The ShadowBrokers, the hacking crew that has become almost a household name following the worldwide ransomware attacks of the past few days, has a new proposal for those interested in its wares.
Starting June, the group claims it will offer a new subscription service that will give members access to a data dump of exploits and stolen data every month.
The ShadowBrokers likened the service to a wine-of-the-month club that will provide subscribers a choice of Web browser, router, and handset exploits as well as tools and new exploits for Windows 10.
Also in the menu for members, according to The ShadowBrokers, are compromised network data from providers of SWIFT financial messaging services and also compromised data pertaining to the missile programs of several countries including Russia, China, Iran, and North Korea. What members do with the items they obtain from The ShadowBrokers is entirely up to them, the group said.
"With the recent WannaCry outbreak that was enabled by an exploit released by them, they’ve proven to the cybercrime market that they can deliver the goods," says Kevin Magee, global security strategist at Gigamon.
"Perhaps they are simply looking to capitalize on the media frenzy, cash in on all of this free publicity and monetize their future releases."
The ShadowBrokers' planned membership service appears to be another attempt by the hacking crew to sell the big tranche of exploits and top-secret cyber weapons that it apparently stole from the NSA-affiliated Equation Group last summer. Initially, The ShadowBrokers tried to attract buyers for the entire dataset via an underground auction where it sought the equivalent of more than $500 million in bitcoins.
But after failing in that attempt, The ShadowBrokers switched tactics and earlier this year began offering some of its stolen goods on a piecemeal basis on peer-to-peer network ZeroNet. On sale, at prices ranging from the equivalent of around $9,000 to around $225,000, were a range of Windows exploits including SMB exploits of the sort leveraged in the global WannaCry ransomware attacks this week.
The move to a monthly subscription model appears to be the result of The ShadowBrokers' singular lack of success in attracting buyers the second time around as well. In fact, barely one week after announcing its Windows exploit sale via ZeroNet in January, the hacking group announced that it had decided to call it quits, and as a parting gift released nearly 60 Windows exploit tools.
In the rambling blog announcing the monthly subscription service, The ShadowBrokers expressed puzzlement at its lack of success in finding buyers for the Equation Group tools and suggested the lack of interest may have to do with people not believing its claims.
The WannaCry attacks of the last few week may have given it precisely the credibility it lacked among potential buyers for its purloined NSA tools.
"Most of what the ShadowBrokers have released so far has been more difficult to weaponize than the SMB exploits used by WannaCry," says Chris Schraml, threat intelligence analyst at PhishLabs. "But in the wake of the outbreak, the Shadow Brokers brand is at an all-time high."
In announcing the planned launch of a subscription service for exploits in the middle of the WannaCry breakout, The Shadow Brokers has demonstrated a good understanding of how to exploit the news cycle, says Jeremy Wittkop, chief technology officer at InteliSecure.
"I think we are seeing just the beginning of the democratization of high-end cyber weapons and vulnerabilities," he says. "It's easier than ever to get your hands on weapons-grade cyber exploits, which means all defenders need to be prepared to deal with sophisticated attacks, not just those targeted by nation-states," Wittkop says.
The new service, if it launches as promised, would present an interesting dilemma for security vendors, he says. Vendors could subscribe to the service because it would give them an opportunity to develop countermeasures quickly, but in doing so they would end up supporting an adversary.
"If they do not and they remain vulnerable and their customers get exploited, it may be hard to explain why they didn't subscribe in order to have access to the information," Wittkop says.
The ShadowBrokers has only been around for less than a year. It still remains unclear how the group got its hands on the NSA cyberweapons cache, what sort of help it might have had in pulling off the theft, or what its malware development capabilities are. All of the malware tools and exploits that The ShadowBrokers has offered for sale so far have come from the NSA dataset, and the group itself has claimed that it has some 75% of the NSA's cyber arsenal in its possession.
The specific claim is hard to verify. But it is dangerous to underestimate the group says Sean Dillon, senior security researcher at RiskSense. "
"They could still be holding out on exploits such as those use in this week's attacks," Dillon says. "People shouldn't ignore The ShadowBrokers. They have proven that they do have the exploits that they claim to have."
- Shadow Brokers Calls It Quits After Failing To Get Buyers For NSA Exploits
- Shadow Brokers Offers Database Of Windows Exploits For Sale
- Researchers Investigate Possible Connection Between WannaCry & North Korean Hacker Group
- 'WannaCry' Rapidly Moving Ransomware Attack Spreads To 74 Countries