be the highest bidder. If you think you are likely to lose, then it does not make sense to bid a large amount; if you are confident in winning, you would be happy to bid more. However, the transactions can be seen publicly on the bitcoin network, meaning that someone else can observe your bid and then bid slightly higher. You, then, in return could slightly increase on that bid, and so on. As long as the bids keep increasing, it is hard to see the auction being stopped.
In auctions like Ebay, a common strategy is to wait until the last minute or seconds to place your bid. In theory, if everyone knew their valuation of the item being auctioned, it wouldn’t matter when you placed your bid—the person with the highest valuation would win. However, people are often uncertain, and bidding early gives them additional information: your bid influences their valuation (usually increasing it). By bidding at the last minute, it reduces the chances of your bid influencing the value others place on the item.
For this auction, waiting until the last minute is not possible, as the end time is not known. If you place a bid, someone else might use that to decide they’ll place another bid just a little bit higher. A possible strategy might be to wait until bids stop coming for a while and then bid an amount that you think nobody else will beat—but everyone else could be doing the same thing. It’s an interesting problem!
Of course, the auction probably isn’t real anyway — bitcoins can be traced, and the bitcoin address for the auction will be under heavy scrutiny. Actually using any of the profit from the auction would be very difficult. The auction is probably there to help make a state-linked group seem like an independent group, and also, going back to the motivation releasing the files now, to let Equation Group (so, the NSA) know that there is more that could be released in a way that, on the surface, looks profit-motivated rather than the action of a state-sponsored group.
There is one folder, called “Firewall”, inside the released archive. Unsurprisngly, given the name, the folders contain exploits, implants, tools, and scripts for compromising and controlling firewalls. Fortigate, Cisco ASA and PIX, TOPSEC, and Juniper Netscreen devices are all mentioned within the files. The Firewall folder contains the following folders.
The EXPLOITS folder
EGBL — Egregious Blunder
- Fortigate Firewall, remote HTTPD exploit.
- Models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 3600
- 60 and 60M for firmware version 3 only; others both versions 3 and 4.
BLATSTING implant available for some versions
Possibly confirmed working, see this tweet
ELBA — Eligible Bachelor
- Mentions versions v3.2.100.010, v3.3.001.050, v3.3.002.021, v3.3.002.030
- Possibly TOPSEC firewall?
- Name referenced in BLATSTING/BLATSTING_20322/install.txt
- Exploit loads NOPEN server on target, NOPEN client then gives a shell which is used to install BLATSTING.
ELBO — Eligible Bombshell
- Installs NOSERVER RAT
# Path to RAT NOSERVER = /current/up/morerats/staticrats/noserver-220.127.116.11-linux-i386-static
ELCA — Eligible Candidate
- TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1
ELCO — Eligible Contestant
- TOPSEC: “Versions have been tested ranging from 3.3.005.057.1 to 3.3.010.024.1”
- “Should work against many firewalls with port 443 open.”
- “Will fail against older TS firewalls ( < v.3.3) and ARM based firewalls.”
EPBA — Epic Banana
- Cisco PIX and ASA
- ASA firmware versions: 711, 712, 721, 722, 723, 724, 804, 805, 822, 823, 824, 825, 831, 832, 80432
- PIX firmware versions: 711, 712, 721, 722, 723, 724, 804
- “Coming soon”: asa841 asa842 asa843 asa844
- Makefile to build payload for target version
- Python script, can deploy payload over telnet or ssh (password required).
- Exploits vulnerability in command-line interface.
- Cisco blogged about this exploit. Fixed in ASA 8.4(1).
- CVE here
ESPL — Escalate Plowman
- Seems to create a shell/cli command that will download (over ftp, tftp, or http) and execute a file, which makes a callback to a specified IP/port.
- It looks like this just displays the command, which can probably then be pasted into another terminal to execute on the remote system.
EXBA — Extra Bacon
- Cisco ASA
- Vulnerability in SNMP code — SNMP must be configured and enabled.
- From file: “Works on most 8.x(y) versions through 8.4(4)”
- From Cisco: “All Cisco ASA Software releases are affected.”
- This has been tested and confirmed to work. See here.
- Cisco blogged about this exploit.
- CVE here
- Updated to work with newer versions of ASA.
#We require certain information for this to work #You need to own a SNMP server in the config #Or be 100 percent certain of the targets version and uptime #EX: snmp-server host inside X.X.X.X community public #Community String EX: snmp-server community public (may be randon characters) #Ideally you should know the Version and Uptime of the FW. #You can crash if it is freshly rebooted and has a long community string #Ports 161, 22 or 23
A lot of the exploits target web servers on the remote devices. Many of them, such as EGBL and ELBO, seem to use ETags (which are returned in http responses) to identify or fingerprint the software/firmware versions running on the remote device and to verify whether or not an exploit has been successful.
