The first wave of ShadowBrokers leaks of Equation Group hacking tools posed a relatively benign threat. Some vendors had to scramble to patch zero days in older versions of their products, but for the most part the leaks and the accompanying auction were more of a novelty.
That obviously changed with the most recent dump of offensive tools targeting Windows, which included the SMB exploits that spawned WannaCry and still have researchers on edge.
The unknowns behind the ShadowBrokers compounded the industry’s anxiety two weeks ago when in the midst of the WannaCry outbreak, they announced a monthly subscription service for new exploits. Today, the group began marketing its Monthly Dump Service in earnest, announcing a price (100 Zcash, or approximately $23,000 USD) and instructions on how to subscribe.
The first dump is expected between July 1 and July 17, in a mass email to all confirmed subscribers. Zcash is a cryptocurrency whose shielded transactions are designed to hide sender, recipient and amount; it has already proved attractive to criminals, who have been infecting computers with mining software, according to a Kaspersky Lab report from December.
“If you caring about loosing $20k+ Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments,” the ShadowBrokers said in today’s announcement. “Playing ‘the game’ is involving risks.”
On the heels of the weaponized NSA SMB exploits being made public, experts were nervous about what the monthly dumps could contain going forward. The ShadowBrokers hinted at a number of possibilities, from browser, router and mobile exploits, to attacks targeting Windows 10 machines, to the release of data stolen from SWIFT providers, central banks, and Russian, Chinese, Iranian or North Korean nuclear and missile programs.
The group’s initial leak came last August, when a cache of Equation Group attacks was released online and an auction seeking 1 million Bitcoin was started for the rest of the attacks in the ShadowBrokers’ possession. Most of the attacks targeted routers and firewalls from Cisco, Juniper, Fortinet and others, and most were time-stamped at least three years prior.
No one met the ShadowBrokers’ price and the leaks intensified, peaking with April’s dump of Windows attacks and evidence the NSA had access to SWIFT Service Bureaus in the Middle East, affording the intelligence agency access to data from financial institutions in the region.
As it turned out, Microsoft had already patched the Windows vulnerabilities, and evidence mounted that the company had been tipped off by the NSA in advance of the leak, the Washington Post reported. Nonetheless, many organizations failed to heed warnings to patch immediately, in particular MS17-010, the SMB patch that experts cautioned would rival the longevity of MS08-067, the patch for the vulnerability Conficker exploited. That same SMB exploit was allegedly used by the Lazarus Group, an APT attributed to North Korea, to spread WannaCry ransomware worldwide.
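The patch check itself, as an added example that is not part of the article: a PowerShell function for triaging a single Windows host for MS17-010 exposure. The KB numbers are the ones Microsoft published in the MS17-010 bulletin (plus KB4012598, which it also shipped out-of-band for XP and Server 2003 after WannaCry); the cmdlets are standard on Windows 8 / Server 2012 and later; the function name is my own.

```powershell
# Added example, not from the Threatpost article: local triage for MS17-010 exposure.
# Assumptions: run elevated in Windows PowerShell 5.1 on the host being checked; the
# Get-Smb* cmdlets require Windows 8 / Server 2012 or later.
# Caveat: on Windows 10 / Server 2016 the March 2017 packages are superseded by later
# cumulative updates, so an absent KB there is not proof the host is unpatched. Treat
# "SMBv1 enabled and no MS17-010 package present" as the finding that needs follow-up.
function Test-MS17010Exposure {
    # KB numbers listed in Microsoft Security Bulletin MS17-010 (March 14, 2017), plus
    # KB4012598, which Microsoft also released out-of-band for XP / Server 2003 after WannaCry.
    $ms17010Kbs = @(
        'KB4012598',               # Vista, Server 2008 (and the XP / 2003 out-of-band package)
        'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
        'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
        'KB4012214', 'KB4012217',  # Server 2012
        'KB4012606',               # Windows 10 1507
        'KB4013198',               # Windows 10 1511
        'KB4013429'                # Windows 10 1607 / Server 2016
    )

    # Which of those packages Windows Update reports as installed on this host.
    $found = @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
               Select-Object -ExpandProperty HotFixID)

    # Server-side SMBv1 switch: SMBv1 is the protocol the leaked SMB exploits target,
    # so a host with it disabled is not reachable by them even if unpatched.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Whether the SMBv1 optional component is installed at all. SMB1Protocol is the
    # client-SKU feature name; servers expose it as the FS-SMB1 role feature instead,
    # so this lookup is allowed to fail quietly there.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'unknown' }

    $verdict = if ($found.Count -gt 0) {
        'MS17-010 package present'
    } elseif (-not $smb1Enabled) {
        'SMBv1 disabled; confirm cumulative update level separately'
    } else {
        'FOLLOW UP: SMBv1 enabled and no MS17-010 package found'
    }

    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        MS17010KBsFound   = ($found -join ', ')
        SMB1ServerEnabled = $smb1Enabled
        SMB1FeatureState  = $featureState
        Verdict           = $verdict
    }
}

Test-MS17010Exposure | Format-List
```

Run it across a fleet with Invoke-Command and keep the objects rather than the formatted text; the Verdict field is deliberately conservative, since a missing KB on a Windows 10 host that receives cumulative updates is an "unknown", not a confirmed hole, and the only authoritative answer there comes from the update history or a vulnerability scanner that probes SMB directly.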
At that point, the months of old exploits and rants against the Trump administration written in broken English ceased to be amusing.
“I think it’s impossible not to take them seriously,” KPN CISO Jaya Baloo told Threatpost in a recent podcast.
The ShadowBrokers today said they had not decided what will be leaked first to subscribers, saying only that it will be “something of value to someone.”
“The time for ‘I’ll show you mine if you show me yours first’ is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first,” they wrote. “This is being wrong question. Question to be asking ‘Can my organization afford not to be first to get access to theshadowbrokers dumps?'”