Cisco Exploit Leaked in NSA Hack Modifies to Target Latest Version of Firewalls

2016-08-23T21:36:00

Description

[![cisco-asa-nsa-exploit](https://3.bp.blogspot.com/-0PvYLRbA0lg/V71ZyW2CE2I/AAAAAAAApRE/OJSI-2xFRkAWGN8rfVDAkYsQqIeMIG4WgCLcB/s1600/cisco-asa-nsa-exploit.png)](<https://3.bp.blogspot.com/-0PvYLRbA0lg/V71ZyW2CE2I/AAAAAAAApRE/OJSI-2xFRkAWGN8rfVDAkYsQqIeMIG4WgCLcB/s1600/cisco-asa-nsa-exploit.png>) Recently released NSA exploit from "[The Shadow Brokers](<https://thehackernews.com/2016/08/nsa-hacking-tools.html>)" leak that affects older versions of Cisco System firewalls can work against newer models as well. Dubbed [ExtraBacon](<https://thehackernews.com/2016/08/nsa-hack-exploit.html>), the exploit was restricted to versions 8.4.(4) and earlier versions of Cisco's Adaptive Security Appliance (ASA) – a line of firewalls designed to protect corporate, government networks and data centers. However, the exploit has now been expanded to 9.2.(4) after researchers from Hungary-based security consultancy [SilentSignal](<https://twitter.com/SilentSignalHU/status/768095445444861952?ref_src=twsrc%5Etfw>) were able to modify the code of ExtraBacon to make it work on a much newer version of Cisco's ASA software. Both Cisco and Fortinet have confirmed their firewalls are affected by exploits listed in the Shadow Brokers cache that contained a set of "_cyber weapons_" stolen from the [Equation Group](<https://thehackernews.com/2016/08/nsa-hack-russia-leak.html>). The Equation Group is an elite hacking group tied to the NSA's offensive Tailored Access Operations (TAO) and linked to the previous infamous Regin and Stuxnet attacks. [![Cisco Exploit Leaked in NSA Hack Modifies to Target Latest Version of Firewalls](https://4.bp.blogspot.com/-_1O7LGV7m0E/V71YBTjyGII/AAAAAAAApQ4/w_879c8RhIMkq_a_TIjkFIADbw7oRKFUwCLcB/s1600/EXTRABACON-cisco-exploit.png)](<https://4.bp.blogspot.com/-_1O7LGV7m0E/V71YBTjyGII/AAAAAAAApQ4/w_879c8RhIMkq_a_TIjkFIADbw7oRKFUwCLcB/s1600/EXTRABACON-cisco-exploit.png>) As previously reported, the ExtraBacon exploit leveraged a [zero-day vulnerability](<https://thehackernews.com/2016/08/nsa-hack-exploit.html>) in the Simple Network Messaging Protocol (SNMP) code of Cisco’s ASA software that could allow "an unauthenticated, remote attacker to cause a reload of the affected system" and take full control of a firewall. However, newly released exploit means that ExtraBacon poses a dangerous threat than previously thought, as the modified exploit now does not prevent it from running on newer versions of Cisco firewalls, allowing an attacker to execute malicious code remotely. > "We have test equipment and custom firmware images that make debugging easier," Varga-Perke of SilentSignal [told](<https://arstechnica.com/security/2016/08/nsa-linked-cisco-exploit-poses-bigger-threat-than-previously-thought/>) Ars. "These are most likely available for malicious parties, too; we are quite confident that similar code exists in private hands." Cisco engineers have provided workarounds that help ASA customers detect and stop ExtraBacon-powered attacks, though the multi-billion dollar company has yet to release software updates to address the flaw completely. Just like researchers modified the exploit code to make it work on newer version of Cisco products, the [hacking tools and exploits](<https://thehackernews.com/2016/08/nsa-hack-russia-leak.html>) dumped by the Shadow Brokers could be exploited by a wide range of hackers to carry out advanced attacks.