# The device returns wacky, invalid ETags sometimes. This file just records # the "normal" looking parts (without "" and other characters). E.g.: # # device ETag | this file # ---------------------|------------------ # "e8-569-46b6b873" | e8-569-46b6b873 # "3991-583-4727f5a3" | 3991-583-4727f5a3 # W/"55b-583-47958bb3" | 55b-583-47958bb3 # W/"55f-583-47e0a4a8" | 55f-583-47e0a4a8 # W/"600-5e7-494fd7a7" | 600-5e7-494fd7a7 # W/"69a-5e7-49c3697f" | 69a-5e7-49c3697f
There are config files linking ETags to different hardware/firmware versions, and specifying (depending on the exploit) different parameters for the exploit, such as url or stack address.
######################################################### # ETags # # desired format is five fields: # ETAG = <ETag> : 0x<stack addr> : <hw model> : <gen> : <firmware> # generation is 3 or 4 or 4nc # # four fields legacy format (default firmware generation 3): # ETAG = <ETag> : 0x<stack addr> : <hw model> : <firmware> # # two fields legacy format (default firmware generation 3): # ETAG = <ETag> : 0x<stack addr> # # if line has # BLATSTING comment, implant is available # #########################################################
which is followed by long lists of ETAGS:
### model 80C ########################################## ETAG = 4a4a955b : 0xbffff270 : 80C : 3 : 0744 # BLATSTING ETAG = 4ace863a : 0xbffff270 : 80C : 3 : 0750 # BLATSTING ETAG = 4b3185d6 : 0xbffff270 : 80C : 3 : 0752 # BLATSTING
These are then presumably used by the scripts to automatically identify the correct version of the exploit to use.
Other files, folders, and tools
There are a lot of other tools mentioned or referenced in other files. The SCRIPTS folder, in particular, contains a lot of well-documented scripts for how to use the tools. The OPS folder contains scripts to help set up the ops environment, from which these firewall exploits can be launched.
JIFFYRAUL (module for BananaGlee?) — saves session keys
# The JIFFYRAUL module in the "active" state is saving session keys in # an array. If the JIFFYRAUL module is placed in a "de-active" state # then the target Pix functions normally and does NOT save session keys.
- For Juniper Netscreen
- Persists BANANAGLEE
- Feedtrough is also mentioned in the TAO catalog. More info here
- BananaBallot (Bios Module)
BarIce (Remote shell for installing BarGlee?)
- teflonhandle makes encrypted binary for windows machines that acts as a ftp server?
- teflondoor (is the renamed output of teflonhandle?) is the ftp server on remote machine?
- PolarPaws (PBD — permanent backdoor?)
- PolarSneeze — implant
- PandaRock — connects to PolarSneeze
- This appears to be a Python library for conducting exploits over HTTP/HTTPS
Used by ELCA and ELCO.
FalseMorel (Cisco PIX):
## Description # 1.Allows deduction of enable password from data freely offered by the firewall. # 2.Allows privileged level access, knowing only the hash of the enable password. # Requires telnet to be enabled on the inside interface and access must be possible # to the inside interface of the firewall (access is subject to the same restrictions # as applied to telnet.)
- from sampleman_commands.txt
# If you see logging at Informational or Debugging, it logs everything you # type. Also, "who" will show you who is logged on via telnet or ssh, not # console or by Morel. If you see someone else, bail!
- Very user-friendly. Scripts with menus to pick which actions to take.
- Mentions a few other tools:
echo "----------------------------------------------------------------------------------------" echo "| |" echo "| WELCOME TO BANANAGLEE / BARGLEE / BLATSTING / BUZZLIGHTYEAR / BANALMONKEY |" echo "| |" echo "----------------------------------------------------------------------------------------"
Followed by prompts asking the user things like:
- “What version of Tool are you going to use: “
- “Is this a NETSCREEN firewall (y,[n])? “
- “Are you sure? Don’t forget that NETSCREEN firewalls require BANANALIAR!!”
- “What version of BLATSTING are you going to use: “
- “Enter Project Name(required): “
- “Enter actual firewall IP Address(required): “
- “Would you like to use a different IP to communicate to BG with (y,[n])? “
- “What IP would you like to use: “
- “Enter Host Name(required): “
- “Enter LP IP Address(127.0.0.1): “
- “Enter Implant IP Address(127.0.0.1): “
- “Are you sure you do not want to use 127.0.0.1 (y,n)?”
- N: “Ok…changing to 127.0.0.1”
- Y: “Ok..hope you know what you are doing…do not directly connect to target.”
