
Juniper Confirms Leaked Implants Target Its Products

Juniper Networks has analyzed the implants leaked by Shadow Brokers and while it has confirmed that some of them target its products, the company has not found any evidence that they exploit a vulnerability.

Shadow Brokers has released roughly 300MB of firewall exploits, implants and tools allegedly stolen from the Equation Group, a threat actor believed to be linked to the U.S. National Security Agency (NSA). The group also claims to possess additional material, which it is offering to sell for 1 million Bitcoin (roughly $575 million at current rates).

Kaspersky Lab and others have confirmed that the files appear to be legitimate, but pointed out that they date back to 2010-2013. Previously unpublished documents released by former NSA contractor Edward Snowden also show that the code is genuine.

Fortinet, Cisco and WatchGuard have analyzed the leaked implants and exploits. While more recent products from Fortinet and WatchGuard don’t appear to be impacted, Cisco has admitted finding a zero-day vulnerability (CVE-2016-6366) that affects its ASA and PIX firewalls.

Juniper Networks has also analyzed the leaked files and it has confirmed that some of the implants target its Netscreen firewalls running ScreenOS. The company’s investigation is ongoing, but an initial analysis indicates that the implants target the device’s bootloader and they don’t exploit a vulnerability in ScreenOS.

After the world learned in December 2013 about the tools used by the NSA, Juniper said it investigated thousands of systems but found no evidence of compromise. The network security firm did, however, disclose a couple of serious vulnerabilities in ScreenOS last year that could have been exploited to gain administrative access to some firewalls and to decrypt VPN traffic.

BENIGNCERTAIN tool targets Cisco PIX devices

Cisco confirmed last week that two of the exploits leaked by Shadow Brokers, dubbed EXTRABACON and EPICBANANA, and one implant, dubbed JETPLOW, targeted its ASA and PIX firewalls.

Researcher Mustafa Al-Bassam also determined that BENIGNCERTAIN, another of the leaked tools, affects Cisco PIX devices and can be used to extract VPN private keys from them.

While Cisco PIX has not been supported since 2009, the product is still used by many organizations worldwide.

“Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN,” Cisco said in an update to its initial advisory.
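For an organization that still has PIX units in service, the practical first step is to separate the 6.x-and-earlier devices Cisco says are affected from the 7.0-and-later ones it says are not. The script below is an added example written for this article, not Cisco's or SecurityWeek's code: it parses the first line of "show version" output and triages an inventory against that version boundary. The hostnames and banner strings in SAMPLE_INVENTORY are constructed for the example; the banner formats follow the way PIX 6.x, PIX 7.x and ASA identify themselves, but you should check your own devices' output before relying on the regular expression.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (hypothetical hostnames, not real devices):
# the first line each device prints for "show version".
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-branch-01": "Cisco PIX Firewall Version 6.3(5)",
    "fw-branch-02": "Cisco PIX Security Appliance Software Version 7.0(8)",
    "fw-dc-01": "Cisco Adaptive Security Appliance Software Version 9.1(7)",
    "fw-legacy-03": "Cisco PIX Firewall Version 5.3(2)",
    "fw-unknown": "hostname fw-unknown",  # banner not captured
}

# Matches both the PIX 6.x and PIX 7.x banner styles and the ASA banner.
VERSION_RE = re.compile(
    r"Cisco (PIX|Adaptive Security Appliance)\b.*?Version (\d+)\.(\d+)"
)


def parse_version(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (platform, major, minor) from a show-version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    platform = "PIX" if m.group(1) == "PIX" else "ASA"
    return platform, int(m.group(2)), int(m.group(3))


def benigncertain_exposed(banner: str) -> Optional[bool]:
    """True if the banner is a PIX running 6.x or earlier (the affected range
    per Cisco's advisory), False for PIX 7.0+ and ASA, None if unparseable."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    platform, major, _minor = parsed
    if platform != "PIX":
        return False
    return major < 7


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hostnames into affected / unaffected / unknown, each sorted."""
    buckets: Dict[str, List[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for host, banner in inventory.items():
        exposed = benigncertain_exposed(banner)
        if exposed is None:
            buckets["unknown"].append(host)
        elif exposed:
            buckets["affected"].append(host)
        else:
            buckets["unaffected"].append(host)
    for names in buckets.values():
        names.sort()
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

The version check only tells you whether BENIGNCERTAIN applies to a device; it says nothing about whether the device was ever targeted. Because the tool extracts VPN private keys, a device in the "affected" bucket that has been reachable from the internet should have its keys and certificates treated as potentially compromised and rotated, whatever its log history shows.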

Who is behind the Shadow Brokers leak?

While some experts have suggested that Russia is behind the Shadow Brokers leak, evidence also points to the possible involvement of an insider.

A former NSA employee told Motherboard that the names of the leaked files indicated that they were internally accessible files and they should not have been available on a server that could be accessed from outside the agency.

U.S. journalist James Bamford also believes that Edward Snowden might not be the only NSA leaker and that there could be another insider providing information to activists and WikiLeaks.

In the meantime, a hacker using the online moniker "1x0123" has also claimed to have hacked the Equation Group, but he has not provided any strong evidence to back his claims.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
