Shadow Brokers launch subscription service for stolen exploits, zero-day leaks

The cyberattackers are demanding $23,000 every month for access to the cache of stolen vulnerabilities.
Written by Charlie Osborne, Contributing Writer

While the world scrambled to fight off the WannaCry ransomware which caused serious disruption to core services worldwide, the Shadow Brokers threat group were planning to cash in on the market for exploits used to deliver such malware.

Shadow Brokers, a threat actor group which hit the spotlight after stealing a cache of exploits, zero-day vulnerabilities, and hacking tools from the US National Security Agency (NSA)'s elite Equation Group, has been largely ignored in the past.

The group attempted to sell the full dump in August last year, for which the price was set at an astounding one million Bitcoin, roughly $567 million at the time or approximately five percent of all Bitcoin in circulation.

Now lamenting that no buyer has been found, Shadow Brokers is turning to a subscription model to try, once more, to cash in on the theft.

On Tuesday, the group announced a subscription service, beginning this month, designed to entice anyone from individual hackers to cybersecurity firms that want to get their hands on whatever is still in the cache, whether for nefarious means or to patch systems before any potential damage occurs.

Shadow Brokers is demanding 100 ZCash coins to join per month, roughly $23,000 at the time of writing.

ZCash (ZEC) is a virtual currency, not unlike Bitcoin, which uses the Equihash algorithm and tight information controls to disguise transactions. However, as with any system, the group is guaranteeing nothing.

"If you caring about loosing $20k+ then not being for you," the group said. "Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing "the game" is involving risks."

Shadow Brokers say they have not decided what to include in the next dump yet, but the attackers have hinted that the dump may include web browser, router, handset exploits and tools, fresh exploits for the Microsoft Windows 10 operating system, compromised network data from SWIFT users and central banks, or potentially information from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

After Shadow Brokers dropped a set of Windows SMB exploits alongside tools which appear to have been used by the NSA to target banking SWIFT systems back in April, the vulnerabilities were later used by attackers to spread WannaCry ransomware, which caused chaos across businesses and healthcare providers alike.

Microsoft quietly patched the majority of the hacking tools discovered in the dump before it was released, leading to speculation that the NSA may have tipped off the Redmond giant ahead of the event.

Earlier this month, researchers discovered that a vast cryptocurrency-mining botnet, which infects slave PCs to carry out the mining operation, is also spread through an NSA-leaked exploit sourced from the Shadow Brokers' dump.

"The time for 'I'll show you mine if you show me yours first' is being over," the group said. "This is being wrong question. Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'"

The first dump is expected to hit between July 1 and July 17 in a mass email to any who choose to pay up and subscribe, news which is likely to put researchers on edge.

The situation has left white-hat security researchers with a conundrum. Paying the hackers for access to whatever zero-days are released into the wild sends the wrong message, but on the other hand, no-one wants a repeat of WannaCry -- and for many businesses, a few thousand dollars is nothing in comparison to the damage such exploits may cause.

As noted by Motherboard, Matthew Hickey, co-founder of cybersecurity firm HackerHouse, has made his decision. Alongside another researcher, the security expert has launched a crowdfunding campaign to join the subscription list.

The pair's Patreon campaign has raised $1,175 at the time of writing, but if they do not reach their goal, the proceeds will go to charity.

"As a harm reduction exercise it is important that any compromised parties are notified, vulnerabilities in possession of criminals are patched and tools are assessed for capabilities," HackerHouse says. "We will release any and all information obtained from this once we have assessed and notified vendors of any potential 0days."

There is an ethical question here to answer -- is it ever right to pay criminals, even as a means to protect others? However, despite these concerns, the question still rests on the idea that the subscription service is genuine -- and there is no guarantee that the Shadow Brokers will hold up their end of the deal, assuming they have any dangerous exploits to offer.

As we've seen with WannaCry, keeping your systems up to date with security patches is essential, but with so many businesses and organizations still running legacy and out-of-support operating systems, they are leaving themselves open to potential attacks.
