Jump to content
Guest Madacala

NSA's Hacking Group Hacked! Bunch of private hacking tools leaked online.

Recommended Posts

An unknown hacker or a group of hackers just claimed to have hacked into "Equation Group" -- a cyber-attack group allegedly associated with the United States intelligence organization NSA -- and dumped a bunch of its hacking tools (malware, private exploits, and hacking tools) online.
Not just this, the hackers, calling themselves "The Shadow Brokers," are also asking for 1 Million Bitcoins (around $568 Million) in an auction to release the 'best' cyber weapons and more files.

I know, it is really hard to believe, but some cybersecurity experts who have been examining the leak data, exploits and hacking tools, believe it to be legitimate.


Widely believed to be part of the NSA, Equation Group was described as "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades," according to a report published by security firm Kaspersky in 2015.

Equation Group was also linked to the previous infamous Regin and Stuxnet attacks, allegedly the United States sponsored hacks, though the link was never absolutely proven.

Two days back, The Shadow Brokers released some files, which it claimed came from the Equation Group, on Github (deleted) and Tumblr https://theshadowbrokers.tumblr.com/
 

Exploits for American & Chinese Firewalls Leaked:


The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including, Cisco, Juniper, and Fortinet.


According to the leaked files, Chinese company 'Topsec' was also an Equation Group target.

The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like "BANANAGLEE" and "EPICBANANA."

"We follow Equation Group traffic," says the Shadow Broker. "We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."

It is yet not confirmed whether the leaked documents are legitimate or not, but some security experts agree that it likely is.

"I haven't tested the exploits, but they definitely look like legitimate exploits," Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.

While some are saying that the leak could be a very well-researched hoax, and the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.

"If this is a hoax, the perpetrators put a huge amount of effort in," security researcher The Grugqtold Motherboard. "The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use."

However, if NSA has successfully been hacked, the hack would be a highly critical cyber security incident.


Sursa: http://thehackernews.com/

 

Edited by Madacala
Adăugat sursă
Link to comment
Share on other sites

@Snowden: The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know:

1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.

2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.

3) This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.

4) Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed.

5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant:

9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.

10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

11) Particularly if any of those operations targeted elections.

12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So...

The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You're welcome, @NSAGov. Lots of love.

https://twitter.com/Snowden

Edited by asswipe
Link to comment
Share on other sites

Equation Group Firewall Operations Catalogue

the password is : theequationgroup

and the link is : https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU

 

This week someone auctioning hacking tools obtained from the NSA-based hacking group "Equation Group" released a dump of around 250 megabytes of "free" files for proof alongside the auction.

The dump contains a set of exploits, implants and tools for hacking firewalls ("Firewall Operations"). This post aims to be a comprehensive list of all the tools contained or referenced in the dump.

Exploits

EGREGIOUSBLUNDER A remote code execution exploit for Fortigate firewalls that exploits a HTTP cookie overflow vulnerability. It effects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. The model of the firewall is detected by examining the ETag in the HTTP headers of the firewall. This is not CVE-2006-6493 as detected by Avast.

ELIGIBLEBACHELOR An exploit for TOPSEC firewalls running the TOS operation system, affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. The attack vector is unknown but it has an XML-like payload that starts with <?tos length="001e:%8.8x"?>.

ELIGIBLEBOMBSHELL A remote code execution exploit for TOPSEC firewalls that exploits a HTTP cookie command injection vulnerability, affecting versions 3.2.100.010.1pbc17iv3 to 3.3.005.066.1. Version detection by ETag examination.

WOBBLYLLAMA A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.002.030.8_003.

FLOCKFORWARD A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.3.005.066.1.

HIDDENTEMPLE A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.2.8840.1.

CONTAINMENTGRID A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version tos_3.3.005.066.1.

GOTHAMKNIGHT A payload for the ELIGIBLEBOMBSHELL TOPSEC firewall exploit affecting version 3.2.100.010.8pbc27. Has no BLATSTING support.

ELIGIBLECANDIDATE A remote code execution exploit for TOPSEC firewalls that exploits a HTTP cookie command injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1.

ELIGIBLECONTESTANT A remote code execution exploit for TOPSEC firewalls that exploits a HTTP POST paramter injection vulnerability, affecting versions 3.3.005.057.1 to 3.3.010.024.1. This exploit can be tried after ELIGIBLECANDIDATE.

EPICBANANA A privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices. Exploitation takes advantage of default Cisco credentials (password: cisco). Affects ASA versions 711, 712, 721, 722, 723, 724, 80432, 804, 805, 822, 823, 824, 825, 831, 832 and PIX versions 711, 712, 721, 722, 723, 724, 804.

ESCALATEPLOWMAN A privilege escalation exploit against WatchGuard firewalls of unknown versions that injects code via the ifconfig command.

EXTRABACON A remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices affecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844. It exploits an overflow vulnerability using the Simple Network Management Protocol (SNMP) and relies on knowing the target's uptime and software version.

BOOKISHMUTE An exploit against an unknown firewall using Red Hat 6.0.

FALSEMOREL Allows for the deduction of the "enable" password from data freely offered by an unspecified firewall (likely Cisco) and obtains privileged level access using only the hash of the "enable" password. Requires telnet to be installed on the firewall's inside interface.

Implants

BLATSTING A firewall software implant that is used with EGREGIOUSBLUNDER (Fortigate) and ELIGIBLEBACHELOR (TOPSEC).

BANANAGLEE A non-persistent firewall software implant for Cisco ASA and PIX devices that is installed by writing the implant directly to memory. Also mentioned in the previously leaked NSA ANT catalogue.

BANANABALLOT A BIOS module associated with an implant (likely BANANAGLEE).

BEECHPONY A firewall implant that is a predecessor of BANANAGLEE.

JETPLOW A firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE. Also mentioned in the previously leaked NSA ANT catalogue.

SCREAMINGPLOW Similar to JETPLOW.

BARGLEE A firewall software implant. Unknown vendor.

BUZZDIRECTION A firewall software implant for Fortigate firewalls.

FEEDTROUGH A technique for persisting BANANAGLEE and ZESTYLEAK implants for Juniper Netscreen firewalls. Also mentioned in the previously leaked NSA ANT catalogue.

JIFFYRAUL A module loaded into Cisco PIX firewalls with BANANAGLEE.

BANNANADAIQUIRI An implant associated with SCREAMINGPLOW. Yes, banana is spelled with three Ns this time.

POLARPAWS A firewall implant. Unknown vendor.

POLARSNEEZE A firewall implant. Unknown vendor.

Tools

BILLOCEAN Retrieves the serial number of a firewall, to be recorded in operation notes. Used in conjunction with EGREGIOUSBLUNDER for Fortigate firewalls.

FOSHO A Python library for creating HTTP exploits.

BARICE A tool that provides a shell for installing the BARGLEE implant.

DURABLENAPKIN A tool for injecting packets on LANs.

BANANALIAR A tool for connecting to an unspecified implant (likely BANANAGLEE).

PANDAROCK A tool for connecting to a POLARPAWS implant.

SECONDDATE A packet injection module for Cisco PIX devices.

TEFLONDOOR A self-destructing post-exploitation shell for executing an arbitrary file. The arbitrary file is first encrypted with a key.

1212/DEHEX Converts hexademical strings to an IP addresses and ports.

XTRACTPLEASING Extracts something from a file and produces a PCAP file as output.

NOPEN A post-exploitation shell consisting of a client and a server that encrypts data using RC6. The server is installed on the target machine.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...