Attacks/Breaches
5/16/2017
09:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

ShadowBrokers To Launch Monthly Subscription Service for Exploits

Think of it like a wine of the month club for attack tools and new exploits threat group says.

The ShadowBrokers, the hacking crew that has become almost a household name following the worldwide ransomware attacks of the past few days, has a new proposal for those interested in its wares.

Starting June, the group claims it will offer a new subscription service that will give members access to a data dump of exploits and stolen data every month.

The ShadowBrokers likened the service to a wine-of-the-month club that will provide subscribers a choice of Web browser, router, and handset exploits as well as tools and new exploits for Windows 10.

Also in the menu for members, according to The ShadowBrokers, are compromised network data from providers of SWIFT financial messaging services and also compromised data pertaining to the missile programs of several countries including Russia, China, Iran, and North Korea. What members do with the items they obtain from The ShadowBrokers is entirely up to them, the group said.

"With the recent WannaCry outbreak that was enabled by an exploit released by them, they’ve proven to the cybercrime market that they can deliver the goods," says Kevin Magee, global security strategist at Gigamon.

"Perhaps they are simply looking to capitalize on the media frenzy, cash in on all of this free publicity and monetize their future releases."

The ShadowBrokers' planned membership service appears to be another attempt by the hacking crew to sell the big tranche of exploits and top-secret cyber weapons that it apparently stole from the NSA-affiliated Equation Group last summer. Initially, The ShadowBrokers tried to attract buyers for the entire dataset via an underground auction where it sought the equivalent of more than $500 million in bitcoins.

But after failing in that attempt, The ShadowBrokers switched tactics and earlier this year began offering some of its stolen goods on a piecemeal basis on peer-to-peer network ZeroNet. On sale, at prices ranging from the equivalent of around $9,000 to around $225,000, were a range of Windows exploits including SMB exploits of the sort leveraged in the global WannaCry ransomware attacks this week.

The move to a monthly subscription model appears to be the result of The ShadowBrokers' singular lack of success in attracting buyers the second time around as well. In fact, barely one week after announcing its Windows exploit sale via ZeroNet in January, the hacking group announced that it had decided to call it quits, and as a parting gift released nearly 60 Windows exploit tools.

In the rambling blog announcing the monthly subscription service, The ShadowBrokers expressed puzzlement at its lack of success in finding buyers for the Equation Group tools and suggested the lack of interest may have to do with people not believing its claims.

The WannaCry attacks of the last few week may have given it precisely the credibility it lacked among potential buyers for its purloined NSA tools.

"Most of what the ShadowBrokers have released so far has been more difficult to weaponize than the SMB exploits used by WannaCry," says Chris Schraml, threat intelligence analyst at PhishLabs. "But in the wake of the outbreak, the Shadow Brokers brand is at an all-time high."

News Wave

In announcing the planned launch of a subscription service for exploits in the middle of the WannaCry breakout, The Shadow Brokers has demonstrated a good understanding of how to exploit the news cycle, says Jeremy Wittkop, chief technology officer at InteliSecure.

"I think we are seeing just the beginning of the democratization of high-end cyber weapons and vulnerabilities," he says. "It's easier than ever to get your hands on weapons-grade cyber exploits, which means all defenders need to be prepared to deal with sophisticated attacks, not just those targeted by nation-states," Wittkop says.

The new service, if it launches as promised, would present an interesting dilemma for security vendors, he says. Vendors could subscribe to the service because it would give them an opportunity to develop countermeasures quickly, but in doing so they would end up supporting an adversary.

"If they do not and they remain vulnerable and their customers get exploited, it may be hard to explain why they didn't subscribe in order to have access to the information," Wittkop says.

The ShadowBrokers has only been around for less than a year. It still remains unclear how the group got its hands on the NSA cyberweapons cache, what sort of help it might have had in pulling off the theft, or what its malware development capabilities are. All of the malware tools and exploits that The ShadowBrokers has offered for sale so far have come from the NSA dataset, and the group itself has claimed that it has some 75% of the NSA's cyber arsenal in its possession.

The specific claim is hard to verify. But it is dangerous to underestimate the group says Sean Dillon, senior security researcher at RiskSense.  "

"They could still be holding out on exploits such as those use in this week's attacks," Dillon says. "People shouldn't ignore The ShadowBrokers. They have proven that they do have the exploits that they claim to have."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.