Equation Group exploit hits newer Cisco ASA, Juniper Netscreen

Hungary-based security consultancy SilentSignal has ported a public exploit to newer models of Cisco's Adaptive Security Appliance (ASA).

The firm expanded the attack range of the ExtraBacon Cisco hack hole revealed as part of the Shadow Brokers cache of National Security Agency-linked exploits and tools.

The exploit was restricted to versions 8.4.(4) and earlier of ASA boxes and has now been expanded to 9.2.(4).

We successfully ported EXTRABACON to ASA 9.2(4) #ShadowBrokers #Cisco pic.twitter.com/UPG6yq9Km2

— SilentSignal (@SilentSignalHU) August 23, 2016

Cisco and Fortinet have confirmed their kit is affected by exploits listed in data cache which included some 300 files circulated online and confirmed stolen from the Equation Group, an entity considered the offensive Tailored Access Operations wing of the NSA.

Meanwhile, networking company Juniper has confirmed an Equation Group exploit affects its NetScreen firewalls and says it is investigating the extent of the damage.

"As part of our analysis of these (Equation Group) files, we identified an attack against NetScreen devices running ScreenOS," Juniper incident response director Derrick Scholl says.

"We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.

"We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible."

NSA tooling codenamed FEEDTROUGH and ZESTYLEAK are known to target Juniper Netscreen firewalls, although the company did not find evidence of compromise in earlier investigations.

It is an opportunity for Juniper to better study NSA tools and implants than it was previously able as part of NSA document leaks by whistleblower Edward Snowden. ®