Juniper Networks is investigating the recent release of files reported to have been taken from the so-called Equation Group. For reference, we addressed the existence of these kinds of tools in JSA10605.
However, this is the first time possible examples of those tools have been available for inspection. As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices. We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.
When more detailed information is known about this issue, it will be shared either in this blog or via a Juniper Security Advisory available at http://advisory.juniper.net.
Update Aug. 25, 2016
Juniper Networks can confirm that the code recently released by The Shadow Brokers specifically targets ScreenOS and does not include any remote exploits. To execute the attack, malicious code from the files must be loaded onto a device running ScreenOS, either through administrative privileges or physical access to the device. Because there is no vulnerability being exploited, no patches are needed.
We continue to analyze the intricacies of the attack and believe we will soon be able to provide customers with a method for determining if the malicious code has been installed on a device.
If more information becomes available about this or other attacks, it will be shared either in this blog or via a Juniper Security Advisory available at http://advisory.juniper.net.
Update Oct. 3, 2016
Juniper Networks is continuing our analysis of the package released by The Shadow Brokers.
Based on our investigation to date, the information that has been released only contains components to attack ScreenOS 5.0.0r0 through 6.3.0r13. Our investigation indicates that no other versions or Juniper products are susceptible to the attacks contained in the package.
We’ve also determined that there are two key parts of the attack: an initial implant loaded in memory, which is lost when the device is rebooted, and a persistent implant that remains through a reboot. In order to load the initial implant, the attacker must be logged into ScreenOS with administrative credentials and use a pair of debugging commands that are only available to the administrator.
To address this issue, Juniper has released an updated version of ScreenOS, version 6.3.0r23, that disables the two debugging commands used to load the initial implant. Once installed, this release blocks future attempts to load the initial implant; it does not remove a persistent implant that may already have been loaded into the device, so a device that ran an affected release before being upgraded should still be examined once a detection method is available.
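Added example, not Juniper's code: a small triage script that sorts a ScreenOS fleet against the version range and the caveat stated above. It parses the version out of a bare string or a "Software Version:" line (the line format is assumed to resemble what "get system" prints; check it against your own devices), flags devices inside 5.0.0r0 through 6.3.0r13 as affected, and separately flags devices that have already moved past the range but previously ran an affected release, since a persistent implant loaded then would have survived the upgrade. The inventory is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, release)

# Range named in the Oct. 3 update: ScreenOS 5.0.0r0 through 6.3.0r13, inclusive.
AFFECTED_MIN: Version = (5, 0, 0, 0)
AFFECTED_MAX: Version = (6, 3, 0, 13)
# Release the update names as disabling the two debugging commands.
HARDENED_RELEASE = "6.3.0r23"

# ScreenOS version strings look like 6.3.0r13, optionally followed by a build
# digit (6.3.0r13.0) when printed by 'get system'. The surrounding line format
# used in the sample data below is an assumption; verify it on your own devices.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)r(\d+)")


def parse_screenos_version(text: str) -> Optional[Version]:
    """Return (major, minor, maint, release) from a bare version string or a full
    'Software Version: ...' line; None when no ScreenOS version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, maint, release = (int(g) for g in m.groups())
    return (major, minor, maint, release)


def in_affected_range(v: Version) -> bool:
    """Tuple comparison orders 6.3.0r9 before 6.3.0r13; a string compare would not."""
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(current: str, previous: Optional[str] = None) -> str:
    """Classify one device from its current version string and, if known, the
    version it ran before its last upgrade.

    affected               -> an admin with the debugging commands can load the implant
    upgraded-from-affected -> now outside the range, but a persistent implant loaded
                              earlier would have survived the upgrade; examine the device
    not-affected           -> outside the stated range with no known affected history
    unknown                -> version could not be parsed
    """
    cur = parse_screenos_version(current)
    if cur is None:
        return "unknown"
    if in_affected_range(cur):
        return "affected"
    prev = parse_screenos_version(previous) if previous else None
    if prev is not None and in_affected_range(prev):
        return "upgraded-from-affected"
    return "not-affected"


# Constructed sample inventory (not real devices); 'current' mimics one line of
# 'get system' output and 'previous' is the release the device ran before upgrade.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "fw-edge-1", "current": "Software Version: 6.3.0r12.0, Type: Firewall+VPN"},
    {"host": "fw-edge-2", "current": "Software Version: 6.3.0r23.0, Type: Firewall+VPN",
     "previous": "6.3.0r13"},
    {"host": "fw-lab-1", "current": "Software Version: 5.4.0r9.0, Type: Firewall+VPN"},
    {"host": "fw-dmz-1", "current": "Software Version: 6.3.0r23.0, Type: Firewall+VPN"},
    {"host": "fw-old-1", "current": "Software Version: 4.0.0r1.0, Type: Firewall+VPN"},
    {"host": "fw-down-1", "current": "connection timed out"},
]


def report(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) pairs, worst status first, so the devices that need
    the 6.3.0r23 upgrade sit at the top of the list."""
    order = {"affected": 0, "upgraded-from-affected": 1, "unknown": 2, "not-affected": 3}
    rows = [(d["host"], triage(d["current"], d.get("previous"))) for d in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY):
        note = f" (upgrade to {HARDENED_RELEASE} or later)" if status == "affected" else ""
        print(f"{host:12} {status}{note}")
```

The "upgraded-from-affected" bucket exists because the updated release only blocks new loads of the initial implant; it is the list of devices to revisit when a method for detecting an installed persistent implant becomes available. Devices whose version cannot be parsed are kept in the output rather than dropped, since an unreachable firewall is exactly the one that tends to be forgotten.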
Our analysis continues and new information will again be shared in this blog when available.