Connect with us

Hi, what are you looking for?


Network Security

Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”

Cisco, Fortinet and WatchGuard have analyzed the exploits leaked recently by a threat group calling itself Shadow Brokers. While Fortinet and WatchGuard determined that the vulnerabilities were patched several years ago, Cisco did find a zero-day in its products.

Cisco, Fortinet and WatchGuard have analyzed the exploits leaked recently by a threat group calling itself Shadow Brokers. While Fortinet and WatchGuard determined that the vulnerabilities were patched several years ago, Cisco did find a zero-day in its products.

The mysterious Shadow Brokers group claims to have hacked The Equation Group, a threat actor believed to be associated with the U.S. National Security Agency (NSA). Shadow Brokers, which some speculate might be sponsored by Russia, has released 300Mb of firewall exploits, implants and tools, and is offering to sell even more information for 1 million Bitcoin (valued at more than $500 million).

Kaspersky Lab, which has conducted an extensive analysis of Equation Group tools, has confirmed that the leaked files appear to come from the NSA-linked actor, but pointed out that the files date back to 2010-2013. Nevertheless, this is still a significant leak.

Shadow Brokers has published exploits and implants for hacking firewalls made by Fortinet, Chinese company TOPSEC, Cisco, Juniper Networks, WatchGuard and several unknown vendors.

Cisco finds zero-day vulnerability

In the case of Cisco, the exploits target the company’s PIX and ASA firewalls. Based on its analysis of the leaked files, the networking giant has determined that one of the exploits, dubbed “EPICBANANA,” relied on a vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) software.

The security hole, tracked as CVE-2016-6367, can be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code. However, Cisco noted that this vulnerability was patched in 2011.

The second vulnerability identified by Cisco, leveraged in an exploit dubbed “EXTRABACON,” is actually a zero-day. The high severity issue, CVE-2016-6366, exists in the Simple Network Management Protocol (SNMP) code of Cisco ASA software and it allows an unauthenticated attacker to remotely cause a system to reload or execute arbitrary code.

Advertisement. Scroll to continue reading.

The flaw impacts PIX and ASA firewalls, Firepower security modules, and Firewall Services Modules. Cisco has yet to release security updates for this issue, but the company has provided workarounds and signatures for intrusion prevention systems.

The Shadow Brokers leak also contains JETPLOW, a persistent firmware implant for EPICBANANA. Cisco said the implant doesn’t work against its newer platforms, which include a secure boot feature and digitally signed components.

Other companies patched their products

Fortinet has published an advisory to detail the remote code execution exploit dubbed “EGREGIOUSBLUNDER.” According to the vendor, the exploit targets a cookie parser buffer overflow that affected FortiGate (FOS) firmware released before August 2012.

WatchGuard explained that the “ESCALATEPLOWMAN” exploit targets RapidStream appliances. WatchGuard acquired RapidStream in 2002, but the company said the vulnerabilities were not carried over to WatchGuard appliances.

In the case of Juniper Networks, hackers leaked a Netscreen firewall implant called “FEEDTROUGH.” While Juniper has not published an advisory, some speculated last year that “FEEDTROUGH” might be related to the backdoor found by the company in its Netscreen firewalls.

The Chinese company TOPSEC has not released an advisory, despite the fact that many of the exploits target its firewalls. On the other hand, the company doesn’t appear to have issued any security advisories on its website for more than a year.

Related: Cisco Reviewing Code After Juniper Backdoor Hack

Related: Fortinet Unveils New Security Fabric, High-Performance Firewalls

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet