The Washington Times - Thursday, August 18, 2016

Cisco Systems warned its customers Wednesday after the networking equipment company learned of malware — purportedly stockpiled by the National Security Agency — affecting commercially sold security hardware including firewalls and routers.

The tech titan issued the security advisory after a cache of source code was posted online this week by individuals claiming to have acquired it from Equation Group, an elite team of hackers widely believed to be an arm of the NSA. The files were circulated Monday by an entity known only as “Shadow Broker,” and several individuals previously involved with the government agency have since verified their authenticity.

Included in those files, said Cisco, is malware designed to exploit a previously unknown security flaw affecting every supported version of its Adaptive Security Appliance (ASA) firewall used by businesses and corporations.

“This exploit could allow the attacker to execute arbitrary code and obtain full control of the system,” said Omar Santos, a principal engineer for Cisco’s Product Security Incident Response Team.

Cisco has ranked the vulnerability “high” in terms of severity, and has directed affected customers to instructions for a workaround. The company has not yet released an update that fully addresses the flaw.

“It’s still a critical vulnerability even though it requires access to the internal or management network, as once exploited it gives the attacker the opportunity to monitor all network traffic,” security researcher Mustafa Al-Bassam told Ars Technica upon reviewing the leaked source code. “I wouldn’t imagine it would be difficult for the NSA to get access to a device in a large company’s internal network, especially if it was a datacenter.”

A second file included in the cache — the blueprints for an exploit code-named “EPICBANANA” — targets a separate Cisco vulnerability that the company patched in 2011. Another, “EGREGIOUSBLUNDER,” targets a flaw that affects certain firewalls sold by competitor Fortinet — specifically its machines running firmware from 2012 or earlier. In a statement to Fortune, a spokesperson for the corporation said customers should “update their systems with the highest priority.”

The companies’ warnings this week came as former members of the NSA and its official hacking division, the Tailored Access Operations (TAO) unit, addressed skepticism surrounding the authenticity of the Equation Group files.

“Without a doubt, they’re the keys to the kingdom,” a former TAO employee told The Washington Post this week on condition of anonymity.

In a 2015 report, Kaspersky Lab said its security researchers had uncovered “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.”

Kaspersky named Equation Group as the hackers, and subsequent investigations found similarities between that team’s operations and those of the NSA.

“This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation Group,” Kaspersky said Tuesday.

• Andrew Blake can be reached at ablake@washingtontimes.com.

Copyright © 2024 The Washington Times, LLC.
