Implant leaked by Shadow Brokers targets Juniper’s NetScreen firewalls

Juniper Networks has become the latest company to acknowledge that one of the implants leaked by the Shadow Brokers targets some of their products.

Cisco and Fortinet did the same a few days earlier.

NetScreen firewalls

“Juniper Networks is investigating the recent release of files reported to have been taken from the so-called Equation Group,” Juniper employee Derrick Scholl explained in a post.

“As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices. We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

As a reminder: last December Juniper found and patched a critical vulnerability affecting ScreenOS on its NetScreen devices, which allowed unauthorized remote administrative access to the device over SSH or telnet and could have allowed a knowledgeable attacker to decrypt encrypted VPN traffic.

At the time, speculation was that the vulnerability arising from unauthorized code in ScreenOS created two backdoors, deliberately inserted by a state-sponsored intruder (or more of them). It was thought that at least one was the work of the NSA, as the NSA documents leaked by Edward Snowden showed that the NSA had the ability to backdoor Juniper’s network equipment.

The exploits and implants leaked by the Shadow Brokers are almost certainly the work of the NSA, i.e. their (formal or informal) hacking “arm” the Equation Group.

It is still unknown who the Shadow Brokers are. Snowden believes they might be state-sponsored Russian hackers, and the leak a way to urge the US government not to be hasty in denouncing Russia as the source of the DNC hack.

According to Shlomo Argamon, professor and director of the Master of Data Science Program at the Illinois Institute of Technology, the text that accompanied the leaked data points to the “Shadow Broker” most likely being a native English speaker trying to appear non-native.

“In the (quite unlikely) event that the writer is, in fact, not a native English speaker, their native tongue is much more likely to be a Slavic language (e.g., Russian or Polish) than either a Germanic or Romance language,” he added.

This opinion seems to prop a theory by former NSA staffers, who said that the “naming convention of the file directories, as well as some of the scripts in the dump” point to the attacker being an insider.

Don't miss