NSA hacking tools used against Cisco customers

Cisco products are now vulnerable to Equation group exploits

Leaked NSA hacking tools are now being used against Cisco customers, according to the tech giant. The company published an advisory on Friday saying that NSA-grade hacking tools are being used against its customers.

The advisory states that the “Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms.” Cisco have not yet identified which customers have fallen prey to the exploit.

The vulnerability affects a range of Cisco products, and by extension anyone using them: Cisco PIX firewalls, and Cisco products running affected releases of Cisco IOS, IOS XE and IOS XR software. The company is still checking whether any further products are affected.

The vulnerability, tracked as CVE-2016-6415 and known in the leaked toolset as BENIGNCERTAIN, lies in the code that handles IKEv1 (Internet Key Exchange version 1) security negotiation requests, the protocol used to set up IPsec VPN tunnels. Insufficient condition checks in that code could allow an unauthenticated remote attacker to send a crafted IKEv1 packet to an affected device and retrieve memory contents, disclosing confidential information.
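The bug class the advisory describes, modelled as an added example (this is not Cisco's code and not the leaked tool): an IKEv1 payload parser that trusts the peer-supplied payload length without checking it against the datagram it arrived in, beside the version that checks it. Only the ISAKMP packet layout (RFC 2408) is real; the datagram, the planted secret, the parser and all function names are constructed for this illustration.

```c
/* Illustrative model of an "insufficient condition check" in IKEv1/ISAKMP
 * payload handling, and of the checks that close it. Not Cisco's code and not
 * the BENIGNCERTAIN exploit: only the packet layout (RFC 2408) is real; the
 * parser, the datagram and the planted secret are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28u   /* fixed ISAKMP header, RFC 2408 section 3.1 */
#define GEN_HDR_LEN     4u   /* generic payload header: next, reserved, length */
#define DATAGRAM_LEN   36u   /* bytes actually received in the constructed example */

/* Constructed "device memory": the received IKEv1 datagram, immediately followed
 * by 16 bytes that belong to something else. In real firmware the over-read
 * below would pull in whatever is adjacent; here the secret is planted so the
 * demo is deterministic and every read stays inside this array. */
static const uint8_t device_mem[DATAGRAM_LEN + 16] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,  /* initiator cookie            */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  /* responder cookie (none yet) */
    0x01,                                     /* next payload: SA            */
    0x10,                                     /* major 1, minor 0            */
    0x02,                                     /* exchange: identity protect. */
    0x00,                                     /* flags                       */
    0x00,0x00,0x00,0x00,                      /* message ID                  */
    0x00,0x00,0x00,0x24,                      /* length = 36, truthful       */
    /* SA payload: generic header claims 24 bytes, but only 8 were received */
    0x00,0x00,0x00,0x18,                      /* next=none, rsvd, length=24  */
    0x00,0x00,0x00,0x01,                      /* DOI = IPsec                 */
    /* --- end of datagram; the peer never sent the bytes below --- */
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S',
};
static const uint8_t secret[16] = {'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S'};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable: echoes the first payload using the peer-supplied payload length.
 * Only the output buffer is checked, never the datagram length, so a lying
 * length field turns the echo into a read of adjacent memory. */
size_t copy_payload_vulnerable(const uint8_t *pkt, size_t pkt_len,
                               uint8_t *out, size_t out_cap)
{
    if (pkt_len < ISAKMP_HDR_LEN + GEN_HDR_LEN) return 0;
    const uint8_t *pl = pkt + ISAKMP_HDR_LEN;
    uint16_t plen = be16(pl + 2);
    if (plen > out_cap) return 0;
    memcpy(out, pl, plen);           /* reads past pkt_len whenever plen lies */
    return plen;
}

/* Hardened: every length field is validated against the structure that
 * contains it before a single byte is copied. */
size_t copy_payload_hardened(const uint8_t *pkt, size_t pkt_len,
                             uint8_t *out, size_t out_cap)
{
    if (pkt_len < ISAKMP_HDR_LEN + GEN_HDR_LEN) return 0;
    if (be32(pkt + 24) != pkt_len) return 0;         /* header length vs datagram */
    const uint8_t *pl = pkt + ISAKMP_HDR_LEN;
    uint16_t plen = be16(pl + 2);
    if (plen < GEN_HDR_LEN) return 0;                /* must cover its own header */
    if (plen > pkt_len - ISAKMP_HDR_LEN) return 0;   /* must fit in the datagram */
    if (plen > out_cap) return 0;
    memcpy(out, pl, plen);
    return plen;
}

/* 1 if the planted secret appears anywhere in a would-be response, else 0. */
int secret_found_in(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + sizeof secret <= n; i++)
        if (memcmp(buf + i, secret, sizeof secret) == 0) return 1;
    return 0;
}

/* Feed the constructed datagram to the vulnerable parser: 1 = secret leaked. */
int vulnerable_leaks_secret(void)
{
    uint8_t out[64];
    size_t n = copy_payload_vulnerable(device_mem, DATAGRAM_LEN, out, sizeof out);
    return secret_found_in(out, n);
}

/* Same datagram through the hardened parser: rejected, nothing is copied. */
int hardened_leaks_secret(void)
{
    uint8_t out[64];
    size_t n = copy_payload_hardened(device_mem, DATAGRAM_LEN, out, sizeof out);
    return secret_found_in(out, n);
}

/* Truthful copy of the datagram (payload length 8): the hardened parser must
 * still accept legitimate traffic. Returns the bytes copied. */
size_t hardened_accepts_wellformed(void)
{
    uint8_t pkt[DATAGRAM_LEN], out[64];
    memcpy(pkt, device_mem, DATAGRAM_LEN);
    pkt[ISAKMP_HDR_LEN + 2] = 0x00;   /* payload length = 8 */
    pkt[ISAKMP_HDR_LEN + 3] = 0x08;
    return copy_payload_hardened(pkt, DATAGRAM_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable parser leaks secret: %d\n", vulnerable_leaks_secret());
    printf("hardened parser leaks secret:   %d\n", hardened_leaks_secret());
    printf("hardened parser accepts well-formed payload: %zu bytes\n",
           hardened_accepts_wellformed());
    return 0;
}
```

The point of the model is the shape of the bug rather than any Cisco specifics: the vulnerable path checks the length it is about to write but not the length it is about to read, so the peer decides how far past the datagram the copy runs. The hardened path ties each length field to its container (header length to datagram, payload length to header and datagram) before copying, which is also the property a detection rule in front of an IKEv1 endpoint would test for.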

There is currently no workaround for this vulnerability. Cisco have advised customers running affected products to monitor those systems and to deploy intrusion prevention and detection systems to help detect and block attacks.

Cisco will also release software updates to fix the bug, although when that will happen is not yet known.

The exploit comes from a dump released earlier this year by a mysterious group calling itself the Shadow Brokers. Widely believed to be a Russian state-backed APT group itself, it released files taken from an NSA-linked APT group, Equation.

The files were part of a larger tranche from the US APT group, which the Brokers claimed to be auctioning to the highest bidder. Shortly afterwards, documents from Edward Snowden's 2013 disclosures were used to verify the legitimacy of the files shown off by the group.

The basic revelation is shocking enough, French Caldwell, chief evangelist at MetricStream, told SCMagazineUK.com. It's “a nation's entire library of hacking tools which have fallen into the hands of their adversaries. All other national security agencies, including GCHQ, should be deemed vulnerable. If the NSA was hacked, the chances that they too have been targeted are certainly more than 50/50”.

The presence of these kinds of exploits should give businesses pause: “All national governments are pushing for increased collaboration with business, to tackle a very real cyber-security threat, but incidents like this raise serious questions over this ethos of co-operation. Why should businesses trust the government to protect their secrets when they can't protect their own?”

It is still unclear who pulled this off but Ewan Lawson, senior fellow for military influence at the Royal United Services Institute, offered some insight to SC.

“I wonder if in part this is a reaction by Shadow Brokers to the response that the tools were dated and therefore likely already patched against? It seems to have gone very quiet regarding the auction with public attention switched to Colin Powell and WADA hacks.”

Lawson added, “I would like to think that the key agencies were already sharing the exploits with the vendors however circuitously but perhaps that's me being naive.”