Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/16/2017
09:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

ShadowBrokers To Launch Monthly Subscription Service for Exploits

Think of it like a wine of the month club for attack tools and new exploits threat group says.

The ShadowBrokers, the hacking crew that has become almost a household name following the worldwide ransomware attacks of the past few days, has a new proposal for those interested in its wares.

Starting June, the group claims it will offer a new subscription service that will give members access to a data dump of exploits and stolen data every month.

The ShadowBrokers likened the service to a wine-of-the-month club that will provide subscribers a choice of Web browser, router, and handset exploits as well as tools and new exploits for Windows 10.

Also in the menu for members, according to The ShadowBrokers, are compromised network data from providers of SWIFT financial messaging services and also compromised data pertaining to the missile programs of several countries including Russia, China, Iran, and North Korea. What members do with the items they obtain from The ShadowBrokers is entirely up to them, the group said.

"With the recent WannaCry outbreak that was enabled by an exploit released by them, they’ve proven to the cybercrime market that they can deliver the goods," says Kevin Magee, global security strategist at Gigamon.

"Perhaps they are simply looking to capitalize on the media frenzy, cash in on all of this free publicity and monetize their future releases."

The ShadowBrokers' planned membership service appears to be another attempt by the hacking crew to sell the big tranche of exploits and top-secret cyber weapons that it apparently stole from the NSA-affiliated Equation Group last summer. Initially, The ShadowBrokers tried to attract buyers for the entire dataset via an underground auction where it sought the equivalent of more than $500 million in bitcoins.

But after failing in that attempt, The ShadowBrokers switched tactics and earlier this year began offering some of its stolen goods on a piecemeal basis on peer-to-peer network ZeroNet. On sale, at prices ranging from the equivalent of around $9,000 to around $225,000, were a range of Windows exploits including SMB exploits of the sort leveraged in the global WannaCry ransomware attacks this week.

The move to a monthly subscription model appears to be the result of The ShadowBrokers' singular lack of success in attracting buyers the second time around as well. In fact, barely one week after announcing its Windows exploit sale via ZeroNet in January, the hacking group announced that it had decided to call it quits, and as a parting gift released nearly 60 Windows exploit tools.

In the rambling blog announcing the monthly subscription service, The ShadowBrokers expressed puzzlement at its lack of success in finding buyers for the Equation Group tools and suggested the lack of interest may have to do with people not believing its claims.

The WannaCry attacks of the last few week may have given it precisely the credibility it lacked among potential buyers for its purloined NSA tools.

"Most of what the ShadowBrokers have released so far has been more difficult to weaponize than the SMB exploits used by WannaCry," says Chris Schraml, threat intelligence analyst at PhishLabs. "But in the wake of the outbreak, the Shadow Brokers brand is at an all-time high."

News Wave

In announcing the planned launch of a subscription service for exploits in the middle of the WannaCry breakout, The Shadow Brokers has demonstrated a good understanding of how to exploit the news cycle, says Jeremy Wittkop, chief technology officer at InteliSecure.

"I think we are seeing just the beginning of the democratization of high-end cyber weapons and vulnerabilities," he says. "It's easier than ever to get your hands on weapons-grade cyber exploits, which means all defenders need to be prepared to deal with sophisticated attacks, not just those targeted by nation-states," Wittkop says.

The new service, if it launches as promised, would present an interesting dilemma for security vendors, he says. Vendors could subscribe to the service because it would give them an opportunity to develop countermeasures quickly, but in doing so they would end up supporting an adversary.

"If they do not and they remain vulnerable and their customers get exploited, it may be hard to explain why they didn't subscribe in order to have access to the information," Wittkop says.

The ShadowBrokers has only been around for less than a year. It still remains unclear how the group got its hands on the NSA cyberweapons cache, what sort of help it might have had in pulling off the theft, or what its malware development capabilities are. All of the malware tools and exploits that The ShadowBrokers has offered for sale so far have come from the NSA dataset, and the group itself has claimed that it has some 75% of the NSA's cyber arsenal in its possession.

The specific claim is hard to verify. But it is dangerous to underestimate the group says Sean Dillon, senior security researcher at RiskSense.  "

"They could still be holding out on exploits such as those use in this week's attacks," Dillon says. "People shouldn't ignore The ShadowBrokers. They have proven that they do have the exploits that they claim to have."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.