Shadow Brokers Offers Database Of Windows Exploits For Sale

Notorious hacking crew claims tools are from NSA-affiliated Equation Group, and include plugin for tampering with event logs.

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Anyone with the equivalent of around $680,000 and a hankering for breaking into other people’s computers can now purchase an entire database of exploits and toolkits for attacking Windows systems.

Shadow Brokers, the hacker crew that last year made headlines by trying to auction off a whole set of top-secret cyber weapons allegedly used by the National Security Agency (NSA), is back again, this time with a set of exploits for breaking into Windows systems.

The tools, which include a collection of fuzzers for Windows components, are available for sale on a website on ZeroNet, a decentralized network of peer-to-peer systems. The attack tools range in price from 10 Bitcoins, or around $9,000 a piece, to 250 Bitcoins, or about $228,000.

The Shadow Brokers advertised the sale on Twitter late last week and have claimed the cache of exploit tools belongs to The Equation Group, an outfit believed affiliated with the NSA.

Apart from a screenshot listing the names and the prices of individual Windows hacking tools in the data dump, little specific information is available on them, said Jacob Williams, founder of Rendition InfoSec in a blog.

The screenshot suggests that one of the exploits contains a possible Server Message Block (SMB) zero-day exploit, but there is no indication which one exactly, Williams said.

“For the price requested, one would hope it is a zero-day. The price is far too high for an exploit for a known vulnerability,” Williams said.

Most of the tools listed in the screenshot also have version numbers that suggest they have been through multiple iterations. This would appear to lend credence to claims by the Shadow Brokers of the exploits being real, Williams said.

Significantly, one of the listed plugins suggests that the Shadow Brokers have in their possession a tool for editing and tampering with the Windows event logs that incident response and forensics experts rely on during investigations. Attackers have shown the ability to clear event logs or to stop logging altogether in the past but the ability to modify event logs is considered very advanced, Williams said.

“Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they've done previously), it will undermine the reliability of event logs in forensic investigations,” Williams cautioned.

Andra Zaharia, security evangelist at Heimdal Security, says the tools appear designed to be executed on servers and used to attack a wide range of applications designed for Windows platforms, including browsers.

“The tools can be used to exploit specific types of software built for Windows. For example, attackers can embed a Flash exploit into a tool designed to hack browsers. The Python tools in the list, for example, are designed to exploit servers that run Microsoft,” she says.

The attack tools that the Shadow Brokers have offered for sale appear to be exclusive and not available anywhere else, Zaharia added.

Some believe the Shadow Brokers are Russian operatives or people working on behalf of the Russian government. Their release last year of more than 300 GB of data on tools the NSA had developed and used over the years for breaking into adversary systems sent shock waves through the security industry and intelligence community. 

Some believed the data dump - and the threat to release data on many more tools apparently purloined from the NSA - was designed to deter the US from taking action against Russia for several election-related hacks.

Last November, the group released more information, this time on servers that the NSA had broken into and then used for hosting and distributing exploits.

The timing behind the release of the Windows attack tools does not appear to be random, according to Williams. “It’s hard to believe the timing is purely coincidental and has nothing to do with the release by US intelligence about the Russian hacking of the [Democratic National Committee].

“However, it is important to note that no tools are offered for proof of the dump this time,” he said.

Related stories:

 

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights