Juniper Acknowledges Equation Group Targeted ScreenOS

Juniper Networks on Friday acknowledged that implants contained in the ShadowBrokers data dump target NetScreen firewalls running ScreenOS.

Juniper Networks on Friday acknowledged that exploits and implants contained in the ShadowBrokers data dump do indeed target its products.

“As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS,” said Derrick Scholl, director of security incident response at Juniper. “We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.”

“We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible,” Juniper’s Scholl said.

Exploits for vulnerabilities in Cisco and Fortinet products were also exposed in the data dump by the still-unidentified members of the ShadowBrokers, who last week kicked off an auction of exploits belonging to the so-called Equation Group, largely believed to be affiliated with the National Security Agency.

The Equation Group is considered to be at the top of the APT food chain. A number of researchers, including those at Kaspersky Lab who uncovered the cyberespionage group and reported on it in 2015, confirmed strong connections between the exploits and previous attack tools alleged to belong to the group.

Juniper is the last among the three giant networking vendors targeted by the Equation Group to acknowledge the legitimacy of the files. Cisco, last week, said that one of the attacks targets a zero-day vulnerability in its ASA firewall that has yet to be patched. Another, in the ASA command-line interface parser, was patched in 2011; that bug could crash appliances running the software or allow for code execution if an attacker was already on the machine, Cisco said.

The Cisco zero-day, meanwhile, is in ASA’s SNMP implementation and could allow an unauthenticated remote attacker to execute code on the box. Cisco said it has released an IPS signature, Legacy Cisco IPS Signature ID: 7655-0, and a Snort rule, ID: 3:39885.

“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” Cisco said in its advisory. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

Late last week, researcher Mustafa Al-Bassam tackled another Equation Group exploit in the dump called BENIGNCERTAIN. This one targets Cisco PIX firewalls that are no longer supported by the company. The attack, Al-Bassam said, allows attackers to remotely sniff and steal private RSA encryption keys.

“Analysis of the tool shows that it appears to be a remote exploit for Cisco PIX devices that sends an Internet Key Exchange (IKE) packet to the victim machine, causing it to dump some of its memory,” Al-Bassam wrote in his report. “The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information.”

Cisco, on Friday, responded to this attack as well, saying that its investigation into BENIGNCERTAIN has not turned up any new vulnerabilities in current products.

“Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected,” Cisco’s Omar Santos wrote in an updated ShadowBrokers advisory. “PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN. The Cisco ASA is not vulnerable.”

As for Juniper’s acknowledgement, this isn’t the first time its enterprise gear has been targeted by the NSA. Its products were singled out in NSA documents taken by whistleblower Edward Snowden and published by Der Spiegel in 2013. Late last year, the company said it found and removed “unauthorized code” from its ScreenOS operating system that allowed attackers to decrypt VPN traffic from NetScreen devices.

In the 2013 Der Spiegel article written by Jacob Appelbaum, Judit Horchert and Christian Stocker, the authors described the NSA’s FEEDTHROUGH implant that provided backdoor access to NetScreen firewalls and VPNs running ScreenOS. Two vulnerabilities were found and patched last December by Juniper, one being the VPN decryption backdoor, and another that allowed remote access to NetScreen devices over SSH or telnet.
