
Shadow Brokers prepares zero-day subscription service

Businesses may face an onslaught of zero-day attacks soon as the group that leaked the NSA exploits used in the WannaCry ransomware attacks prepares to release more stolen code

The Shadow Brokers hacking group that released hacking tools believed to have been stolen from the US National Security Agency (NSA) appears set to offer more tools through a subscription service.

Shortly after the WannaCry ransomware attacks, the group announced that it planned to launch a subscription service in June 2017 for exploits targeting web browsers, routers, mobile phones and Windows 10, as well as compromised network data from banks and nuclear missile programmes.

This has raised concern that cyber criminals may soon be tapping into highly effective attack tools that most organisations will be unable to defend against.

Now the group has indicated that “TheShadowBrokers Monthly Dump Service” will be available for a monthly fee of 100 ZEC, the Zcash cryptocurrency, currently equivalent to about $23,390.

However, the group urged prospective subscribers to act quickly because there is a “good chance” that the Zcash price will rise over time.

Once payment and delivery email address are confirmed, a “mass email” will be sent between 1 and 17 July containing a link and password for the June 2017 dump, the hacking group said in a posting on Steemit.

The Shadow Brokers claims that Zcash is more secure than Bitcoin, but warns that it may not be reliable.

“If you are caring about losing $20k+ Euro then not being for you,” the group said. “Monthly dump is being for high rollers, hackers, security companies, OEMs and governments. Playing ‘the game’ is involving risks.”

The group has not yet provided any details of what subscribers can expect in the first consignment, saying it is still deciding.

It went on to say that it will be “something of value to someone”, adding: “The question to be asking is ‘Can my organisation afford not to be first to get access to theshadowbrokers dumps?’”

Enabled by the EternalBlue exploit and DoublePulsar backdoor leaked by The Shadow Brokers, WannaCry was able to take down about 300,000 computers in 150 countries, causing widespread disruption.

WannaCry had a significant impact on the NHS in the UK, but security experts have pointed out that the attack could have been far more devastating in more sophisticated hands.

Although there are doubts over the truth of the claimed new leaks, the situation is “really scary”, according to Csaba Krasznay, product evangelist at security firm Balabit.

“On the one hand, if the exploits really exist and someone or multiple parties buys them, we may be faced with another WannaCry campaign as we can be sure that the buyers will monetise those exploits,” he said.

“On the other hand, if the whole story is not true, Shadow Brokers’ questionable ‘reputation’ may suffer, and it may seek to prove trustworthiness in another destructive way.

“Whatever the truth is, it is clear now that governments should handle their cyber weapons in a similar way to handling their weapons of mass destruction. Otherwise, perhaps a disgruntled privileged administrator might steal one or perhaps someone may simply forget to delete it after use in an operation. Those codes should not get to a Shadow Broker-like group, and this is a governmental responsibility.”

Various models

The Shadow Brokers appears to be trying various business models to see which one is profitable, said Mounir Hahad, senior director at Cyphort Labs.

“They have tried an auction sale, a direct sale and now a subscription model,” he said. “None of the past models has generated any revenue for them, neither from government agencies interested in offensive security, nor from security companies trying to build protections.

“I suspect this new model will have better success, given that the price tag is much lower. My concern would be with rogue entities like cyber crime groups, which now would have a more affordable access to weapons of choice. Some not-so-well-funded foreign governments may dip their toes in as well.

“I hope this approach won’t force the hands of security companies to join the feeding frenzy to avoid being the last one to know. Usually the industry is driven by a code of conduct that should prevent engaging in any shady activity and definitely not funding illegal activities.”

But Gabriel Gumbs, vice-president of product strategy at STEALTHbits Technologies, said he is sceptical. “Why would a group of hackers need to peddle exploits and the like if they have, at their disposal, the means to steal untold amounts of money?” he said.
