3rd Party Risk Management , Information Sharing , Network Firewalls, Network Access Control
Equation Group Stings Firewall Vendors with Zero-Day FlawsHas the US Long Known About the Vulnerabilities?
Cisco is preparing a patch for a zero-day vulnerability in its firewalls revealed by an unprecedented dump of data from a group allegedly linked to the U.S. National Security Agency. The vulnerability reveals that at least some of the aging attack code in the dump remains potent. That finding may also stoke longstanding concerns that the U.S. government isn't disclosing critical vulnerabilities soon enough to vendors, which could be used by competing spy agencies.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
Cisco wasn't the only vendor affected by the data dump, released by a mysterious group calling itself the Shadow Brokers. The files show Fortinet, Juniper, WatchGuard and Chinese firewall vendor TopSec were also targeted with attack code designed to compromise firewalls - a crucial piece of networking equipment (see Mystery Surrounds Breach of NSA-Like Spying Toolset).
Fortinet has already issued a patch for a vulnerability revealed via the data dump.
The leaked files are strongly believed to have originated with the Equation Group, an advanced cyber-espionage group first outed by Kaspersky Lab. Many security experts theorize that the Shadow Brokers might be affiliated with Russia - already at odds with the U.S. over cyberattacks against the Democratic Party - or might be someone who worked inside the NSA's Tailored Access Operations group (see Confirmed: Leaked Equation Group Hacking Tools Are Real).
"We're getting to a whole new level of breaches and leaks," says Jerome Segura, lead malware intelligence analyst with Malwarebytes. "First private corporations, now governments and agencies. It seems nothing can stay protected anymore."
Vulnerability Information Sharing Deficit?
The NSA has never confirmed if it is the Equation Group. But if experts have pegged the connection correctly, it begs questions over how committed the U.S. government is to sharing vulnerability information with private vendors.
There has been fierce debate over when U.S. intelligence agencies should share information on vulnerabilities they discover with affected vendors. The software flaws can be used for intelligence operations, but the longer the flaws go unpatched, the greater the chance another party may discover it, including competing cyber spies.
The U.S. government put in place a framework called the Vulnerabilities Equities Process in 2010 for notifying vendors of software flaws it found. But intelligence agencies are allowed to keep the information secret for compelling national security reasons. The VEP has been criticized by organizations, including the Electronic Frontier Foundation, as being opaque.
The Cisco zero-day vulnerability would appear to have been closely held. "I imagine that there are different types of exploits, and the extremely valuable ones may be kept secret because of existing operations or great leverage for cyber warfare," Segura says.
It's a significant vulnerability, too, allowing an attacker to gain full control of the firewall, according to an Aug. 17 Cisco advisory. Secret NSA documents leaked in 2013 showed the agency has long specialized in penetrating firewalls, as they're a pivotal network point, providing visibility into all network traffic flows.
The most recent files in the Equation Group leak come from 2013. If the Equation Group is the NSA, the agency has long known of the flaw. If the Shadow Brokers is affiliated with Russia, meanwhile, that's also a concern, because it means the Russians have also long known of the flaw and perhaps used it offensively.
"It sure is strange when your company doesn't just have to worry about attacks from foreign intelligence agencies, but from your own as well," says Mikko Hypponen, chief research officer for Finnish security firm F-Secure, via Twitter.
A U.S. company blogs about attacks against their products, done by U.S intelligence agency. https://t.co/YiqSauozTC pic.twitter.com/7FnEk1oDpF— Mikko Hypponen (@mikko) August 18, 2016
More Grief for Cisco, Customers
Cisco was outspoken following documents leaked in 2013 via former NSA contractor Edward Snowden, which revealed the agency's "interdiction" operations, which involved secretly intercepting Cisco equipment en route to customers and adding spying code. Then-CEO John Chambers argued in a letter to President Barack Obama at the time that spy agency interference was undermining confidence in American products.
In response to the new Equation Group findings, Cisco says in a statement: "We are deeply concerned with anything that may impact the integrity of our products or our customers' networks, and we continue to seek additional information. With the security of our customers in mind, we will continue to address facts as they become clear through available channels."
Cisco also issued another advisory for a separate vulnerability that the Equation Group exploited. The vulnerability, which affects Cisco's ASA and the Pix line of firewalls, was patched in 2011, but Cisco says it chose to issue a more prominent advisory now, in light of the findings, to emphasize the importance of installing the patch for any holdouts.
Risks to Other Vendors
For customers of Fortinet, firmware that runs some Fortigate firewalls - released before August 2012 - contains a buffer overflow vulnerability that can be exploited, the company warns. That vulnerability has now been patched, Fortinet says in an Aug. 17 advisory.
"We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products," the company says in a statement.
Juniper says it is reviewing the Equation Group dump and will notify customers if a vulnerability is found.
A spokesman for WatchGuard said its currently supported appliances are not affected by an exploit in the dump. The vulnerability for that exploit targeted RapidStream-branded appliances, he says. WatchGuard acquired RapidStream in 2002, and the vulnerability didn't carry over to WatchGuard appliances.