{"id": "THN:6B82D2F6AD195008E50D67CFFF88E897", "type": "thn", "bulletinFamily": "info", "title": "Cisco Exploit Leaked in NSA Hack Modifies to Target Latest Version of Firewalls", "description": "[![cisco-asa-nsa-exploit](https://3.bp.blogspot.com/-0PvYLRbA0lg/V71ZyW2CE2I/AAAAAAAApRE/OJSI-2xFRkAWGN8rfVDAkYsQqIeMIG4WgCLcB/s1600/cisco-asa-nsa-exploit.png)](<https://3.bp.blogspot.com/-0PvYLRbA0lg/V71ZyW2CE2I/AAAAAAAApRE/OJSI-2xFRkAWGN8rfVDAkYsQqIeMIG4WgCLcB/s1600/cisco-asa-nsa-exploit.png>)\n\nRecently released NSA exploit from \"[The Shadow Brokers](<https://thehackernews.com/2016/08/nsa-hacking-tools.html>)\" leak that affects older versions of Cisco System firewalls can work against newer models as well. \n \nDubbed [ExtraBacon](<https://thehackernews.com/2016/08/nsa-hack-exploit.html>), the exploit was restricted to versions 8.4.(4) and earlier versions of Cisco's Adaptive Security Appliance (ASA) \u2013 a line of firewalls designed to protect corporate, government networks and data centers. \n \nHowever, the exploit has now been expanded to 9.2.(4) after researchers from Hungary-based security consultancy [SilentSignal](<https://twitter.com/SilentSignalHU/status/768095445444861952?ref_src=twsrc%5Etfw>) were able to modify the code of ExtraBacon to make it work on a much newer version of Cisco's ASA software. \n \nBoth Cisco and Fortinet have confirmed their firewalls are affected by exploits listed in the Shadow Brokers cache that contained a set of \"_cyber weapons_\" stolen from the [Equation Group](<https://thehackernews.com/2016/08/nsa-hack-russia-leak.html>). \n \nThe Equation Group is an elite hacking group tied to the NSA's offensive Tailored Access Operations (TAO) and linked to the previous infamous Regin and Stuxnet attacks. \n\n\n[![Cisco Exploit Leaked in NSA Hack Modifies to Target Latest Version of Firewalls](https://4.bp.blogspot.com/-_1O7LGV7m0E/V71YBTjyGII/AAAAAAAApQ4/w_879c8RhIMkq_a_TIjkFIADbw7oRKFUwCLcB/s1600/EXTRABACON-cisco-exploit.png)](<https://4.bp.blogspot.com/-_1O7LGV7m0E/V71YBTjyGII/AAAAAAAApQ4/w_879c8RhIMkq_a_TIjkFIADbw7oRKFUwCLcB/s1600/EXTRABACON-cisco-exploit.png>)\n\nAs previously reported, the ExtraBacon exploit leveraged a [zero-day vulnerability](<https://thehackernews.com/2016/08/nsa-hack-exploit.html>) in the Simple Network Messaging Protocol (SNMP) code of Cisco\u2019s ASA software that could allow \"an unauthenticated, remote attacker to cause a reload of the affected system\" and take full control of a firewall. \n \nHowever, newly released exploit means that ExtraBacon poses a dangerous threat than previously thought, as the modified exploit now does not prevent it from running on newer versions of Cisco firewalls, allowing an attacker to execute malicious code remotely. \n\n\n> \"We have test equipment and custom firmware images that make debugging easier,\" Varga-Perke of SilentSignal [told](<https://arstechnica.com/security/2016/08/nsa-linked-cisco-exploit-poses-bigger-threat-than-previously-thought/>) Ars. \"These are most likely available for malicious parties, too; we are quite confident that similar code exists in private hands.\"\n\nCisco engineers have provided workarounds that help ASA customers detect and stop ExtraBacon-powered attacks, though the multi-billion dollar company has yet to release software updates to address the flaw completely. \n \nJust like researchers modified the exploit code to make it work on newer version of Cisco products, the [hacking tools and exploits](<https://thehackernews.com/2016/08/nsa-hack-russia-leak.html>) dumped by the Shadow Brokers could be exploited by a wide range of hackers to carry out advanced attacks.\n", "published": "2016-08-23T21:36:00", "modified": "2016-08-24T08:36:18", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://thehackernews.com/2016/08/cisco-firewall-hack.html", "reporter": "Mohit Kumar", "references": [], "cvelist": [], "lastseen": "2018-01-27T10:06:49", "viewCount": 4, "enchantments": {"score": {"value": 1.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 1.6}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645546502, "score": 1659788215}}