Last month a hacker group known as The Shadow Brokers released a series of exploits that they said belong to an NSA contractor that has been call the Equation Group.
Whether the Equation Group is real and whether they are a vendor of exploits to the NSA or not is really not terribly relevant in the big picture.
What is relevant is that they released a whole bunch of exploits that are being used – and likely, at least some of them have been used for a while – to silently break into corporate networks. And probably government networks too. The Exploits attack Cisco, Juniper, Fortinet and Topsec (A Chinese company) firewalls, among other network hardware.
The problem here is one that people have been talking about since US Cybercom was created. That problem is that the same group of people who are responsible for hacking people (the NSA) is also responsible for protecting people from hackers and that is a battle that they cannot deal with. When the NSA / Cybercom finds a vulnerability, they have to decide if they are going to tell the manufacturer so that they can fix it, or keep it to themselves to that they can use it until someone else finds it and tells the manufacturer.
The problem with that philosophy is that given the NSA was able to find it, it is likely that the Chinese or Russians were able to find it also. And the Chinese are unlikely to tell Cisco or Fortinet about their bug, so as long as the NSA keeps it secret, our adversaries, if they know about the bug, are using it against American companies as well.
The President issued a directive explaining the rules of engagement surrounding this issue, but the rules say that the NSA can keep it secret and not tell the manufacturer if they think the bug has intelligence value to them.
So here we have a group of anti-hackers (The Shadow Brokers) that released a whole trove of bugs converted to attacks, which is good for users because now the bugs will eventually be fixed, but in the mean time, until they get fixed, the hackers can use them to attack you and me.
The advisory goes into some detail on the attacks that were disclosed, including ones against the Cisco ASA firewalls, a very popular corporate firewall.
The alert makes a couple of very useful suggestions:
- Segregate your network. What this means is that you want to isolate your network into separate domains so that an attacker doesn’t have the run of the house once they break thru the front door. It provides suggestions on how to do that.
- Limit “lateral” communications. What this means is that you want to limit peer to peer computers from talking to each other unless there is a business reason to do that.
- Harden network devices. This means, on firewalls and such, encrypt all traffic, use robust passwords, restrict physical access and other suggestions described in the alert.
- Secure access to firewalls and switches.
- Perform out of band management. This would stop an attacker from being able to get to certain resources.
- Validate the integrity of the hardware and software.
The alert goes into a lot more detail, but given that we have strong reason to believe that the NSA and probably other intelligence agencies have been using these attacks in the wild and NOW, these attacks are know to every hacker on the planet, it is critical that companies protect themselves.
The CERT advisory can be found here.
A Wired article on the issue can be found here.