Cybersecurity Alert: Shadow Brokers Group Allegedly Obtains NSA Code; Could Be Used to Exploit Cisco Firewalls

August 18, 2016

Threat Summary

On August 15, 2016, Cisco became aware that the "Shadow Brokers," a mysterious group that emerged last weekend, claim to have obtained source code from the National Security Agency ("NSA") that could be used to exploit Cisco's multi-vendor devices. The Shadow Brokers announced intentions to auction off the code in exchange for up to one million Bitcoins.

Affected Cisco Products

The sample of allegedly stolen files released by the Shadow Brokers contains code that is dated 2013 or older and references the following Cisco products:

  • Cisco ASA
  • Cisco PIX
  • Cisco Firewall Services 

For more information on the Cisco products and vulnerabilities that could be exploited by this code, see the following security advisories from the Cisco Product Security Incident Response Team (PSIRT):

Cisco's security blog contains additional details about the released data.

ACA Aponix Guidance

Popular Cisco ASA devices are at risk. Cisco's release of patches adds legitimacy to the Shadow Brokers' claim of leaked or hacked NSA data. The leaked data also includes numerous references to Cisco vulnerabilities that were corrected in 2011. Together, these factors indicate that these exploits have been available and used undetected for the past 5 years by governments and potentially by the individuals who obtained this information from the NSA.

We urge clients to apply patches to impacted Cisco devices as soon as possible.

If you have any questions, please contact your ACA Aponix consultant or email us at