- “Enter Source Port(RHP) to use($source): “
- “Enter Dest Port(RHP) to use($dest): “
If you do something wrong, you get a (not so) helpful message:
echo "Oh no!! You screwed something up." echo "" echo "Please try again."
Otherwise the script continues and will use the values you entered to generate lines which can be copy-pasted to run the exploits:
echo "Your redirection line is as follows:" echo "------------------------------------" echo "Unix:" echo "-tunnel" case $dummy in 0) echo "u $_Dest1 $_I1 $_Dest1 $_Source1";; 1) echo "u $_Dest1 $_diffIP $_Dest1 $_Source1";; *) echo "Something screwed up, you SHOULD know your tunnel";; esac echo "" echo "" echo "" echo "Here is your LP line to paste." if [ "$USE_BLIAR" = "YES" ]; then echo "./BLIAR-2110 --lp $_LP1 --implant $_Implant1 --idkey /current/bin/FW/OPS/$_Key1 --sport $_Source1 --dport $_Dest1" elif [ "$USE_BARLIAR" = "YES" ]; then echo "./BARLIAR-3110 --lp $_LP1 --implant $_Implant1 --idkey /current/bin/FW/OPS/$_Key1 --sport $_Source1 --dport $_Dest1" elif [ "$USE_BUZZ" = "YES" ]; then echo "./run-lp_python.sh --lp $_LP1 --implant $_Implant1 --key /current/bin/FW/OPS/$_Key1 --sport $_Source1 --dport $_Dest1" elif [ "$USE_BRIDE" = "YES" ]; then echo "./bride-1120 --lp $_LP1 --implant $_Implant1 --sport $_Source1 --dport $_Dest1" else echo "./lp --lp $_LP1 --implant $_Implant1 --idkey /current/bin/FW/OPS/$_Key1 --sport $_Source1 --dport $_Dest1" fi
Installed by EGBL. Allows a number of operations to be performed remotely.
- Read files from host/network
- Network Profiler — filter and extract information from packets
- Set up tunnels
- See EGBL_AND_BLATSTING.txt
The SCRIPTS/fw_wrapper/tunnel.py script provides a bit more detail about the tunnels. Allows a tunnel to be made through the firewall to access a host behind the firewall. The advanced mode, which was not implemented, would allow different routes for inbound and outbound connections on both sides of the firewall.
def printStart(self): if self.sfile['mode'] == 'simple': self.logger.info(' ------------------Attacker------------------') self.logger.info(' | ^') self.logger.info(' v |') self.logger.info(' Attacker to Firewall Packet Firewall to Attacker Packet') self.logger.info(' Source IP : attk_source Source IP : attk_dest') self.logger.info(' Dest IP : attk_dest Dest IP : attk_source') self.logger.info(' Source Port: attk_sport Source Port: attk_dport') self.logger.info(' Dest Port: attk_dport Dest Port: attk_sport') self.logger.info(' | ^') self.logger.info(' v Iface Num: attk_int |') self.logger.info(' -------------------------Firewall-------------------------') self.logger.info(' | Iface Num: tgt_int ^') self.logger.info(' v |') self.logger.info(' Firewall to Target Packet Target to Firewall Packet') self.logger.info(' Source IP : tgt_source Source IP : tgt_dest') self.logger.info(' Dest IP : tgt_dest Dest IP : tgt_source') self.logger.info(' Source Port: tgt_sport Source Port: tgt_dport') self.logger.info(' Dest Port: tgt_dport Dest Port: tgt_sport') self.logger.info(' | ^') self.logger.info(' v |') self.logger.info(' -------------------Target-------------------')
Watch out for Satellite Hops!
There are a couple of comments reminding users to watch out for Sat Hops:
##### BEFORE YOU PROCEED.. CHECK FOR SAT HOPS! ##### # Check for a sat hop between your redirector and target pix. If there is a sat # hop, you MUST find a different redirector w/o a sat hop! #####
## ON REDIRECTOR ## ## Reminder: Check for SATHOPS!! ##
There’s a lab
There are references to a lab, presumably with lots of different equipment where the exploits and tools can be developed and tested. This is quite interesting as it implies that the people running the exploits are not necessarily the same as the people developing them. A team of presumably highly-skilled exploit developers work to make user-friendly scripts and provide support to allow others to actually execute the attacks.
# 400A is weird in firmware generation 3 # two or more addrs possible # might have to toggle through a couple to win # consult developer with etag for lab work
# multicore (4) in v3 yields a few different addrs that can work # first two observed in NIGHTHUNTER, others in lab
A few extra codenames
There are references to a few other codenames throughout the files. These could possibly be specific operations or targets rather than other tools.
Referenced from EGBL
Referenced from ELBO