Shadow Brokers: NSA Exploits of the Week

Today an unknown group calling itself the Shadow Brokers started an auction after claiming to have hacked the Equation Group (the name Kaspersky gave to an NSA-linked entity believed to be the author of Stuxnet and Flame). The announcement is here: https://theshadowbrokers.tumblr.com/

[image: Current Tumblr page]

Update: The Tumblr got taken down on 15 August (PST)

Name

The name of the group seems to come from the video game Mass Effect, where the Shadow Broker is described as follows:

“The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business.”

This certainly helps to understand the psychology behind the group when it comes to the questions people keep asking, such as:

  • “Why is this auction so fishy?”
  • “Do they really want half a billion USD?”
  • “Do they really have more files or is that it?”
  • “Is the auction real or just a distraction?”

Ownership

The files were also present on GitHub before the story broke on Twitter. Using the GitHub API we can retrieve the email address of the original GitHub user, who joined GitHub on August 6, 2016 and pushed the files on August 13, 2016; the repository was taken down on August 15, 2016. As I mentioned on Twitter, the address is hosted at Tutanota, an open-source end-to-end encrypted email service with cloud hosting that is also popular among ISIS. Given what happened to Lavabit in the past, it will be interesting to see how the US Government responds.

userll6gcwaknz@tutanota.com

[image: GitHub API output]
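One way to pull the uploader identity from GitHub API output, as an added example that is not code from the original post: it parses constructed JSON shaped like the `/repos/{owner}/{repo}/commits` and `/users/{login}` responses (every value is a placeholder, not the real data) and reports the commit-author email, any linked login, the commit date range and the account age at push time, which is the attribution step described above.

```python
"""Extract uploader identity from GitHub API commit metadata (offline demo).

Added example, not code from the original post. The JSON below is constructed
to mimic GET /repos/{owner}/{repo}/commits and GET /users/{login}; all values
are placeholders, not the real Shadow Brokers repository data.
"""
import json
from datetime import datetime, timezone

SAMPLE_COMMITS = json.dumps([
    {"sha": "0" * 39 + "1",
     "commit": {"author": {"name": "uploader", "email": "uploader@example.invalid",
                           "date": "2016-08-13T10:00:00Z"}, "message": "initial"},
     "author": {"login": "uploader-login"}},
    {"sha": "0" * 39 + "2",
     "commit": {"author": {"name": "uploader", "email": "uploader@example.invalid",
                           "date": "2016-08-13T11:30:00Z"}, "message": "add files"},
     "author": None},  # GitHub returns null when the email maps to no account
])
SAMPLE_USER = json.dumps({"login": "uploader-login",
                          "created_at": "2016-08-06T08:00:00Z"})


def _ts(s):
    # GitHub timestamps are ISO 8601 with a trailing Z (UTC)
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def commit_identities(commits_json):
    """Map each commit-author email to name, linked logins and commit date range.

    The email lives in commit.author.email (taken from the pusher's git config),
    so it is exposed by the commits endpoint even when the profile hides it.
    """
    found = {}
    for c in json.loads(commits_json):
        a = c["commit"]["author"]
        login = (c.get("author") or {}).get("login")
        when = _ts(a["date"])
        entry = found.setdefault(a["email"], {"name": a["name"], "logins": set(),
                                             "first": when, "last": when})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        if login:
            entry["logins"].add(login)
    return found


def account_age_days(user_json, at_iso):
    """Days between account creation and a given timestamp; a days-old account is a signal."""
    created = _ts(json.loads(user_json)["created_at"])
    return (_ts(at_iso) - created).days
```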

Origin

As @thegrugq highlighted, having these files (especially an extract of a toolkit) doesn’t necessarily mean the NSA was hacked and all of its files were compromised. One theory is a botched deployment.

Codenames

Update (16 Aug 2016): You can find a more extensive list and description of the exploits, implants and tools in the toolkit, by Mustafa Al-Bassam, here: https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html

Here are some code names I extracted from the free files offered as a teaser on the Shadow Brokers blog. The main targets of this dump appear to be Fortinet, TopSec, Cisco and Juniper firewalls.

Most of the code consists of batch scripts and poorly written Python scripts, and appears to be a toolkit for attacking firewalls. Nonetheless, it appears to be legitimate code.

The four-letter codenames come from the EXPLOITS folder.

For clarification: yes, there are actual exploits in the dump, with 2013 timestamps on the files. We do not know whether they work, as nobody has tried them yet, but they are actual exploits and not only references.

Update (16 Aug 2016): Some of the exploits are confirmed to be working.

EGBL = EGREGIOUS BLUNDER (Fortigate firewall HTTPD exploit, apparently a 2006 CVE)
ELBA = ELIGIBLE BACHELOR
ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1)
ELCA = ELIGIBLE CANDIDATE
ELCO = ELIGIBLE CONTESTANT
EPBA = EPIC BANANA
ESPL = ESCALATE PLOWMAN
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)

BANANAGLEE = Juniper Netscreen Devices
BARGLEE
BLATSTING
BUZZDIRECTION
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)

More details can be found in EQGRP-Auction-Files\eqgrp-free-file.tar\Firewall\SCRIPTS

Extra Bacon

[image]

[image]

Eligible Bachelor

[image]

Banana Glee

[image]

Banana Glee is particularly interesting because it references JETPLOW, whose description appears in the NSA Tailored Access Operations (TAO) catalog published in 2014:
https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html

Last words for today

As highlighted during the “backdoor debate”, nation states will continue to try to justify backdoors. If intelligence agencies invest heavily in sabotaging technology products, it means companies with valuable assets need to invest more in incident response.

Given the timeframe (post-DNC hack), this could possibly be orchestrated by the Russian government so that America ends up with Donald Trump as President.

Update (16 Aug 2016): Kaspersky backs the claim that those files belong to the Equation Group:

And for those who thought that being a government agent was fun and like a James Bond movie: not sure what is going on there, but that is definitely a lot of jokes around BANANAs, BOMBSHELLs and BACHELORs.

See also: The inside theory

Invitation

From:  
bitmessage = BM-NBvAHfp5Y6wBykgbirVLndZtEFCYGht8 i2p-bote = o1uHOkOcMoFEa7O7dbEilzfMvWzo7bDu~td3x9gYz4b4t5OriJ7U6GUWr5GZoWxQ9f2TrIY5RzhpIMVP6hTLXZ  
Equation Group Cyber Weapons Auction - Invitation - ------------------------------------------------  
!!! Attention government sponsors of cyber warfare and those who profit from it !!!!  
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.  
Picture Urls - ------------ http://imgur.com/a/sYpyn https://theshadowbrokers.tumblr.com/ https://github.com/theshadowbrokers/EQGRP-AUCTION  
File Urls - ----------  
magnet:?xt=urn:btih:40a5f1514514fb67943f137f7fde0a7b5e991f76&tr=http://diftracker.i2p/announce.php  
https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEs... https://app.box.com/s/amgkpu1d9ttijyeyw2m4lso3egb4sola https://www.dropbox.com/s/g8kvfl4xtj2vr24/EQGRP-Auction-File... https://ln.sync.com/dl/5bd1916d0#eet5ufvg-tjijei4j-vtadjk6b-... https://yadi.sk/d/QY6smCgTtoNz6  
Free Files (Proof) - ------------------ eqgrp-free-file.tar.xz.gpg  
sha256sum = b5961eee7cb3eca209b92436ed7bdd74e025bf615b90c408829156d128c7a169  
gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg  
Password = theequationgroup  
Auction Files - ------------- eqgrp_auction_file.tar.xz.asc  
sha256sum = af1dabd8eceec79409742cc9d9a20b9651058bbb8d2ce60a0edcfa568d91dbea  
Password = ????  
Auction Instructions - -------------------- We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.  
FAQ - --- Q: Why I want auction files, why send bitcoin? A: If you like free files (proof), you send bitcoin. If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin.  
Q: What is in auction files? A: Is secret. Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.  
Q: What if bid and no win, get bitcoins back? A: Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win! But maybe not total loss. Instead to losers we give consolation prize. If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone.  
Q: When does auction end? A: Unknown. When we feel is time to end. Keep bidding until we announce winner.  
Q: Why I trust you? A: No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees. There could be hack, steal, jail, dead, or war tomorrow. You worry more, protect self from other bidders, trolls, and haters.  
Closing Remarks - --------------------------------------------------  
!!! Attention Wealthy Elites !!!  
We have final message for "Wealthy Elites". We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what "Equation Group" can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? "Do you feel in charge?" Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?  
bitmessage = BM-NBvAHfp5Y6wBykgbirVLndZtEFCYGht8 i2p-bote = o1uHOkOcMoFEa7O7dbEilzfMvWzo7bDu~td3x9gYz4b4t5OriJ7U6GUWr5GZoWxQ9f2TrIY5RzhpIMVP6hTLXZ  
END MESSAGE  

Matt Suiche is the founder of Comae Technologies, a UAE-based cyber security start-up.