ShadowBrokers offers CISOs zero-day details for $21,000

The NSA-leaking group goads companies into forking out for early access to exploits

code

The criminal group responsible for leaking NSA hacking tools over the past nine months is marketing regular exploit kit notices at CISOs.

Shadow Brokers plans to charge security professionals and white hat hackers a $21,000 subscription fee for access to dumps of new zero-day exploits, giving them the opportunity to develop countermeasures to hacking tools that could otherwise prove catastrophic if released into the wild.

The person or group responsible for originally stealing and leaking NSA hacking tools has previously released data dumps that included two tools that were eventually used in the WannaCry ransomware attack, which affected over 200,000 computer systems in 150 countries.

While Shadow Brokers said it will make new hacking arsenals available for those that pay its fee, so anyone - including hackers - can sign up, its messaging appeared to target organisations trying to prepare themselves against the potential damage of a WannaCry 2.0.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Question to be asking. 'Can my organisation afford not to be first to get access to the Shadow Brokers dumps'", Shadow Brokers' post reads.

The post makes it clear that this is a "high-roller risk", and gives little indication of what will be included in the data dump, although previous posts boast that it has 75% of the NSA toolkits, covering everything from browser exploits to compromised network data from Russian and Chinese nuclear missile programs.

Yet whether security professionals should pay to access the tools raises a moral question, as they are in effect directly funding Shadow Brokers' activities. What's more, this dump could be completely worthless.

Graham Cluley, security analyst and blogger, toldIT Prothat he believes there are too many unknowns around the data dump: "It's something I would feel uncomfortable with. If you pay malicious hackers for exploits you are creating a demand, and - in effect - encouraging them to continue to supply by doing more illegal hacking."

"Without knowing details of the exploits its hard to say how quickly they could be patched," added Cluley. "Certainly big technology companies have moved quickly in the past to resolve zero-day threats."

"But the proof of the pudding is in the eating. And this is a pudding that costs $21,000."

Advertisement - Article continues below

Pieter Antz, malware intelligence analyst at Malwarebytes, argues that simply knowing what the exploits are is not always enough to understand the damage they could cause.

"The problem is that knowing the exploits does not help white-hats, unless it is very obvious how they can be used in malware," said Antz, in an email to IT Pro. "It could help the firms that created the exploitable software however, and enable them to close the gaps and issue patches for them."

However, Antz warns that companies still run the risk of being stung by false promises: "It's the same as paying to have your files unlocked from ransomware - there's no guarantee the files will be released and you're helping to perpetuate the behaviour."

There isn't long to decide. In acryptographically signed message, published on Tuesday, the group said that if a user sends 100 ZEC (one ZEC is currently worth $237), a virtually untraceable cryptocurrency known as Zcash, to a specified z_address, they would receive an email with a link and a password when the dump is made available in June.

In broken English, the post added: "Act quickly is good chance Zcash price increasing over time."

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/security/cyber-security/354827/mcafee-researchers-trick-tesla-autopilot-with-a-strip-of-tape
cyber security

McAfee researchers trick Tesla autopilot with a strip of tape

21 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020