The Shadow Brokers EPICBANANAS and EXTRABACON Exploits

blogs.cisco.com

83 points by hwatson 10 years ago · 35 comments


dogma1138 10 years ago

One thing I find odd is

"JETPLOW is a persistent implant of EPICBANANA. Digitally signed Cisco software is signed using secure asymmetrical (public-key) cryptography in newer platforms prevents these types of attacks. The purpose of digitally signed Cisco software is to increase the security posture of Cisco ASA devices by ensuring that the software running on the system has not been tampered with and originated from a trusted source as claimed."

They claim that the implant is digitally signed, then they say that it shouldn't work because Cisco software is digitally signed also, and it's verified by the Cisco Secure Boot.

Isn't that a bit contradictory? Sure, they might have had flaws in their verification process (we've seen signature verifications that were nothing more than "is this a signed message" before) but since Cisco verifies the signature properly (as you haven't been able to binary patch Cisco boot images for 5+ years) doesn't this imply that the NSA got a hold of the signing keys used by Cisco or an authorized 3rd party?

  • dsp1234 10 years ago

    The advisory is saying that JETPLOW is not signed. And thus, in newer platforms where signing is implemented, it would prevent that type of attack.

  • lallysingh 10 years ago

    It's just poor grammar. Here's the fixed sentence, replacing a confusing proper noun: "PROPERNOUN Cisco software is signed using secure asymmetrical (public-key) cryptography in newer platforms [that] prevents these types of attacks."

    • dogma1138 10 years ago

      Yeah I guess it's a combination of non ideal grammar and lack of reading comprehension on my part :)

  • spdustin 10 years ago

    They clarified that the files are signed by PKI now. Notice the order of the words "digitally signed [files] are signed using secure [etc] in newer platforms"

    It suggests to me that the previous signature style was a symmetric type, whereas now it's asymmetric.

  • mintplant 10 years ago

    > They claim that the implant is digitally signed

    Where do they claim that? Both occurrences of the words "digitally signed" in the quoted section refer to the new Cisco software and not to the JETPLOW payload.

  • revelation 10 years ago

    It says in newer platforms. That said, a boot verification is kind of pointless in systems that are expected to run continuously for months. If you have code execution, you might be perfectly fine only having your in for months and not bother to patch the firmware.

walrus01 10 years ago

re: EXTRABACON

If you have SNMP listening on a public ipv4/ipv6 interface of a firewall (I don't care if it's an EOL/EOS PIX or not), you have done something fundamentally wrong from the start. As a network engineer seeing something like this in a business customer's equipment would cause me to seriously reconsider all other decisions/security configurations made by a predecessor or third party contractor.

  • Shank 10 years ago

    It's a pivot though. If you can compromise anything that's on the LAN you can pivot inside with this. The sample files provide proof that they have working exploits, that they're NSA-grade, and that they function. The actual auction files are probably much more "fire and forget" grade -- either acting over the internet or doing privilege escalation combined with these attacks.

    • walrus01 10 years ago

      Yes, absolutely true. If the exploit is running on a non-Cisco compromised device that's in RFC1918 IP space somewhere that it can reach internal, SNMP-listening interfaces of the device, that's a good way to attack it.

  • zengid 10 years ago

    IT student here. Genuinely curious: could you explain why this is a fundamental error?

    • wepple 10 years ago

      Other people have given good, specific answers. Let me generalize from a security perspective:

      Having a port listening on the internet means you've exposed (usually) tens or hundreds of thousands of lines of code to anyone with an internet connection. One vulnerable line of code or mis-configuration could be an entry point into your network for an attacker.

      The key then, is deciding what absolutely needs to be exposed. If you run a website, you're going to need to expose your web server to the internet. Need access for remote workers? You'll open up a VPN. There are a bunch of things that generally have no place being exposed to the internet: SNMP, SMB, afp, RDP, Telnet, Any admin console, etc.

    • oogali 10 years ago

      A former, pissed-off employee who still remembers all of your routers' IP addresses and SNMP communities can issue an SNMP request to shut down all network interfaces and disable your network to the outside world.

      A former employee who tells someone else your SNMP communities...

      A current employee who in a moment of laziness, inadvertently leaves your SNMP community in a public pastebin or Github Gist...

      So on and so forth.

      • nathanlied 10 years ago

        I'd further elaborate on your answer with:

        Even if you can only monitor things, instead of directly issuing commands, it's still information you're leaking.

        Information leaks are still a class of vulnerability for a reason. It can give an attacker information on your network topology that he wouldn't usually have.

        The less attack surface exposed, the better. Generally, if something is exposed to the Internet that has no (good) reason to be, it's a vulnerability.

    • walrus01 10 years ago

      SNMP is used for internal management/monitoring of network-enabled devices, which you don't expose to the public internet.

      The SNMP supported on old PIX is SNMPv1/SNMPv2 which sends the community string in plaintext, and the reply is similarly unencrypted, so it's basically the same security level as telnet or regular http (none).
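The plaintext community string walrus01 describes is visible in the raw message bytes. The following is an added example, not code from the thread or from Cisco: a small BER reader that pulls the version, community and PDU type out of an SNMPv1/v2c datagram, returns no community for v3 (where that field does not exist), and rejects truncated encodings instead of reading past the buffer. The packet is constructed, not captured from any device; the v3 sample is only the version header.

```python
"""Added example: read the version and community string from an SNMPv1/v2c
message. The packets below are constructed for the example."""

# Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0),
# community "public", request-id 42. Every field is a BER tag/length/value.
SAMPLE_V2C_GET = bytes.fromhex(
    "3029"                      # SEQUENCE, 41 bytes: the whole message
    "020101"                    # INTEGER 1 -> version v2c (0 = v1, 3 = v3)
    "0406" "7075626c6963"       # OCTET STRING "public": the community, unencrypted
    "a01c"                      # context tag 0 = GetRequest-PDU, 28 bytes
    "0204" "0000002a"           # INTEGER request-id = 42
    "020100"                    # INTEGER error-status = 0
    "020100"                    # INTEGER error-index = 0
    "300e"                      # SEQUENCE of VarBinds
    "300c"                      # VarBind
    "0608" "2b06010201010100"   # OID 1.3.6.1.2.1.1.1.0
    "0500"                      # NULL value (a GetRequest carries no value)
)

# Constructed, minimal SNMPv3 message start: just the outer SEQUENCE and the
# INTEGER version = 3. Enough for the version check; the rest is omitted.
SAMPLE_V3_HEADER = bytes.fromhex("3003020103")

PDU_NAMES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "Trap-v2", 0xA8: "Report",
}


def read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos] -> (tag, value, next_pos).
    Handles short and long-form lengths and raises on truncated encodings,
    so a malformed datagram fails cleanly instead of reading past the end."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by SNMP")
    pos += 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return {'version', 'community', 'pdu_type'} for one SNMP message.
    For v3 the community field does not exist (credentials live in the
    security parameters), so community and pdu_type come back as None."""
    tag, body, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not a single SNMP message SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big", signed=True)
    name = {0: "v1", 1: "v2c", 3: "v3"}.get(version, f"unknown({version})")
    if version == 3:
        return {"version": name, "community": None, "pdu_type": None}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    tag, _pdu, _ = read_tlv(body, pos)
    return {
        "version": name,
        "community": community.decode("latin-1"),  # raw bytes on the wire, no encryption
        "pdu_type": PDU_NAMES.get(tag, f"unknown(0x{tag:02x})"),
    }


def uses_plaintext_community(packet):
    """True when the datagram is SNMPv1/v2c, i.e. its only credential is a
    string anyone on the path can read. Run over UDP/161 payloads to find
    community-based SNMP on interfaces where it should not be."""
    return parse_snmp_header(packet)["community"] is not None


def is_well_formed(packet):
    """True when the message parses; False for truncated or non-SNMP input."""
    try:
        parse_snmp_header(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE_V2C_GET))
```

The `read_tlv` bounds checks are the part worth copying: every length in the message is attacker-controlled, and a parser that trusts them is exactly the kind of ASN.1 handling that the thread later asks about.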

  • tptacek 10 years ago

    The point of EXTRABACON isn't to break into networks protected by an ASA; it's to persist onto that network by infecting the firewall after you manage somehow to bypass it. It's of a kind with exploits for other firewalls through management interfaces that can't be reached on the public interface.

    • moyix 10 years ago

      Still, I wonder how long before we see it weaponized by adding this as a payload to ordinary desktop malware. A nice trick would be something that scans the local network, infects the ASA (people are pretty good about keeping SNMP off the internet, possibly less good about keeping it off the internal interfaces), and then does HTTP injection from the ASA with SecondDate of either a malicious or advertising payload.

  • arca_vorago 10 years ago

    I agree but if there is one lesson I've learned, it's that often when you find such environments it is due to failure of the management/execs to properly support the IT team, so they cut corners, halfass it, or hire contractors as you mentioned. True it shouldn't be done, but if you are selling equipment to a business who has had this failing, it's just something to be aware of.

    I'm so damn tired of companies underfunding IT and then roasting some director or other alive when the technical debt inevitably bites them in the ass.

  • tgsovlerkhgsel 10 years ago

    If you have a sufficiently large network, for a sufficiently long time, someone, somewhere, will fuck up an ACL.

    • tptacek 10 years ago

      This isn't an ACL setting. You have to specifically ask an ASA to bind SNMP to the external interface.
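Because an ASA only polls or traps SNMP on an interface it is explicitly told to (tptacek's point), the exposure walrus01 objects to is visible in the configuration itself. The following added example, not from the thread and not Cisco's code, audits a constructed ASA config excerpt: it maps each `nameif` to its `security-level`, then flags any `snmp-server host` line bound to a level-0 interface or using community-based v1/v2c. The `snmp-server host <nameif> <ip> [community ...] [version ...]` shape follows ASA's documented syntax; the addresses are from documentation ranges.

```python
"""Added example: flag SNMP hosts bound to an ASA's outside interface, or
polled with community-based v1/v2c. The config excerpt is constructed."""
import re

# Constructed ASA configuration excerpt (not from any real device).
SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
snmp-server host outside 198.51.100.20 community public version 2c
snmp-server host inside 10.0.0.50 community n3tm0n version 2c
snmp-server host inside 10.0.0.60 version 3 nmsuser
"""

SNMP_HOST = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$")


def interface_security_levels(config):
    """Map each nameif to its security-level from the interface stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                       # new stanza, nameif not seen yet
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def audit_snmp_hosts(config):
    """Return (host, interface, issue) tuples, one per risk on each
    snmp-server host line. A line can produce more than one finding."""
    levels = interface_security_levels(config)
    findings = []
    for line in config.splitlines():
        m = SNMP_HOST.match(line)
        if not m:
            continue
        iface, host, rest = m.groups()
        vm = re.search(r"\bversion (\S+)", rest)
        version = vm.group(1) if vm else None   # None: no version on the line
        # An interface with no known security-level is treated as untrusted
        # (level 0) rather than silently skipped.
        if levels.get(iface, 0) == 0:
            findings.append((host, iface,
                             "SNMP bound to a security-level 0 interface"))
        if version != "3":
            findings.append((host, iface,
                             "community-based SNMP (v1/v2c): community string sent in plaintext"))
    return findings


if __name__ == "__main__":
    for host, iface, issue in audit_snmp_hosts(SAMPLE_ASA_CONFIG):
        print(f"{iface:8} {host:16} {issue}")
```

Only the v3 line comes back clean; the `outside` host is reported twice (exposed interface and plaintext community), which is the configuration the thread is arguing should never exist.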

LeafStorm 10 years ago

Is this a standard naming convention for exploits?

  • rdtsc 10 years ago

    Those are the names of compartments / projects for classified information.

    The way compartments work, they are supposed to be isolated not just from lower level (secret vs top secret) but also among each other. So things would have instructions like "handle via EPICBANANA channels only". So if you are not read into EPICBANANA you don't get access to it, even though you might have TS clearance.

    So programs / capabilities are referred to by those names. Instead of say "Oh that Cisco ASA blah model VPN MitM thing we have".

    That also means that just because you have TS clearance doesn't mean you get to pick up and walk away with all the TS information you want ... oh wait, that did happen already, didn't it... oops.

    • justinjlynn 10 years ago

      Snowden was a member of a group with what is known as "PRIVAC", or privileged access, capabilities. To my amateur understanding, this type of access is granted to systems administrators or other users of information systems who may see things they aren't otherwise cleared to see in the course of their normal duties. Additionally, it was reported, though denied by Snowden, that Snowden used other colleagues' credentials to access information for collection and later disclosure.

  • alienth 10 years ago

    It's the code names of the exploits which are being released by Shadow Brokers. Likely the names which the original authors utilized. Equation Group is known to utilize code names like this: https://en.wikipedia.org/wiki/Equation_Group#Codewords_and_t...

xroche 10 years ago

Is it yet another ASN.1-related exploit?
