Juniper Networks has analyzed the implants leaked by Shadow Brokers and while it has confirmed that some of them target its products, the company has not found any evidence that they exploit a vulnerability.
Shadow Brokers has released roughly 300MB of firewall exploits, implants and tools allegedly stolen from the Equation Group, a threat actor believed to be linked to the U.S. National Security Agency (NSA). The group also claims to possess additional information, which it’s offering to sell for 1 million Bitcoin (roughly $575 million).
Kaspersky Lab and others have confirmed that the files appear to be legitimate, but pointed out that they date back to 2010-2013. Previously unpublished documents released by former NSA contractor Edward Snowden also show that the code is genuine.
Fortinet, Cisco and WatchGuard have analyzed the leaked implants and exploits. While more recent products from Fortinet and WatchGuard don’t appear to be impacted, Cisco has admitted finding a zero-day vulnerability (CVE-2016-6366) that affects its ASA and PIX firewalls.
Juniper Networks has also analyzed the leaked files and it has confirmed that some of the implants target its Netscreen firewalls running ScreenOS. The company’s investigation is ongoing, but an initial analysis indicates that the implants target the device’s bootloader and they don’t exploit a vulnerability in ScreenOS.
After the world learned in December 2013 about the tools used by the NSA, Juniper said it investigated thousands of systems, but it had not found any evidence of a compromise. The network security firm did report identifying a couple of serious vulnerabilities last year that could have been exploited to gain administrative access to some firewalls and decrypt VPN traffic.
BENIGNCERTAIN tool targets Cisco PIX devices
Cisco confirmed last week that two of the exploits leaked by Shadow Brokers, dubbed EXTRABACON and EPICBANANA, and one implant, dubbed JETPLOW, targeted its ASA and PIX firewalls.
Researcher Mustafa Al-Bassam also determined that BENIGNCERTAIN, one of the tools leaked by the hackers, affects Cisco PIX devices and can be exploited to extract VPN private keys.
While Cisco PIX has not been supported since 2009, the product is still used by many organizations worldwide.
“Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN,” Cisco said in an update to its initial advisory.
Who is behind the Shadow Brokers leak?
While some experts have suggested that Russia is behind the Shadow Brokers leak, evidence also points to the possible involvement of an insider.
A former NSA employee told Motherboard that the names of the leaked files indicated that they were internally accessible files and they should not have been available on a server that could be accessed from outside the agency.
U.S. journalist James Bamford also believes that Edward Snowden might not be the only NSA leaker and that there could be another insider providing information to activists and WikiLeaks.
In the meantime, a hacker using the online moniker “1×0123” also claimed to have hacked the Equation Group, but he has not provided any strong evidence to back his claims.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.