Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/16/2017
09:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

ShadowBrokers To Launch Monthly Subscription Service for Exploits

Think of it like a wine of the month club for attack tools and new exploits threat group says.

The ShadowBrokers, the hacking crew that has become almost a household name following the worldwide ransomware attacks of the past few days, has a new proposal for those interested in its wares.

Starting June, the group claims it will offer a new subscription service that will give members access to a data dump of exploits and stolen data every month.

The ShadowBrokers likened the service to a wine-of-the-month club that will provide subscribers a choice of Web browser, router, and handset exploits as well as tools and new exploits for Windows 10.

Also in the menu for members, according to The ShadowBrokers, are compromised network data from providers of SWIFT financial messaging services and also compromised data pertaining to the missile programs of several countries including Russia, China, Iran, and North Korea. What members do with the items they obtain from The ShadowBrokers is entirely up to them, the group said.

"With the recent WannaCry outbreak that was enabled by an exploit released by them, they’ve proven to the cybercrime market that they can deliver the goods," says Kevin Magee, global security strategist at Gigamon.

"Perhaps they are simply looking to capitalize on the media frenzy, cash in on all of this free publicity and monetize their future releases."

The ShadowBrokers' planned membership service appears to be another attempt by the hacking crew to sell the big tranche of exploits and top-secret cyber weapons that it apparently stole from the NSA-affiliated Equation Group last summer. Initially, The ShadowBrokers tried to attract buyers for the entire dataset via an underground auction where it sought the equivalent of more than $500 million in bitcoins.

But after failing in that attempt, The ShadowBrokers switched tactics and earlier this year began offering some of its stolen goods on a piecemeal basis on peer-to-peer network ZeroNet. On sale, at prices ranging from the equivalent of around $9,000 to around $225,000, were a range of Windows exploits including SMB exploits of the sort leveraged in the global WannaCry ransomware attacks this week.

The move to a monthly subscription model appears to be the result of The ShadowBrokers' singular lack of success in attracting buyers the second time around as well. In fact, barely one week after announcing its Windows exploit sale via ZeroNet in January, the hacking group announced that it had decided to call it quits, and as a parting gift released nearly 60 Windows exploit tools.

In the rambling blog announcing the monthly subscription service, The ShadowBrokers expressed puzzlement at its lack of success in finding buyers for the Equation Group tools and suggested the lack of interest may have to do with people not believing its claims.

The WannaCry attacks of the last few week may have given it precisely the credibility it lacked among potential buyers for its purloined NSA tools.

"Most of what the ShadowBrokers have released so far has been more difficult to weaponize than the SMB exploits used by WannaCry," says Chris Schraml, threat intelligence analyst at PhishLabs. "But in the wake of the outbreak, the Shadow Brokers brand is at an all-time high."

News Wave

In announcing the planned launch of a subscription service for exploits in the middle of the WannaCry breakout, The Shadow Brokers has demonstrated a good understanding of how to exploit the news cycle, says Jeremy Wittkop, chief technology officer at InteliSecure.

"I think we are seeing just the beginning of the democratization of high-end cyber weapons and vulnerabilities," he says. "It's easier than ever to get your hands on weapons-grade cyber exploits, which means all defenders need to be prepared to deal with sophisticated attacks, not just those targeted by nation-states," Wittkop says.

The new service, if it launches as promised, would present an interesting dilemma for security vendors, he says. Vendors could subscribe to the service because it would give them an opportunity to develop countermeasures quickly, but in doing so they would end up supporting an adversary.

"If they do not and they remain vulnerable and their customers get exploited, it may be hard to explain why they didn't subscribe in order to have access to the information," Wittkop says.

The ShadowBrokers has only been around for less than a year. It still remains unclear how the group got its hands on the NSA cyberweapons cache, what sort of help it might have had in pulling off the theft, or what its malware development capabilities are. All of the malware tools and exploits that The ShadowBrokers has offered for sale so far have come from the NSA dataset, and the group itself has claimed that it has some 75% of the NSA's cyber arsenal in its possession.

The specific claim is hard to verify. But it is dangerous to underestimate the group says Sean Dillon, senior security researcher at RiskSense.  "

"They could still be holding out on exploits such as those use in this week's attacks," Dillon says. "People shouldn't ignore The ShadowBrokers. They have proven that they do have the exploits that they claim to have."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.