15

First Hand Details: TEG (The Equation Group) is NSA's team of hackers who'd write code to exploit systems worldwide. Some of the private files were recently dropped by a group called Shadow Brokers & they've auctioned it in exchange for BTC bids .. I could trail back to the below mentioned keys which were earlier released previous week by Snowden (if anyhow it's linked {it's just sitting here for references}):

Snowden Tweets about a key

Probable Agenda: As taken inputs from @atdre answer to explain the agenda - there are different versions of the primary agenda as below:

http://www.businessinsider.in/A-shadowy-group-claims-to-have-hacked-an-elite-hacking-group-linked-to-the-NSA/articleshow/53712768.cms

Sources:

  1. Wikileaks Intention to release the same files
  2. RT's version of Cyber Weapon Disclosures
  3. Sputnik's version of Malware Scandal by NSA
  4. Analysis suggests revisions of malware & resemblance to older versions
  5. Shadowbrokers Tainted Bitcoin Transactions, US Involved!? A Question.
  6. Shadowbrokers drops IP Ranges NSA Targeted
  7. Shadowbrokers exits the scene
  8. ShadowBrokers Exploit(s) Released

Shadowbroker & Equation Group are the same & the revisions?

Official Sources Timeline:

  1. The first official after Wikileaks probability of intent to disclose the same set of files, Edward Snowden comes up with a teensy bit of a diplomatic pressure statement. Thanks to @WhiteWinterWolf to report this one out.

Snowden Tweets Officially in links with the "The Equation Group's" files

Some Analysis of the released files Reported:

  1. Analysis by Risk Based Security over The Equation's Group Files
  2. Analysis by Matt Suiche, MVP - Microsoft via Medium
  3. BENIGNCERTAIN Analysis confirmed by The Intercept

Solved Proof Of Concept & it's Working State:

  1. XORCat's EXBE (ExtraBacon) POC from TEG file: The exploits appear to be targeting firewalls, particularly Cisco PIX/ASA, Juniper Netscreen, Fortigate, and more as per analyst.

Questions: The Equation Group were hacked (NSA) & it's a wonder if they aren't backdoor!? Of-course we go through the code .. but could anyone let us know if these files are genuine?

Also, what's the use of the files, what they specifically target? These files landed originally at:

https://theshadowbrokers.tumblr.com

Now they are gone, the links they've provided are gone (except one which's here) & the original copies might have been already backdoored (later ones which might pop up). I read it's related to Stuxnet (or more powerful, I know that Stuxnet targeted Nuclear Facilities) but now that they are gone .. can anyone let know the real intent of the files & the groups they've mentioned as inline:

Equation Group Files

What does each of the section specifically does? All inputs are appreciated & links to this one to be updated one by one as the reason becomes clear.

EDIT: As of Apr, 2017 - Shadown Brokers have released the exploit packages, here are some samples which are on the release:

Exploits

EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit

EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86.

ECHOWRECKER remote Samba 3.0.x Linux exploit.

EASYBEE appears to be an MDaemon email server vulnerability

EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet

EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2

EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor

ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)

EDUCATEDSCHOLAR is a SMB exploit (MS09-050)

EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 (MS10-061)

EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2

ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users

EPICHERO 0-day exploit (RCE) for Avaya Call Server

ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003

ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)

ETERNALBLUE is a SMBv2 exploit for Windows 7 SP1 (MS17-010)

ETERNALCHAMPION is a SMBv1 exploit

ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers

ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003

ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)

ETRE is an exploit for IMail 8.10 to 8.22

FUZZBUNCH is an exploit framework, similar to MetaSploit

ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors

Utilities

PASSFREELY utility which "Bypasses authentication for Oracle servers"

SMBTOUCH check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE

ERRATICGOPHERTOUCH Check if the target is running some RPC

IISTOUCH check if the running IIS version is vulnerable

RPCOUTCH get info about windows via RPC

DOPU used to connect to machines exploited by ETERNALCHAMPIONS

GitHub Reference: https://github.com/misterch0c/shadowbroker

Shritam Bhowmick
  • 1,602
  • 14
  • 28

1 Answers1

10

There's been four top-notch analyses so far regarding incident with the free files (40 percent of what is claimed to be released). Nobody has the password to the auction files yet, which represent another 60 percent of what the Shadow Brokers say will be released:

  1. https://lawfareblog.com/very-bad-monday-nsa-0
  2. https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html
  3. https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/
  4. https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-the-week-3f7e17bdc216

They're basically Firewall exploits. See the details in the above links for which platforms and versions are generally thought to be affected. Some of the exploits in the free files work fine, such as this SNMP one that targets Cisco ASAs.

