Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/16/2017
09:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

ShadowBrokers To Launch Monthly Subscription Service for Exploits

Think of it like a wine of the month club for attack tools and new exploits threat group says.

The ShadowBrokers, the hacking crew that has become almost a household name following the worldwide ransomware attacks of the past few days, has a new proposal for those interested in its wares.

Starting June, the group claims it will offer a new subscription service that will give members access to a data dump of exploits and stolen data every month.

The ShadowBrokers likened the service to a wine-of-the-month club that will provide subscribers a choice of Web browser, router, and handset exploits as well as tools and new exploits for Windows 10.

Also in the menu for members, according to The ShadowBrokers, are compromised network data from providers of SWIFT financial messaging services and also compromised data pertaining to the missile programs of several countries including Russia, China, Iran, and North Korea. What members do with the items they obtain from The ShadowBrokers is entirely up to them, the group said.

"With the recent WannaCry outbreak that was enabled by an exploit released by them, they’ve proven to the cybercrime market that they can deliver the goods," says Kevin Magee, global security strategist at Gigamon.

"Perhaps they are simply looking to capitalize on the media frenzy, cash in on all of this free publicity and monetize their future releases."

The ShadowBrokers' planned membership service appears to be another attempt by the hacking crew to sell the big tranche of exploits and top-secret cyber weapons that it apparently stole from the NSA-affiliated Equation Group last summer. Initially, The ShadowBrokers tried to attract buyers for the entire dataset via an underground auction where it sought the equivalent of more than $500 million in bitcoins.

But after failing in that attempt, The ShadowBrokers switched tactics and earlier this year began offering some of its stolen goods on a piecemeal basis on peer-to-peer network ZeroNet. On sale, at prices ranging from the equivalent of around $9,000 to around $225,000, were a range of Windows exploits including SMB exploits of the sort leveraged in the global WannaCry ransomware attacks this week.

The move to a monthly subscription model appears to be the result of The ShadowBrokers' singular lack of success in attracting buyers the second time around as well. In fact, barely one week after announcing its Windows exploit sale via ZeroNet in January, the hacking group announced that it had decided to call it quits, and as a parting gift released nearly 60 Windows exploit tools.

In the rambling blog announcing the monthly subscription service, The ShadowBrokers expressed puzzlement at its lack of success in finding buyers for the Equation Group tools and suggested the lack of interest may have to do with people not believing its claims.

The WannaCry attacks of the last few week may have given it precisely the credibility it lacked among potential buyers for its purloined NSA tools.

"Most of what the ShadowBrokers have released so far has been more difficult to weaponize than the SMB exploits used by WannaCry," says Chris Schraml, threat intelligence analyst at PhishLabs. "But in the wake of the outbreak, the Shadow Brokers brand is at an all-time high."

News Wave

In announcing the planned launch of a subscription service for exploits in the middle of the WannaCry breakout, The Shadow Brokers has demonstrated a good understanding of how to exploit the news cycle, says Jeremy Wittkop, chief technology officer at InteliSecure.

"I think we are seeing just the beginning of the democratization of high-end cyber weapons and vulnerabilities," he says. "It's easier than ever to get your hands on weapons-grade cyber exploits, which means all defenders need to be prepared to deal with sophisticated attacks, not just those targeted by nation-states," Wittkop says.

The new service, if it launches as promised, would present an interesting dilemma for security vendors, he says. Vendors could subscribe to the service because it would give them an opportunity to develop countermeasures quickly, but in doing so they would end up supporting an adversary.

"If they do not and they remain vulnerable and their customers get exploited, it may be hard to explain why they didn't subscribe in order to have access to the information," Wittkop says.

The ShadowBrokers has only been around for less than a year. It still remains unclear how the group got its hands on the NSA cyberweapons cache, what sort of help it might have had in pulling off the theft, or what its malware development capabilities are. All of the malware tools and exploits that The ShadowBrokers has offered for sale so far have come from the NSA dataset, and the group itself has claimed that it has some 75% of the NSA's cyber arsenal in its possession.

The specific claim is hard to verify. But it is dangerous to underestimate the group says Sean Dillon, senior security researcher at RiskSense.  "

"They could still be holding out on exploits such as those use in this week's attacks," Dillon says. "People shouldn't ignore The ShadowBrokers. They have proven that they do have the exploits that they claim to have."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.