Cisco reveals new vulnerability used by hackers to conduct first real-world cyberattack from leaked NSA cyber tools

Hackers have allegedly targeted some Cisco customers using a new vulnerability from leaked NSA cyber tools, which were released in August by a mysterious hacker group called Shadow Brokers. The new vulnerability used by hackers is the third known vulnerability to come out of the leaked cyber arsenal of the NSA's elite hacking team, Equation Group.

The breach, which according to Cisco impacts firewalls, routers and switches made by the firm, is reportedly the first real-world cyberattack to be conducted by cybercriminals leveraging the leaked NSA hacking tools. It is still unclear as to which organisations and/or individuals were hacked and/or spied upon in these latest attacks, as Cisco refrained from revealing the identities of those affected, citing a company policy on non-disclosure of client information.

"Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platform," the firm said in a security advisory. The vulnerability was found in the IKEv1 (Internet Key Exchange version 1) packet processing code and affects various Cisco products running the internal IOS software, including "Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software". Hackers can use this vulnerability to drain "memory contents", which in turn can lead to disclosure of critical and confidential information.

"The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests," the firm said.

Cisco is yet to issue a software update adding that there are currently 'no workarounds that address this vulnerability'.

Cisco previously uncovered two other vulnerabilities found in the Shadow Brokers' dump, soon after the exploits were first made public and confirmed to have come from the Equation Group. Both vulnerabilities were remote code execute flaws and affected the firm's devices generally used to protect data centres and networks. The exploits allowed hackers to conduct attacks from any location across the globe.

The latest vulnerability targeting all Cisco IOS and PIX is called "BENIGNCERTAIN" and consists of three binaries, each of which is a separate step in the exploit process, which can be leveraged by attackers to acquire VPN configuration and RSA private key data.

Cisco told Threatpost: "Cisco remains committed to transparency and helping our customers protect their networks. If a new vulnerability is found, we disclose it in line with our well-established processes, and that is what we did here."