The dates related to Snowden only partially add up. The free files do not contain very many dates after June 11, 2013, the day after Booz Allen Hamilton terminated his employment and also the same day that the first newswire about snowden was received, but not correspondence, which happened before June 11. If you look inside the files, the last-known date is February 27, 2013. Another analysis shows an outlier in the file BANANAGLEE/BG3121/Install/LP/BPLANK-3100 with a Built date of July 5, 2013. Snowden has come out to say more about the breaking news story. Some other outliers appear and are documented in story #1 above.

The part about Stuxnet is sort of a joke. "Auction files better than stuxnet". Nobody wants to buy them.

The part about 1M btc (1-million bitcoin) is also very suspect. There is no possible way this will happen, as there are only about 15.8M total bitcoin in existence, and most are locked up by the creator and early adopters. The statement from the Shadow Brokers, "If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone", will therefore likely not lead to the dump of more files, or files for free because the auction raises 1M btc. They may still do so, but this will not be correlated with the auction.

WikiLeaks says that they intend to release these same files anyways, including cyber weapons. Russia media is split on this issue with RT reporting one version and Sputnik News another. In the Sputnik News version, the Shadow Brokers are WikiLeaks (with no mention of the Shadow Brokers). Dmitri Alperovitch of CrowdStrike, Claudio Guarnieri of Amnesty International (and Citizen Lab), and Sean Sullivan of F-Response appear to agree that the Shadow Brokers are related to Guccifer 2.0, the DNCleaks, and are using their leak and auction to try to further manipulate the upcoming US Presidential Election.

atdre
  • 18,885
  • 6
  • 58
  • 107
  • 1
    this has to mean that these firewalls by default have been installed on various high value targets, can we hear or maybe somehow link back to industries or atleast sectors (retail, nuclear, etc) they are linked to? – Shritam Bhowmick Aug 15 '16 at 22:09
  • It's not about cyber weapons. These are merely NSA ANT Catalog CNO/CNE ops tools from the TAO. They tie to other tools such as firmware-based rootkits/bootkits from specific ANT Catalog codenames. They're probably used to spy on China and other NIPF targets. At least, from what I've seen of the free files. The auction file may contain different exploits -- we will wait and see. – atdre Aug 16 '16 at 01:24
  • some are related to older undisclosed CVE's .. this means it's not one team at NSA but maybe, they outsource some work .. – Shritam Bhowmick Aug 16 '16 at 09:38
  • 1
    Edward Snowden thinks about some kind of [diplomatic pressure](https://twitter.com/Snowden/status/765516504913866752). – WhiteWinterWolf Aug 16 '16 at 12:37
  • @WhiteWinterWolf thanks, I'll update this one to the timeline as well, it can enable us to look at the psychological pattern of 'cyber weapons' – Shritam Bhowmick Aug 16 '16 at 20:56
  • 2
    Here are more details on the free-file tools and their offensive capabilities -- https://twitter.com/musalbas/status/766285367196655616 – atdre Aug 18 '16 at 18:35
  • Again, more details -- https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/ – atdre Aug 19 '16 at 18:20
  • Here is another analysis drop - https://musalbas.com/2016/08/18/equation-group-benigncertain.html I've added to the OP. – Shritam Bhowmick Aug 20 '16 at 02:21
  • 1
    Does anybody know if we have patch available for Linux Exploits yet? – Krishna Pandey May 19 '17 at 12:46
  • @KrishnaPandey Were the Linux ones even released? – forest Dec 30 '17 at 09:14
  • @forest I think so coz major vulnerability scanners claimed to find them. – Krishna Pandey Jan 01 '18 at 04:05