ShadowBrokers offers CISOs zero-day details for $21,000

The NSA-leaking group goads companies into forking out for early access to exploits

code

The criminal group responsible for leaking NSA hacking tools over the past nine months is marketing regular exploit kit notices at CISOs.

Shadow Brokers plans to charge security professionals and white hat hackers a $21,000 subscription fee for access to dumps of new zero-day exploits, giving them the opportunity to develop countermeasures to hacking tools that could otherwise prove catastrophic if released into the wild.

The person or group responsible for originally stealing and leaking NSA hacking tools has previously released data dumps that included two tools that were eventually used in the WannaCry ransomware attack, which affected over 200,000 computer systems in 150 countries.

While Shadow Brokers said it will make new hacking arsenals available for those that pay its fee, so anyone - including hackers - can sign up, its messaging appeared to target organisations trying to prepare themselves against the potential damage of a WannaCry 2.0.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Question to be asking. 'Can my organisation afford not to be first to get access to the Shadow Brokers dumps'", Shadow Brokers' post reads.

The post makes it clear that this is a "high-roller risk", and gives little indication of what will be included in the data dump, although previous posts boast that it has 75% of the NSA toolkits, covering everything from browser exploits to compromised network data from Russian and Chinese nuclear missile programs.

Yet whether security professionals should pay to access the tools raises a moral question, as they are in effect directly funding Shadow Brokers' activities. What's more, this dump could be completely worthless.

Graham Cluley, security analyst and blogger, toldIT Prothat he believes there are too many unknowns around the data dump: "It's something I would feel uncomfortable with. If you pay malicious hackers for exploits you are creating a demand, and - in effect - encouraging them to continue to supply by doing more illegal hacking."

"Without knowing details of the exploits its hard to say how quickly they could be patched," added Cluley. "Certainly big technology companies have moved quickly in the past to resolve zero-day threats."

"But the proof of the pudding is in the eating. And this is a pudding that costs $21,000."

Advertisement - Article continues below

Pieter Antz, malware intelligence analyst at Malwarebytes, argues that simply knowing what the exploits are is not always enough to understand the damage they could cause.

"The problem is that knowing the exploits does not help white-hats, unless it is very obvious how they can be used in malware," said Antz, in an email to IT Pro. "It could help the firms that created the exploitable software however, and enable them to close the gaps and issue patches for them."

However, Antz warns that companies still run the risk of being stung by false promises: "It's the same as paying to have your files unlocked from ransomware - there's no guarantee the files will be released and you're helping to perpetuate the behaviour."

There isn't long to decide. In acryptographically signed message, published on Tuesday, the group said that if a user sends 100 ZEC (one ZEC is currently worth $237), a virtually untraceable cryptocurrency known as Zcash, to a specified z_address, they would receive an email with a link and a password when the dump is made available in June.

In broken English, the post added: "Act quickly is good chance Zcash price increasing over time."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020