As most of you know, an entity within the NSA, or very close to it, was recently hacked. This NSA-associated group, often referred to as the Equation Group, was most probably responsible for both the Stuxnet and Flame malware of a few years back. I believe that this group is the TAO (the NSA's offensive unit, known as Tailored Access Operations) or a very close NSA contractor (Booz Allen?). Among the bounty these hackers found when they entered the Equation Group's systems were a number of zero-day exploits. In addition, this group, known as the Shadow Brokers, is offering other information they found at the Equation Group for 1 million bitcoins, or about $500 million.
National Security Agency director Michael S. Rogers looking exasperated
The Back Story
Shadow Brokers is likely a state-sponsored cyber organization, most likely with ties to the Russian government. After hacking the Equation Group, they posted many of the exploits they stole on GitHub and elsewhere. Initially, experts were skeptical that the exploits were real, until Cisco conclusively confirmed that the EXTRABACON exploit works against their firewalls and that they did not yet have a patch. Later, other manufacturers such as Fortinet also confirmed the validity of these exploits against their products.
Some speculate that the Russians are flexing their hacking muscle before the U.S. Presidential election coming in November, which they seem determined to influence. Or maybe the Russians are simply flexing their cyber muscle as a way of letting the U.S. know that, despite U.S. superiority in kinetic weapons, they are still superior in cyber warfare. Whatever the case, this may be a "shot across the bow" of the U.S. intelligence community and the major political parties: a signal that they, the Russians, can do as they please within the most highly secured environments. They are also indicating that they have more information coming that may be damaging to the U.S. intelligence community or U.S. politicians (the same group probably hacked the Democratic National Committee).
Outside of the geopolitical framework, this hack is further proof that the NSA hoards zero-days that it does not disclose to manufacturers such as Cisco, making everyone less safe. Furthermore, if the Russians can hack the NSA, then the NSA may be overestimating its own capabilities and defenses.
Cisco and EXTRABACON
Although many had been skeptical of the validity of the exploits released by Shadow Brokers, within a day or so Cisco confirmed them by issuing the following alert through its security advisory service.
According to Cisco, the EXTRABACON exploit enables an attacker who has network access to the device and knows its SNMP community string to execute code remotely on the firewall. In essence, the appliance designed to protect our network is compromised, making the entire network unsafe. Like so many other remote code execution exploits, EXTRABACON takes advantage of a buffer overflow in the code of the affected device.
EXTRABACON enables the attacker to gain full control of the firewall/appliance. For more information on SNMP and cracking the SNMP community string, check out my article here.
This exploit requires:
1. SNMP to be enabled on the device
2. Knowledge of the community string, for any version of SNMP (v1, v2, v3)
3. IPv4 traffic (the exploit works with IPv4 packets only)
4. Access from a system residing on an interface of the firewall
Diagram Courtesy Cisco Systems
How to Get Your EXTRABACON
The EXTRABACON exploit is a python script that you can download here.
I've downloaded it to my Kali Linux system to demonstrate how it works. Once downloaded, it creates a directory named 40258. Let's navigate to it and then list its contents.
kali > cd 40258
kali > ls -l
As you can see above, it has one executable file (extrabacon_1.1.0.1.py) and four directories. When we move to the versions directory, we can see that this exploit has shellcode for each vulnerable version of the Cisco ASA firewall.
Our friends at the Equation Group even gave this exploit a help file. We can see it by simply typing:
kali > ./extrabacon_1.1.0.1.py -h
It's important to note that this exploit can be used in info mode or exec mode.
First, one must use info mode to gather the information the exploit needs from the firewall, and then use the resulting information file in exec mode.
Let's use EXTRABACON to gather information from the target firewall. To do so, we will need its IP address and its community string. In my example, I used an IP of 192.168.1.101 and a community string of "hackers-arise".
kali > ./extrabacon_1.1.0.1.py info -t 192.168.1.101 -c hackers-arise
This will return a file that we need in exec mode of EXTRABACON. Here, I have named that file OTW. Of course, yours will be different.
Now, to execute our shellcode on the target, we will use:
1. the "exec" option
2. -k followed by the file generated in info mode (OTW)
3. -t followed by the IP address of the firewall
4. -c followed by the SNMP community string
5. --mode pass-enable
For example:
kali > ./extrabacon_1.1.0.1.py exec -k OTW -t 192.168.1.101 -c hackers-arise --mode pass-enable
When the exploit is successful, it will execute the shellcode on the Cisco ASA firewall, giving the attacker complete control!
Snort Rule to Detect EXTRABACON
In response to the release of the EXTRABACON exploit by Shadow Brokers, Cisco (now owner of Snort and Sourcefire) released a signature to detect it.
You can see it below.
Let's examine this rule to understand what it does. I have broken the rule into its individual components, with an explanation of each, to help you understand how this Snort rule functions.
alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon? Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1;)
Component by component:
1. alert udp any any -> any 161 : the rule looks for UDP traffic coming from any IP and any port to any IP on port 161 (the SNMP port).
2. msg:"ET EXPLOIT Equation Group ExtraBacon? Cisco ASA AAAADMINAUTH Disable"; : if triggered, the rule sends this message to the security engineer.
3. content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; : it looks for this hex content anywhere in the payload.
4. content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; : it then looks for this hex content, which must begin at least 2 bytes after the end of the previous match and be found within the next 22 bytes.
5. content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; : next, it looks for this hex content, which must begin at least 4 bytes after the end of the previous match and be found within the next 24 bytes.
6. reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; : finally, it references the source of the signature, classifies the event as an attempted admin compromise, and gives the rule its ID and revision.
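To see what the content chain above actually constrains, here is an added example (not from the original post or from Cisco/Emerging Threats) that re-implements the rule's header check and its three content matches in Python and runs them over constructed test payloads. It assumes Snort 2 semantics for the modifiers: distance offsets the search start from the end of the previous match, and within caps the search depth from that offset point.

```python
# Added example: minimal re-implementation of the Snort rule's matching logic,
# used to sanity-check a signature the way a detection engineer would.
# Assumes Snort 2 semantics: `distance` shifts the search start relative to the
# end of the previous match, `within` limits the search depth from that point.
SNMP_PORT = 161

# The three content patterns exactly as they appear in the rule above.
CONTENT_1 = bytes.fromhex("bfa5a5a5a5b8d8a5a5a531f8bba5")
CONTENT_2 = bytes.fromhex("ad31fbb9a5b5a5a531f9baa2a5a5a531facd80eb14bf")
CONTENT_3 = bytes.fromhex("31c9b104fcf3a4e90c0000005eebece8f8ffffff31c040c3")

# (pattern, distance, within) in rule order; None means an unconstrained search.
RULE_CHAIN = [
    (CONTENT_1, None, None),
    (CONTENT_2, 2, 22),
    (CONTENT_3, 4, 24),
]


def rule_matches(payload: bytes, dport: int) -> bool:
    """True if a UDP payload to `dport` satisfies the rule header and content chain."""
    if dport != SNMP_PORT:             # alert udp any any -> any 161
        return False
    prev_end = 0                       # end offset of the previous content match
    for pattern, distance, within in RULE_CHAIN:
        if distance is None:           # first content: search the whole payload
            idx = payload.find(pattern)
        else:                          # relative match: window starts at prev_end+distance
            start = prev_end + distance
            rel = payload[start:start + within].find(pattern)
            idx = -1 if rel < 0 else start + rel
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True


# Constructed test payloads (not real captures). Note that a 22-byte pattern
# with within:22 must sit exactly at prev_end + 2, so the spacing is rigid.
MATCHING = b"\x30\x00" + CONTENT_1 + b"\x00\x00" + CONTENT_2 + b"\x00" * 4 + CONTENT_3
BENIGN = bytes.fromhex("302602010004067075626c6963a0190204") + b"\x00" * 8  # SNMP-like GetRequest prefix
WRONG_SPACING = CONTENT_1 + b"\x00" * 5 + CONTENT_2 + CONTENT_3  # fragments present, gaps wrong
```

Running rule_matches over the three payloads shows that the signature keys on the fixed layout of the shellcode fragments, not merely on their presence, which is why a small change in spacing would evade this particular rule.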
Defenses
Until Cisco releases a patch for this vulnerability, you have two main defenses:
1. Make your SNMP community string long and complex
2. Disable SNMP on the vulnerable device (no snmp-server enable)
EXTRABACON clearly shows us that there are still many zero-day exploits out there that we must be cautious and concerned about. In addition, it shows us that these exploits can be surprisingly simple to develop and execute.
I'll be analyzing the other zero-day exploits released by Shadow Brokers in coming articles, so keep coming back to Hackers-Arise!