Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/10/2017
06:26 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Shadow Brokers Offers Database Of Windows Exploits For Sale

Notorious hacking crew claims tools are from NSA-affiliated Equation Group, and include plugin for tampering with event logs.

Anyone with the equivalent of around $680,000 and a hankering for breaking into other people’s computers can now purchase an entire database of exploits and toolkits for attacking Windows systems.

Shadow Brokers, the hacker crew that last year made headlines by trying to auction off a whole set of top-secret cyber weapons allegedly used by the National Security Agency (NSA), is back again, this time with a set of exploits for breaking into Windows systems.

The tools, which include a collection of fuzzers for Windows components, are available for sale on a website on ZeroNet, a decentralized network of peer-to-peer systems. The attack tools range in price from 10 Bitcoins, or around $9,000 a piece, to 250 Bitcoins, or about $228,000.

The Shadow Brokers advertised the sale on Twitter late last week and have claimed the cache of exploit tools belongs to The Equation Group, an outfit believed affiliated with the NSA.

Apart from a screenshot listing the names and the prices of individual Windows hacking tools in the data dump, little specific information is available on them, said Jacob Williams, founder of Rendition InfoSec in a blog.

The screenshot suggests that one of the exploits contains a possible Server Message Block (SMB) zero-day exploit, but there is no indication which one exactly, Williams said.

“For the price requested, one would hope it is a zero-day. The price is far too high for an exploit for a known vulnerability,” Williams said.

Most of the tools listed in the screenshot also have version numbers that suggest they have been through multiple iterations. This would appear to lend credence to claims by the Shadow Brokers of the exploits being real, Williams said.

Significantly, one of the listed plugins suggests that the Shadow Brokers have in their possession a tool for editing and tampering with the Windows event logs that incident response and forensics experts rely on during investigations. Attackers have shown the ability to clear event logs or to stop logging altogether in the past but the ability to modify event logs is considered very advanced, Williams said.

“Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they've done previously), it will undermine the reliability of event logs in forensic investigations,” Williams cautioned.

Andra Zaharia, security evangelist at Heimdal Security, says the tools appear designed to be executed on servers and used to attack a wide range of applications designed for Windows platforms, including browsers.

“The tools can be used to exploit specific types of software built for Windows. For example, attackers can embed a Flash exploit into a tool designed to hack browsers. The Python tools in the list, for example, are designed to exploit servers that run Microsoft,” she says.

The attack tools that the Shadow Brokers have offered for sale appear to be exclusive and not available anywhere else, Zaharia added.

Some believe the Shadow Brokers are Russian operatives or people working on behalf of the Russian government. Their release last year of more than 300 GB of data on tools the NSA had developed and used over the years for breaking into adversary systems sent shock waves through the security industry and intelligence community. 

Some believed the data dump - and the threat to release data on many more tools apparently purloined from the NSA - was designed to deter the US from taking action against Russia for several election-related hacks.

Last November, the group released more information, this time on servers that the NSA had broken into and then used for hosting and distributing exploits.

The timing behind the release of the Windows attack tools does not appear to be random, according to Williams. “It’s hard to believe the timing is purely coincidental and has nothing to do with the release by US intelligence about the Russian hacking of the [Democratic National Committee].

“However, it is important to note that no tools are offered for proof of the dump this time,” he said.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...