A group of hackers that has been trying to sell exploits and malware allegedly used by the U.S. National Security Agency decided to make the data available for free over the weekend.
The security community was expecting the password-encrypted archive that the Shadow Brokers group unlocked Saturday to contain previously unknown and unpatched exploits — known in the industry as zero-days. That was not the case.
As researchers started to analyze the exploits inside, it became clear that while some of them were technically interesting, the large majority were for old and publicly known vulnerabilities. Some appeared to have actually been sourced from public information and affect software versions that are several years old.
“The exploits that I have tested so far are obsolete,” said Maksym Zaitsev, a researcher who has been analyzing the data in the archive. No significant exploits have been found or confirmed, he said.
Zaitsev works for a French security consultancy and penetration testing firm but did the analysis in his spare time.
Julien Voisin, a reverse engineer who has been cataloging the exploits and tools in the Shadow Brokers archive together with a researcher known online as x0rz, confirmed Zaitsev’s findings.
“Everything should [already] be patched,” Voisin said via email. some of the exploits are interesting from a historical point of view, but no one is likely to be hacked because of them now, Voisin added.
However, while the leak poses no immediate danger to users, it’s probably an operational security nightmare for the NSA’s Tailored Access Operations (TAO) division, which is believed to be behind the cyberespionage group known in the security industry as the Equation.
That’s because the Shadow Brokers archive doesn’t contain only exploits, but also malware implants and other tools that the Equation has developed for various Unix-based systems. Cryptographic keys, logs from hacked servers, and information identifying compromised targets were also found inside.
Researchers extracted a list of IP addresses from the Shadow Brokers archive that correspond to servers compromised by the Equation group. The owners of those IP addresses include many universities, national research centers, and other educational institutions from around the world.
Other information in the archive suggests that the Equation installed implants on mail and other servers belonging to governments, telecommunications providers, networking equipment manufacturers, and other private organizations.
For example, a piece of data suggests that, at some point, the Equation had an implant codenamed STOICSURGEON installed on a mail server used by the Russian government.
The exploits in the archive target Unix-based operating systems like SunOS and Solaris, several distributions of Linux, email and web server software, databases, web applications, and various other software packages commonly found on servers.
The leaked data and tools show that the NSA is targeting telecommunications infrastructure and core GSM networks, x0rz said via Twitter. There are scripts to manipulate GSM data like Call Detail Records (CDRs) and billing information, exploits targeting old versions of Solaris — a common OS in core networks — and target notes about big GSM operators, he said.
The NSA has known for awhile that these files have been leaked and has had enough time to clean up its tracks. However, the information in the Shadow Brokers archive can still be damaging to its present and future operations, because the agency’s targets will now know they’ve been compromised and will launch security reviews and will strengthen their systems.
It’s worth keeping in mind that while none of the exploits in the archive has zero-day status now, some of them likely targeted unpatched vulnerabilities years ago when the NSA was using them.
At that time, the NSA TAO team had a tremendous infiltration capability, Zaitsev said. “We should not underestimate them.”
The Shadow Brokers leaked a first batch of Equation group exploits in August. Some of those exploits turned out to be legitimate and affected hardware firewalls from multiple vendors.
That initial leak was intended to convince people to bid in an auction for the full archive that the group claimed to have. The group failed to attract any significant offers — it wanted 10,000 bitcoins worth around US$12 million — so later it released more information including lists of IP addresses targeted by the Equation and a directory listing showing exploit codenames.
Eventually, the Shadow Brokers called it quits in January and shut down their online accounts, which is why the group’s return on Saturday and its decision to provide the password to the encrypted archive was surprising.
The group’s return was accompanied by an open letter to U.S. President Donald Trump written in apparently broken English, a technique that some experts believe is intentional to hide the fact that the group’s members are native English speakers.