Lessons to be learned from the NSA leak by the Shadow Brokers.
A group of hackers calling themselves the Shadow Brokers recently claimed to have stolen data from the Equation Group (potentially attributed to the NSA) and released a small portion of the hacking tools to the public.
The proof files they released consisted of the NSA's implant framework for firewalls and exploits targeting network infrastructure products from Cisco, Fortinet and other commonly used vendors.
The big picture from this leak is alarming and underlines the importance of securing network infrastructure. The main concern is that attacks on network infrastructure affect a significant portion of the Internet and have an enormous impact on security, privacy and service availability.
Advanced attacks at the infrastructure level target the key checkpoints of an organization's network defense: its firewalls, routers, DNS servers and naming systems. In many cases, networking devices are rarely updated or replaced; most networks still run the same routers and switches they installed a decade ago.
Exploitation at the infrastructure level can range from abusing the operation of protocols, to exploiting software and firmware bugs, to malware tailored to different platforms, brands, operating systems and device versions.
Cisco and Fortinet have confirmed that the sample exploit files (around 300) released by the Shadow Brokers affect their products, indicating the authenticity of the leak. Juniper has also confirmed that the exploits affect its NetScreen firewalls and is evaluating the extent of the problem. Cisco and Fortinet have issued security updates for their products after exploits against them were found in the leak.
Key security risks from infrastructure-level attacks are:
- Service disruption
- Unauthorized access and escalation of privileges
- Data disclosure and modification: packet sniffing, man-in-the-middle (MITM) attacks
The points above are an oversimplification. For example, packet modification and MITM attacks from within an IT infrastructure can be used to plant malware on the end users of that infrastructure. Other possibilities include abusing the network for peer-to-peer and instant messaging traffic, access to illegal content and spamming, to mention a few examples.
These findings and confirmations from vendors bring to light an important question: whether organizations can trust their firewalls and security devices.
A detailed study from Kaspersky Lab's Global Research and Analysis Team (GReAT) has exposed the level of sophistication and complexity of the techniques used by the Equation Group's tools. These tools were complicated and expensive to develop. The way they infect victims, retrieve data and hide activity is outstandingly professional.
Classic techniques like intercepting physical goods in transit and replacing them with backdoored versions are simple and scary. Imagine your company or government organization ordering a hard drive or a memory module whose stealthy firmware implants a backdoor and remains persistent forever.
The scope is very broad and alarming. These kinds of techniques can go beyond the infrastructure and can even jump air gaps. The Stuxnet and Flame stories can be linked to this context to get an overview of the countless possibilities for corporate and organizational cyber espionage and cyber warfare.
This article has not covered the possibilities at the protocol level in much detail. Attacks on routing protocols, DNS, etc. are another broad area. A poorly designed network infrastructure is exposed to attacks such as DNS cache poisoning, zone transfer attacks, IP spoofing and routing attacks, ICMP abuse, DHCP man-in-the-middle, DNS redirection, etc. All of these, combined with malware implantation, can wreak havoc on enterprise security while remaining stealthy for an extended period.
To be concise, attacks at the infrastructure level provide a robust and stealthy launchpad for compromising the safety of an entire network. They give the attacker the flexibility to compromise any computer in the network, escalate privileges and conduct data espionage. They can open up private channels that go under the radar of monitoring software, since the attack can easily turn the security software itself into a slave.
A few guidelines
- Patch network devices on a regular basis, and replace devices that are past their support period.
- Deploy a secure network monitoring solution that can detect anomalies.
- Ensure the security of the purchase and transportation of critical devices.
- Restrict access to device management to the minimum required.
- Manage passwords regularly.
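The guidelines above are easier to enforce when they are checked mechanically against the device inventory and running configurations. The following Python script is an added example, not part of the original article: it applies the first, fourth and fifth guidelines (support status, management-plane restriction, password age) to a constructed inventory and constructed Cisco IOS-style configuration fragments. The hostnames, dates, community strings and the 90-day and 180-day thresholds are assumptions made up for the example; the configuration commands themselves (line vty, access-class, transport input, snmp-server community, ip http server, service password-encryption) are standard IOS syntax.

```python
"""Device hygiene audit: added example, not from the original article.
Inventory, dates and configuration fragments below are constructed; the
configuration syntax is generic Cisco IOS and the hostnames are made up."""
from datetime import date
import re

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
MAX_PASSWORD_AGE_DAYS = 90      # assumed policy value
REPLACEMENT_WARNING_DAYS = 180  # assumed planning horizon

def parse_vty_blocks(config_text):
    """Return each 'line vty' block as a list of its indented child commands."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def check_config(config_text):
    """Management-plane exposures visible in a single device configuration."""
    findings = []
    for block in parse_vty_blocks(config_text):
        if not any(cmd.startswith("access-class") for cmd in block):
            findings.append("vty lines accept logins from any source (no access-class)")
        if any(cmd.startswith("transport input") and ("telnet" in cmd or cmd.endswith(" all"))
               for cmd in block):
            findings.append("vty lines allow cleartext telnet management")
    for m in re.finditer(r"^snmp-server community (\S+)", config_text, re.MULTILINE):
        if m.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}' in use")
    if re.search(r"^ip http server$", config_text, re.MULTILINE):
        findings.append("unencrypted HTTP management interface enabled")
    if not re.search(r"^service password-encryption$", config_text, re.MULTILINE):
        findings.append("local passwords stored in cleartext (no service password-encryption)")
    return findings

def check_lifecycle(device, today):
    """Support status and management password age from the inventory record."""
    findings = []
    eos = device["end_of_support"]
    if eos <= today:
        findings.append(f"out of vendor support since {eos.isoformat()}; replace")
    elif (eos - today).days <= REPLACEMENT_WARNING_DAYS:
        findings.append(f"vendor support ends {eos.isoformat()}; plan replacement")
    age = (today - device["last_password_change"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"management password last changed {age} days ago")
    return findings

def audit(inventory, configs, today):
    """Map hostname -> list of findings; an empty list means the device passed."""
    report = {}
    for device in inventory:
        host = device["hostname"]
        findings = check_lifecycle(device, today)
        if host in configs:
            findings += check_config(configs[host])
        report[host] = findings
    return report

# Constructed sample data (not real devices or configurations).
AUDIT_DATE = date(2016, 8, 20)
INVENTORY = [
    {"hostname": "edge-fw-01", "end_of_support": date(2016, 3, 31), "last_password_change": date(2015, 1, 10)},
    {"hostname": "core-sw-01", "end_of_support": date(2020, 12, 31), "last_password_change": date(2016, 7, 1)},
]
CONFIGS = {
    "edge-fw-01": """\
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
""",
    "core-sw-01": """\
service password-encryption
snmp-server community Zq7hardToGuess RO
ip http secure-server
line vty 0 4
 access-class MGMT in
 transport input ssh
""",
}

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, CONFIGS, AUDIT_DATE).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run as a script, the constructed edge-fw-01 record produces seven findings (out of support, stale password, open vty access, telnet enabled, default SNMP community, plain HTTP management, cleartext local passwords) while core-sw-01 passes. In practice the inventory would come from an asset database and the configurations from a backup repository, and the checks would be extended with vendor-specific rules.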