Can NSA steal Cisco VPN private keys?

An analysis of the BENIGNCERTAIN exploit, which was among the material leaked by the Shadow Brokers, reveals that the Equation Group, a group linked to the NSA, had the ability to compromise Cisco PIX firewalls and obtain RSA private keys from VPNs, as well as other sensitive details.

Over the weekend, the Shadow Brokers published online several tools stolen from a server used by the Equation Group.

The hackers are offering this data to bidders in a Bitcoin auction.

Among these exploits are EPICBANANA, JETPLOW and EXTRABACON, targeting Cisco ASA devices. Other exploits like ESCALATEPLOWMAN are targeting WatchGuard firewalls, while EGREGIOUSBLUNDER targets Fortinet devices.

Mustafa Al-Bassam, also known as tFlow, a co-founder of the hacking group LulzSec and now a legitimate white-hat researcher, has reportedly been examining the BENIGNCERTAIN exploit.

He found that BENIGNCERTAIN targets Cisco PIX hardware versions 5.2(9) up to 6.3(4), and uses a three-part exploitation chain that examines the memory of the device using Internet Key Exchange (IKE) packets.
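For administrators who want to check their own devices against the version range reported above, here is an added example (not part of the original article or of Al-Bassam's analysis) that triages an inventory of PIX version strings. The hostnames, the sample inventory and the accepted version-string format are assumptions made for illustration.

```python
import re

# Affected range as stated in this article: PIX 5.2(9) up to 6.3(4).
AFFECTED_MIN = (5, 2, 9)
AFFECTED_MAX = (6, 3, 4)

# Matches strings such as "6.3(4)" or "Version 6.3(4)"; anything after the
# closing parenthesis (an interim build number, for instance) is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\s*\((\d+)\)")


def parse_pix_version(text):
    """Return (major, minor, maintenance) or None if no version is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def in_reported_range(text):
    """True/False for a parsed version, None when the string is unparseable."""
    v = parse_pix_version(text)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory):
    """Split {hostname: version string} into affected / not affected / unknown."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        verdict = in_reported_range(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_affected")
        result[key].append(host)
    return result


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fw-branch-01": "Cisco PIX Firewall Version 6.3(4)",
    "fw-branch-02": "6.3(5)",
    "fw-lab-01": "5.2 (9)",
    "fw-lab-02": "5.2(8)",
    "fw-dc-01": "7.0(1)",
    "fw-old-01": "version string missing",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Here "not_affected" only means the version falls outside the range this article reports, and any "unknown" entry needs a manual check.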

Can the NSA steal the keys?

"The memory dump can then be parsed to extract a private RSA key and other sensitive configuration information," Al-Bassam said in his analysis.

Below is how the memory dump looks.

    RSA private key structure at offset 0x%04x, size 0x%x bytes:
    *** Found probable RSA private key ***
    RSA public key structure at offset 0x%04x, size 0x%x bytes:
    *** Found probable RSA public key ***
    RSA key structure at offset 0x%04x, size 0x%x bytes:
    RSA keys were generated at %s
    VPN group structure at offset 0x%04x, size 0x%x bytes
    Split-tunnel ACL: 0x%08x %s
    Idle-time: 0x%08x [%d seconds]
    Max time: 0x%08x [%d %s]
    PFS: 0x%08x %s
    Clear-client-cfg: 0x%08x %s
    User-idle-timeout: 0x%08x [%d seconds]
    Authen. server: 0x%08x %s
    Secure-unit-auth: 0x%08x %s
    User authen.: 0x%08x %s
    Device pass-thru: 0x%08x %s

Written by Dimitris