The EXTRABACON exploit from the Shadow Brokers dump has been ported to the latest versions of Cisco's ASAs. You may recall that EXTRABACON exploits a buffer overflow vulnerability in the SNMP service on the firewalls. The attacker does need to know the SNMP community string, though. Luckily, Cisco started publishing fixes yesterday.
Beware of what you download from WikiLeaks. A recent review of the documents hosted by WikiLeaks revealed that the site is hosting over 300 confirmed pieces of malware. It seems that if WikiLeaks had, at a minimum, run a simple virus scan of the dumps before uploading them, 80-plus percent of the malware could have been purged.
New Ransomware Based on EDA2
We're seeing at least two new malware variants this week based on the open-source ransomware code EDA2. The first, Fantom, disguises itself as a Windows update, displaying a fake Windows Update screen while it runs. Exiting the update closes the fake window, but the encryption process continues to run in the background. Fantom creates two batch files that are executed when the encryption is finished; they delete the shadow volume copies and the fake Windows Update executable. Encrypted files are appended with the .fantom extension, and a ransom note is left in each directory it hits. The authors, unfortunately for us, updated the code so that the usual methods of recovering the keys for EDA2-based ransomware won't work. The second piece of ransomware is a bit more tongue in cheek. Avira identified the new malware uploaded to VirusTotal. It uses the graphics of fsociety from the popular show Mr. Robot on USA.
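As an added defender-side example (not part of this post, and not code from Fantom or EDA2), here is a small Python detector that runs over constructed process-creation and file-write events shaped like the behaviour described above: a batch file deleting the shadow volume copies once encryption finishes, and a burst of files gaining the .fantom extension. The host names, paths, batch-file name, timestamps and event fields are constructed assumptions; the command lines matched are the standard Windows shadow-copy deletion commands, not strings taken from the Fantom sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard Windows ways of deleting Volume Shadow Copies; ransomware
# removes them so victims cannot restore files without paying.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy\b.*\bDelete\b", re.I),
]


@dataclass
class ProcessEvent:          # constructed shape, similar to a Sysmon process-creation record
    ts: int                  # seconds since epoch
    host: str
    image: str
    command_line: str
    parent_command_line: str


@dataclass
class FileEvent:             # constructed shape of a file-write / rename record
    ts: int
    host: str
    path: str


def shadow_copy_deletion(ev):
    """True when the command line deletes shadow copies."""
    return any(p.search(ev.command_line) for p in SHADOW_DELETE_PATTERNS)


def launched_from_batch(ev):
    """True when the parent is a shell running a .bat file (as Fantom does)."""
    return re.search(r"\.bat\b", ev.parent_command_line, re.I) is not None


def detect_process_events(events):
    """Return (host, severity, message) for each shadow-copy deletion seen."""
    alerts = []
    for ev in events:
        if shadow_copy_deletion(ev):
            severity = "critical" if launched_from_batch(ev) else "high"
            alerts.append((ev.host, severity, f"shadow copy deletion: {ev.command_line}"))
    return alerts


def detect_fantom_burst(file_events, threshold=5, window=60):
    """Alert once per host when >= threshold files gain .fantom within window seconds."""
    alerts = []
    per_host = defaultdict(list)
    for fe in file_events:
        if fe.path.lower().endswith(".fantom"):
            per_host[fe.host].append(fe.ts)
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((host, "critical", f"{count} files renamed to .fantom within {window}s"))
                break
    return alerts


# Constructed sample telemetry (hypothetical hosts, paths and batch-file name).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(1000, "ws-07", "vssadmin.exe", "vssadmin delete shadows /all /quiet",
                 r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\update_cleanup.bat"'),
    ProcessEvent(1001, "ws-07", "wmic.exe", "wmic shadowcopy delete", "explorer.exe"),
    ProcessEvent(1002, "ws-07", "vssadmin.exe", "vssadmin list shadows", "cmd.exe"),
    ProcessEvent(1003, "ws-12", "notepad.exe", "notepad.exe notes.txt", "explorer.exe"),
]
SAMPLE_FILE_EVENTS = (
    [FileEvent(900 + i, "ws-07", rf"C:\Users\alice\Documents\report{i}.docx.fantom") for i in range(6)]
    + [FileEvent(950, "ws-12", r"C:\Users\bob\Desktop\todo.txt.fantom"),
       FileEvent(951, "ws-12", r"C:\Users\bob\Desktop\todo.txt")]
)

if __name__ == "__main__":
    for alert in detect_process_events(SAMPLE_PROCESS_EVENTS) + detect_fantom_burst(SAMPLE_FILE_EVENTS):
        print(alert)
```

The two signals are deliberately independent: the shadow-copy rule fires on the first batch-driven deletion even if the extension changes in a future build, while the extension burst catches the encryption phase that this particular family leaves behind.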
Juniper joins Cisco and Fortigate in confirming that it has been part of the Equation Group dump from the Shadow Brokers. In Juniper's case, though, it appears to be implant code that targets the boot loader of NetScreen devices running ScreenOS, rather than an actual exploit. This sounds like something that would be used in a supply chain attack to target a specific organization. We are also starting to see the many exploits from the dump appear on Exploit-DB. If you are running any of the many platforms targeted in the dump, I highly suggest you take a second look at the configurations and patch levels of all your devices. There has also been further corroboration that the dump is from the NSA, if anyone was still doubting at this point. The Snowden files reference an exploit named SECONDDATE that performs a man-in-the-middle attack against a target browser and uses a unique identification string. An exploit by the same name, with the same functionality and the same unique string, is also in the Equation Group dump. This entire dump is very reminiscent of the Hacking Team dump from last year.
All of retailer Eddie Bauer's point-of-sale systems in its US and Canadian stores were infected by malware between January 2, 2016 and July 17, 2016. It appears that the infection wasn't identified by the retailer itself, but rather by Brian Krebs, after he had gotten several reports from his sources and then reached out to the retailer, giving more credence to the saying "Krebs is my IDS". The company is reporting that all of the malware has been removed and that online purchases were not affected. If you've bought anything at Eddie Bauer this year and your bank hasn't already canceled your card for you, I suggest you cancel it yourself now.
You may recall the recent DARPA Cyber Grand Challenge that ran at DEF CON, where computers competed in a no-humans CTF and had to expose and patch bugs. Well, the third-place team, Mechanical Phish, has open-sourced their code on GitHub. The code is extremely complicated and lacks documentation, but regardless it is awesome to see one of the teams release their work and provide the groundwork for any future teams looking to compete in these challenges.
Well, the "shortage" of IT and InfoSec professionals may have just been solved by Cisco. Yesterday Cisco announced it is planning to cut 5,500 jobs from its workforce. The layoffs will supposedly allow the company to invest in key priorities such as security, IoT, collaboration, next-generation data center and cloud.
More developments out of The Shadow Brokers' dump of the NSA exploits. While researchers are pretty confident that the dump is from 2013, it appears that it does still contain zero-days. Both Cisco and Fortigate have confirmed that there are real exploits against their platforms in the dump. Cisco identified two exploits in the dump, EPICBANANA and EXTRABACON, that can allow remote code execution against its firewall products. The vulnerability exploited by EPICBANANA has been patched, but there is currently no fix for the vulnerability exploited by EXTRABACON. Now, the attacker must know the SNMP community string to successfully use EXTRABACON, but honestly, how many are "public" or very easily guessable? I would expect to see a huge spike in attacks using EXTRABACON in the coming days. Cisco has released Snort rules to detect EXTRABACON. Fortigate is faring a little better: the EGREGIOUSBLUNDER exploit only impacts Fortigate firmware versions 4.x and lower, released before August 2012. Firmware 5.x is not affected. There are other exploits for WatchGuard and TOPSEC products. While those companies have not released any information, I would not be surprised if there are zero-days against these platforms in the dump.
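Since the one precondition the post keeps coming back to (here and in the EXTRABACON item above) is a guessable SNMP community string, and it also recommends taking a second look at device configurations, here is an added Python config-review helper. It is not code from this post, from Cisco or from the Snort rules mentioned; it reads a saved ASA configuration as text and flags well-known or short community strings, SNMP v1/v2c managers configured on the outside interface, and the absence of any SNMPv3 configuration. The sample configuration, its interface names, addresses, user and group names are constructed, and the command syntax matched is the usual `snmp-server community` / `snmp-server host <interface> <ip> [trap|poll] [community <string>] [version 1|2c]` form; adapt the regular expressions if your software version prints these lines differently.

```python
import re
from dataclasses import dataclass

# Community strings that are defaults or widely used guesses.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "snmp", "community"}
MIN_COMMUNITY_LEN = 12   # assumed local policy, not a Cisco requirement


@dataclass
class Finding:
    line_no: int   # 0 for findings about the configuration as a whole
    severity: str
    message: str


COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")
HOST_RE = re.compile(
    r"^snmp-server host (\S+) (\S+)(?: (?:trap|poll))?"
    r"(?: community (\S+))?(?: version (\S+))?"
)
V3_RE = re.compile(r"^snmp-server (?:group|user) .*\bv3\b")


def classify_community(community):
    """Return a reason the string is weak, or None if it passes."""
    if community.lower() in WEAK_COMMUNITIES:
        return "well-known default"
    if len(community) < MIN_COMMUNITY_LEN:
        return "too short"
    return None


def audit_asa_snmp(config_text):
    """Walk a saved ASA config and return a list of Finding objects."""
    findings = []
    has_v3 = False
    has_v1v2c = False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if V3_RE.match(line):
            has_v3 = True
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            has_v1v2c = True
            reason = classify_community(m.group(1))
            if reason:
                findings.append(Finding(line_no, "high", f"global community string is {reason}"))
            continue
        m = HOST_RE.match(line)
        if m:
            iface, host, community, version = m.groups()
            if version == "3":          # SNMPv3 manager: authenticated, no community string
                continue
            has_v1v2c = True
            if iface.lower() == "outside":
                findings.append(Finding(line_no, "high",
                                        f"SNMP v1/v2c manager {host} reachable via the outside interface"))
            if community:
                reason = classify_community(community)
                if reason:
                    findings.append(Finding(line_no, "high",
                                            f"community string for {host} is {reason}"))
    if has_v1v2c and not has_v3:
        findings.append(Finding(0, "medium",
                                "only SNMP v1/v2c is configured; prefer SNMPv3 with authentication and privacy"))
    return findings


# Constructed sample configuration (hypothetical hostname, addresses and names).
SAMPLE_CONFIG = """\
hostname asa-edge
snmp-server host inside 10.1.1.5 community public version 2c
snmp-server host outside 203.0.113.7 poll community MonitorMe
snmp-server community public
snmp-server host inside 10.1.1.9 version 3 nmsuser
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha AUTHPASS priv aes 128 PRIVPASS
"""

if __name__ == "__main__":
    for f in audit_asa_snmp(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.severity}] {f.message}")
```

Run it against `show running-config` output saved to a file; a clean result still does not replace the vendor fix, since a strong community string only raises the cost of the attack the post describes rather than removing the underlying flaw.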