Last week, an unknown group calling itself "Shadow Brokers" published an archive containing tools that exploit vulnerabilities in various network devices.
Most of them are remote code execution exploits.
The following vendors have communicated about this incident:
- Cisco - http://blogs.cisco.com/security/shadow-brokers
- Fortinet - http://fortiguard.com/advisory/FG-IR-16-023
- Huawei - http://www.huawei.com/en/psirt/security-notices/huawei-sn-20160823-01-shadowbrokers-en
- Juniper - http://forums.juniper.net/t5/Security-Incident-Response/Shadow-Brokers-Release-of-Hacking-Code/ba-p/296128
- TopSec - http://www.topsec.com.cn/aqtb/aqtb1/jjtg/160820.htm (in Chinese)
- Watchguard - https://www.secplicity.org/2016/08/16/nsa-equation-group-exploit-leak-mean
All of these exploits were 0-days and could have been used to reach your infrastructure without being noticed, but most of them had been patched before the leak.
The leaked binaries and scripts are still under investigation by the affected vendors, and patches are published as they become ready.
Below is a list of the currently confirmed affected devices. This list may still evolve.
- Cisco
-- ASA 711, 712, 721, 722, 723, 724, 802, 803, 80432, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844
-- PIX 711, 712, 721, 722, 723, 724, 804
- Juniper
-- Juniper Netscreen
- Fortinet
-- Fortigate 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, 3600A
-- Firmware 4.3.8 and below, 4.2.12 and below and 4.1.10 and below
- TopSec
-- TOS OS: v3.2.100.010, 3.3.001.050, 3.3.002.021, 3.3.002.030, 3.2.100.010.1pbc17iv3 to 3.3.005.066.1
- Watchguard
-- No details yet, but it appears to affect RapidStream products.
Recommended actions:
- Patch all the impacted network devices and, in general, keep all your devices up to date.
- Check that management interfaces are not exposed to the Internet or otherwise reachable from outside your infrastructure.
- If you have any doubt, change your passwords (use a strong password or passphrase).
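To turn the affected-version list above into something you can run against your own asset inventory, here is an added example (not part of this advisory, nor any vendor's tooling) that checks each device against the FortiGate firmware ranges and the exactly-quoted TOS releases. The hostnames, vendors and versions in SAMPLE_INVENTORY are constructed for the demonstration; the version strings such as "4.3.10" compare numerically, which a plain string comparison would get wrong.

```python
"""Added example (not part of the advisory): check a device inventory
against the affected FortiGate firmware ranges and TOS versions quoted
above. Hostnames and versions in SAMPLE_INVENTORY are constructed."""

# FortiGate firmware: (major, minor) branch -> highest affected release,
# i.e. "4.3.8 and below, 4.2.12 and below and 4.1.10 and below".
FORTIOS_LAST_AFFECTED = {
    (4, 3): (4, 3, 8),
    (4, 2): (4, 2, 12),
    (4, 1): (4, 1, 10),
}

# TopSec TOS releases quoted as affected (exact matches only; the quoted
# "3.2.100.010.1pbc17iv3 to 3.3.005.066.1" span has non-numeric parts and
# is deliberately not expanded here).
TOS_AFFECTED = {"3.2.100.010", "3.3.001.050", "3.3.002.021", "3.3.002.030"}


def parse_version(text):
    """Turn '4.3.8' into the tuple (4, 3, 8) so releases compare numerically
    ('4.3.10' > '4.3.8', which a plain string comparison gets wrong)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError("expected at least major.minor: %r" % text)
    return parts


def fortios_affected(version):
    """True/False when the release falls in a branch the advisory quotes,
    None when the branch is not covered (consult the vendor advisory)."""
    v = parse_version(version)
    last = FORTIOS_LAST_AFFECTED.get(v[:2])
    if last is None:
        return None
    return v <= last


def tos_affected(version):
    """Exact match against the TOS releases quoted above."""
    return version.strip() in TOS_AFFECTED


def assess(inventory):
    """Map hostname -> 'affected' | 'not affected' | 'unknown'.
    Devices of vendors without a parseable rule here are 'unknown'."""
    checks = {"fortinet": fortios_affected, "topsec": tos_affected}
    report = {}
    for device in inventory:
        check = checks.get(device["vendor"].lower())
        if check is None:
            report[device["host"]] = "unknown"
            continue
        try:
            result = check(device["version"])
        except ValueError:
            result = None  # unparseable version string: do not guess
        report[device["host"]] = (
            "unknown" if result is None else "affected" if result else "not affected"
        )
    return report


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "fw-branch-1", "vendor": "Fortinet", "version": "4.3.8"},
    {"host": "fw-branch-2", "vendor": "Fortinet", "version": "4.3.10"},
    {"host": "fw-branch-3", "vendor": "Fortinet", "version": "5.2.3"},
    {"host": "fw-dc-1", "vendor": "TopSec", "version": "3.3.002.030"},
    {"host": "fw-dc-2", "vendor": "TopSec", "version": "3.3.006.001"},
    {"host": "asa-edge-1", "vendor": "Cisco", "version": "9.1(7)"},
]

if __name__ == "__main__":
    for host, status in sorted(assess(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, status))
```

Devices reported as "unknown" (a branch the advisory does not quote, a vendor with no rule here, or an unparseable version) are the ones to verify by hand against the vendor advisories linked above rather than treat as safe.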