Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/10/2017
06:26 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Shadow Brokers Offers Database Of Windows Exploits For Sale

Notorious hacking crew claims tools are from NSA-affiliated Equation Group, and include plugin for tampering with event logs.

Anyone with the equivalent of around $680,000 and a hankering for breaking into other people’s computers can now purchase an entire database of exploits and toolkits for attacking Windows systems.

Shadow Brokers, the hacker crew that last year made headlines by trying to auction off a whole set of top-secret cyber weapons allegedly used by the National Security Agency (NSA), is back again, this time with a set of exploits for breaking into Windows systems.

The tools, which include a collection of fuzzers for Windows components, are available for sale on a website on ZeroNet, a decentralized network of peer-to-peer systems. The attack tools range in price from 10 Bitcoins, or around $9,000 a piece, to 250 Bitcoins, or about $228,000.

The Shadow Brokers advertised the sale on Twitter late last week and have claimed the cache of exploit tools belongs to The Equation Group, an outfit believed affiliated with the NSA.

Apart from a screenshot listing the names and the prices of individual Windows hacking tools in the data dump, little specific information is available on them, said Jacob Williams, founder of Rendition InfoSec in a blog.

The screenshot suggests that one of the exploits contains a possible Server Message Block (SMB) zero-day exploit, but there is no indication which one exactly, Williams said.

“For the price requested, one would hope it is a zero-day. The price is far too high for an exploit for a known vulnerability,” Williams said.

Most of the tools listed in the screenshot also have version numbers that suggest they have been through multiple iterations. This would appear to lend credence to claims by the Shadow Brokers of the exploits being real, Williams said.

Significantly, one of the listed plugins suggests that the Shadow Brokers have in their possession a tool for editing and tampering with the Windows event logs that incident response and forensics experts rely on during investigations. Attackers have shown the ability to clear event logs or to stop logging altogether in the past but the ability to modify event logs is considered very advanced, Williams said.

“Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they've done previously), it will undermine the reliability of event logs in forensic investigations,” Williams cautioned.

Andra Zaharia, security evangelist at Heimdal Security, says the tools appear designed to be executed on servers and used to attack a wide range of applications designed for Windows platforms, including browsers.

“The tools can be used to exploit specific types of software built for Windows. For example, attackers can embed a Flash exploit into a tool designed to hack browsers. The Python tools in the list, for example, are designed to exploit servers that run Microsoft,” she says.

The attack tools that the Shadow Brokers have offered for sale appear to be exclusive and not available anywhere else, Zaharia added.

Some believe the Shadow Brokers are Russian operatives or people working on behalf of the Russian government. Their release last year of more than 300 GB of data on tools the NSA had developed and used over the years for breaking into adversary systems sent shock waves through the security industry and intelligence community. 

Some believed the data dump - and the threat to release data on many more tools apparently purloined from the NSA - was designed to deter the US from taking action against Russia for several election-related hacks.

Last November, the group released more information, this time on servers that the NSA had broken into and then used for hosting and distributing exploits.

The timing behind the release of the Windows attack tools does not appear to be random, according to Williams. “It’s hard to believe the timing is purely coincidental and has nothing to do with the release by US intelligence about the Russian hacking of the [Democratic National Committee].

“However, it is important to note that no tools are offered for proof of the dump this time,” he said.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
CVE-2021-27363
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...
CVE-2021-26294
PUBLISHED: 2021-03-07
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_...