
Latest Shadow Brokers exploit dump poses little threat

Lucian Constantin | April 11, 2017
The leak reveals old exploits but also exposes supposed NSA targets, implants, and techniques.


A group of hackers that has been trying to sell exploits and malware allegedly used by the U.S. National Security Agency decided to make the data available for free over the weekend.

The security community was expecting the password-encrypted archive that the Shadow Brokers group unlocked Saturday to contain previously unknown and unpatched exploits -- known in the industry as zero-days. That was not the case.

As researchers started to analyze the exploits inside, it became clear that while some of them were technically interesting, the large majority were for old and publicly known vulnerabilities. Some appeared to have actually been sourced from public information and affect software versions that are several years old.

"The exploits that I have tested so far are obsolete," said Maksym Zaitsev, a researcher who has been analyzing the data in the archive. No significant exploits have been found or confirmed, he said.

Zaitsev works for a French security consultancy and penetration testing firm but did the analysis in his spare time.

Julien Voisin, a reverse engineer who has been cataloging the exploits and tools in the Shadow Brokers archive together with a researcher known online as x0rz, confirmed Zaitsev's findings.

"Everything should [already] be patched," Voisin said via email. Some of the exploits are interesting from a historical point of view, but no one is likely to be hacked because of them now, Voisin added.

However, while the leak poses no immediate danger to users, it's probably an operational security nightmare for the NSA's Tailored Access Operations (TAO) division, which is believed to be behind the cyberespionage group known in the security industry as the Equation.

That's because the Shadow Brokers archive doesn't contain only exploits, but also malware implants and other tools that the Equation has developed for various Unix-based systems. Cryptographic keys, logs from hacked servers, and information identifying compromised targets were also found inside.

Researchers extracted a list of IP addresses from the Shadow Brokers archive that correspond to servers compromised by the Equation group. The owners of those IP addresses include many universities, national research centers, and other educational institutions from around the world.
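For an organization that owns public address space, the practical question raised by such a list is whether any of its own addresses appear in it. The following script is an added example, not code from the article or from the researchers it cites: it parses a loosely formatted address list (comments, blank lines and junk tolerated) and reports which entries fall inside a set of netblocks. The sample addresses are constructed from the RFC 5737 / RFC 3849 documentation ranges and the netblocks are hypothetical; neither is taken from the leaked archive.

```python
import ipaddress

# Constructed sample standing in for a leaked address list. These are
# documentation addresses (RFC 5737 / RFC 3849), not addresses from the dump.
SAMPLE_LEAK = """\
# one address per line; trailing comments and blank lines are allowed
192.0.2.15
198.51.100.7   # labelled "mail" in this constructed sample
203.0.113.200
2001:db8:1::25
not-an-ip
"""

# Hypothetical netblocks for the organization running the check.
OUR_NETBLOCKS = ["198.51.100.0/24", "2001:db8::/32"]


def parse_ip_list(text):
    """Return the syntactically valid IPv4/IPv6 addresses found in text.

    Each line is stripped of a trailing '#' comment; lines that do not
    parse as an address are skipped rather than aborting the whole run,
    since leaked lists are rarely clean.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            found.append(ipaddress.ip_address(line))
        except ValueError:
            continue
    return found


def match_against_netblocks(addresses, netblocks):
    """Map each address inside one of our netblocks to the netblock it hit.

    strict=False lets an operator pass a host address with a prefix length
    (e.g. 198.51.100.7/24) and still get the containing network.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    hits = {}
    for addr in addresses:
        for net in nets:
            # An IPv4 address is never "in" an IPv6 network and vice versa;
            # comparing versions first avoids a TypeError on mixed lists.
            if addr.version == net.version and addr in net:
                hits[str(addr)] = str(net)
                break
    return hits


if __name__ == "__main__":
    addrs = parse_ip_list(SAMPLE_LEAK)
    for addr, net in sorted(match_against_netblocks(addrs, OUR_NETBLOCKS).items()):
        print(f"{addr} is inside {net}: investigate this host")
```

In a real run the list would come from the archive rather than a string literal, and a hit is a prompt for host forensics, not proof of compromise; a stale list can name a machine that has long since been reimaged.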

Other information in the archive suggests that the Equation installed implants on mail and other servers belonging to governments, telecommunications providers, networking equipment manufacturers, and other private organizations.

For example, a piece of data suggests that, at some point, the Equation had an implant codenamed STOICSURGEON installed on a mail server used by the Russian government.

The exploits in the archive target Unix-based operating systems like SunOS and Solaris, several distributions of Linux, email and web server software, databases, web applications, and various other software packages commonly found on servers.
