Attacks/Breaches
1/10/2017
06:26 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Shadow Brokers Offers Database Of Windows Exploits For Sale

Notorious hacking crew claims tools are from NSA-affiliated Equation Group, and include plugin for tampering with event logs.

Anyone with the equivalent of around $680,000 and a hankering for breaking into other people’s computers can now purchase an entire database of exploits and toolkits for attacking Windows systems.

Shadow Brokers, the hacker crew that last year made headlines by trying to auction off a whole set of top-secret cyber weapons allegedly used by the National Security Agency (NSA), is back again, this time with a set of exploits for breaking into Windows systems.

The tools, which include a collection of fuzzers for Windows components, are available for sale on a website on ZeroNet, a decentralized network of peer-to-peer systems. The attack tools range in price from 10 Bitcoins, or around $9,000 a piece, to 250 Bitcoins, or about $228,000.

The Shadow Brokers advertised the sale on Twitter late last week and have claimed the cache of exploit tools belongs to The Equation Group, an outfit believed affiliated with the NSA.

Apart from a screenshot listing the names and the prices of individual Windows hacking tools in the data dump, little specific information is available on them, said Jacob Williams, founder of Rendition InfoSec in a blog.

The screenshot suggests that one of the exploits contains a possible Server Message Block (SMB) zero-day exploit, but there is no indication which one exactly, Williams said.

“For the price requested, one would hope it is a zero-day. The price is far too high for an exploit for a known vulnerability,” Williams said.

Most of the tools listed in the screenshot also have version numbers that suggest they have been through multiple iterations. This would appear to lend credence to claims by the Shadow Brokers of the exploits being real, Williams said.

Significantly, one of the listed plugins suggests that the Shadow Brokers have in their possession a tool for editing and tampering with the Windows event logs that incident response and forensics experts rely on during investigations. Attackers have shown the ability to clear event logs or to stop logging altogether in the past but the ability to modify event logs is considered very advanced, Williams said.

“Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they've done previously), it will undermine the reliability of event logs in forensic investigations,” Williams cautioned.

Andra Zaharia, security evangelist at Heimdal Security, says the tools appear designed to be executed on servers and used to attack a wide range of applications designed for Windows platforms, including browsers.

“The tools can be used to exploit specific types of software built for Windows. For example, attackers can embed a Flash exploit into a tool designed to hack browsers. The Python tools in the list, for example, are designed to exploit servers that run Microsoft,” she says.

The attack tools that the Shadow Brokers have offered for sale appear to be exclusive and not available anywhere else, Zaharia added.

Some believe the Shadow Brokers are Russian operatives or people working on behalf of the Russian government. Their release last year of more than 300 GB of data on tools the NSA had developed and used over the years for breaking into adversary systems sent shock waves through the security industry and intelligence community. 

Some believed the data dump - and the threat to release data on many more tools apparently purloined from the NSA - was designed to deter the US from taking action against Russia for several election-related hacks.

Last November, the group released more information, this time on servers that the NSA had broken into and then used for hosting and distributing exploits.

The timing behind the release of the Windows attack tools does not appear to be random, according to Williams. “It’s hard to believe the timing is purely coincidental and has nothing to do with the release by US intelligence about the Russian hacking of the [Democratic National Committee].

“However, it is important to note that no tools are offered for proof of the dump this time,” he said.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.