Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/10/2017
06:26 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Shadow Brokers Offers Database Of Windows Exploits For Sale

Notorious hacking crew claims tools are from NSA-affiliated Equation Group, and include plugin for tampering with event logs.

Anyone with the equivalent of around $680,000 and a hankering for breaking into other people’s computers can now purchase an entire database of exploits and toolkits for attacking Windows systems.

Shadow Brokers, the hacker crew that last year made headlines by trying to auction off a whole set of top-secret cyber weapons allegedly used by the National Security Agency (NSA), is back again, this time with a set of exploits for breaking into Windows systems.

The tools, which include a collection of fuzzers for Windows components, are available for sale on a website on ZeroNet, a decentralized network of peer-to-peer systems. The attack tools range in price from 10 Bitcoins, or around $9,000 a piece, to 250 Bitcoins, or about $228,000.

The Shadow Brokers advertised the sale on Twitter late last week and have claimed the cache of exploit tools belongs to The Equation Group, an outfit believed affiliated with the NSA.

Apart from a screenshot listing the names and the prices of individual Windows hacking tools in the data dump, little specific information is available on them, said Jacob Williams, founder of Rendition InfoSec in a blog.

The screenshot suggests that one of the exploits contains a possible Server Message Block (SMB) zero-day exploit, but there is no indication which one exactly, Williams said.

“For the price requested, one would hope it is a zero-day. The price is far too high for an exploit for a known vulnerability,” Williams said.

Most of the tools listed in the screenshot also have version numbers that suggest they have been through multiple iterations. This would appear to lend credence to claims by the Shadow Brokers of the exploits being real, Williams said.

Significantly, one of the listed plugins suggests that the Shadow Brokers have in their possession a tool for editing and tampering with the Windows event logs that incident response and forensics experts rely on during investigations. Attackers have shown the ability to clear event logs or to stop logging altogether in the past but the ability to modify event logs is considered very advanced, Williams said.

“Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they've done previously), it will undermine the reliability of event logs in forensic investigations,” Williams cautioned.

Andra Zaharia, security evangelist at Heimdal Security, says the tools appear designed to be executed on servers and used to attack a wide range of applications designed for Windows platforms, including browsers.

“The tools can be used to exploit specific types of software built for Windows. For example, attackers can embed a Flash exploit into a tool designed to hack browsers. The Python tools in the list, for example, are designed to exploit servers that run Microsoft,” she says.

The attack tools that the Shadow Brokers have offered for sale appear to be exclusive and not available anywhere else, Zaharia added.

Some believe the Shadow Brokers are Russian operatives or people working on behalf of the Russian government. Their release last year of more than 300 GB of data on tools the NSA had developed and used over the years for breaking into adversary systems sent shock waves through the security industry and intelligence community. 

Some believed the data dump - and the threat to release data on many more tools apparently purloined from the NSA - was designed to deter the US from taking action against Russia for several election-related hacks.

Last November, the group released more information, this time on servers that the NSA had broken into and then used for hosting and distributing exploits.

The timing behind the release of the Windows attack tools does not appear to be random, according to Williams. “It’s hard to believe the timing is purely coincidental and has nothing to do with the release by US intelligence about the Russian hacking of the [Democratic National Committee].

“However, it is important to note that no tools are offered for proof of the dump this time,” he said.

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...