Security Experts:

Connect with us

Hi, what are you looking for?



Juniper Confirms Leaked Implants Target Its Products

Juniper Networks has analyzed the implants leaked by Shadow Brokers and while it has confirmed that some of them target its products, the company has not found any evidence that they exploit a vulnerability.

Juniper Networks has analyzed the implants leaked by Shadow Brokers and while it has confirmed that some of them target its products, the company has not found any evidence that they exploit a vulnerability.

Shadow Brokers has released roughly 300Mb of firewall exploits, implants and tools allegedly stolen from the Equation Group, a threat actor believed to be linked to the U.S. National Security Agency (NSA). The group also claims to possess additional information, which it’s offering to sell for 1 million Bitcoin (roughly $575 million).

Kaspersky Lab and others have confirmed that the files appear to be legitimate, but pointed out that they date back to 2010-2013. Previously unpublished documents released by former NSA contractor Edward Snowden also show that the code is genuine.

Fortinet, Cisco and WatchGuard have analyzed the leaked implants and exploits. While more recent products from Fortinet and WatchGuard don’t appear to be impacted, Cisco has admitted finding a zero-day vulnerability (CVE-2016-6366) that affects its ASA and PIX firewalls.

Juniper Networks has also analyzed the leaked files and it has confirmed that some of the implants target its Netscreen firewalls running ScreenOS. The company’s investigation is ongoing, but an initial analysis indicates that the implants target the device’s bootloader and they don’t exploit a vulnerability in ScreenOS.

After the world learned in December 2013 about the tools used by the NSA, Juniper said it investigated thousands of systems, but it had not found any evidence of a compromise. The network security firm did report identifying a couple of serious vulnerabilities last year that could have been exploited to gain administrative access to some firewalls and decrypt VPN traffic.

BENIGNCERTAIN tool targets Cisco PIX devices

Cisco confirmed last week that two of the exploits leaked by Shadow Brokers, dubbed EXTRABACON and EPICBANANA, and one implant, dubbed JETPLOW, targeted its ASA and PIX firewalls.

Researcher Mustafa Al-Bassam also determined that BENIGNCERTAIN, one of the tools leaked by the hackers, also affects Cisco PIX devices and it can be exploited to extract VPN private keys.

While Cisco PIX has not been supported since 2009, the product is still used by many organizations worldwide.

“Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN,” Cisco said in an update to its initial advisory.

Who is behind the Shadow Brokers leak?

While some experts have suggested that Russia is behind the Shadow Brokers leak, evidence also points to the possible involvement of an insider.

A former NSA employee told Motherboard that the names of the leaked files indicated that they were internally accessible files and they should not have been available on a server that could be accessed from outside the agency.

U.S. journalist James Bamford also believes that Edward Snowden might not be the only NSA leaker and that there could be another insider providing information to activists and WikiLeaks.

In the meantime, a hacker using the online moniker “1×0123” also claimed to have hacked the Equation Group, but he has not provided any strong evidence to back his claims.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...