ShadowBrokers offers CISOs zero-day details for $21,000

The NSA-leaking group goads companies into forking out for early access to exploits

The criminal group responsible for leaking NSA hacking tools over the past nine months is marketing regular exploit kit notices at CISOs.

Shadow Brokers plans to charge security professionals and white hat hackers a $21,000 subscription fee for access to dumps of new zero-day exploits, giving them the opportunity to develop countermeasures to hacking tools that could otherwise prove catastrophic if released into the wild.

The person or group responsible for originally stealing and leaking NSA hacking tools has previously released data dumps that included two tools that were eventually used in the WannaCry ransomware attack, which affected over 200,000 computer systems in 150 countries.

Shadow Brokers said it will make new hacking arsenals available to those that pay its fee, so anyone - including hackers - can sign up. Its messaging, however, appeared to target organisations trying to prepare themselves against the potential damage of a WannaCry 2.0.

"Question to be asking. 'Can my organisation afford not to be first to get access to the Shadow Brokers dumps'", Shadow Brokers' post reads.

The post makes it clear that this is a "high-roller risk", and gives little indication of what will be included in the data dump, although previous posts boast that it has 75% of the NSA toolkits, covering everything from browser exploits to compromised network data from Russian and Chinese nuclear missile programs.

Yet whether security professionals should pay to access the tools raises a moral question, as they are in effect directly funding Shadow Brokers' activities. What's more, this dump could be completely worthless.

Graham Cluley, security analyst and blogger, told IT Pro that he believes there are too many unknowns around the data dump: "It's something I would feel uncomfortable with. If you pay malicious hackers for exploits you are creating a demand, and - in effect - encouraging them to continue to supply by doing more illegal hacking."

"Without knowing details of the exploits it's hard to say how quickly they could be patched," added Cluley. "Certainly big technology companies have moved quickly in the past to resolve zero-day threats."

"But the proof of the pudding is in the eating. And this is a pudding that costs $21,000."

Pieter Antz, malware intelligence analyst at Malwarebytes, argues that simply knowing what the exploits are is not always enough to understand the damage they could cause.

"The problem is that knowing the exploits does not help white-hats, unless it is very obvious how they can be used in malware," said Antz, in an email to IT Pro. "It could help the firms that created the exploitable software however, and enable them to close the gaps and issue patches for them."

However, Antz warns that companies still run the risk of being stung by false promises: "It's the same as paying to have your files unlocked from ransomware - there's no guarantee the files will be released and you're helping to perpetuate the behaviour."

There isn't long to decide. In a cryptographically signed message, published on Tuesday, the group said that if a user sends 100 ZEC (one ZEC is currently worth $237) in Zcash, a virtually untraceable cryptocurrency, to a specified z_address, they would receive an email with a link and a password when the dump is made available in June.

In broken English, the post added: "Act quickly is good chance Zcash price increasing over time."
