The Equation Group’s exploit ExtraBacon works on newer Cisco ASA

Security experts have improved the ExtraBacon exploit included in the NSA Equation Group arsenal to hack newer version of CISCO ASA appliance.

The data dump leaked online by ShadowBrokers is a treasure for security experts and hackers that are analyzing every tool it contains.

Cisco and Fortinet have confirmed their network appliance are vulnerable to the exploits listed in the leaked dump.

Recently security researchers tested the BENIGNCERTAIN tool included in the precious archive belonging to the NSA Equation Group that allows attackers to extract VPN passwords from certain Cisco devices.

Now the Hungary-based security consultancy SilentSignal has focused his analysis on another exploit that could be used against the newer models of Cisco’s Adaptive Security Appliance (ASA).

The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought.

Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes and has now been expanded to 9.2.(4).

An attacker who has already gained a foothold in a targeted network could use the zero-day exploit to take full control of a firewall.

In an e-mail sent to ArsTechnica, SilentSignal researcher Balint Varga-Perke wrote:

“We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions. Turns out it is very easy, that implies two things:

The leaked code is not as poor quality as some might suggest
The lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy”

Experts from the IT vendor Juniper also confirmed that one of the exploits in the Equation Group archive could be used to hack the Juniper NetScreen firewalls, they also confirmed that are conduction further investigation on the exploit.

The tool codenamed FEEDTROUGH and ZESTYLEAK could be used by attackers to target Juniper Netscreen firewalls, the company is investigating their efficiency.

“As part of our analysis of these (Equation Group) files, we identified an attack against NetScreen devices running ScreenOS,” explained the company incident response director Derrick Scholl.

“We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.”

“We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CISCO ASA, ExtraBacon exploit)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.