The latest Shadowbrokers dump of alleged NSA tools—a cache of Windows exploits—surfaced over the weekend. And for the first time since these unannounced releases started last summer, analysts don’t have the luxury of a free set of files to dig in to.
The group is selling the database for 750 Bitcoin, or close to $608,000 USD, it said in a post to on onlyzero[.]net. From the screenshots made available on the Shadowbrokers Twitter feed, it would appear there is at least one zero-day exploit in the bunch targeting the Windows Server Message Block protocol, a network file-sharing protocol implemented in Windows.
The ShadowBrokers appeared out of thin air last August, promoting an auction of attacks against enterprise- and telco-grade network gear allegedly belonging to the Equation Group, an APT thought to be associated with the NSA.
Researcher Jacob Williams looked at the screenshots and surmised the zero day by the price the ShadowBrokers are asking.
“Note that most of the tools have apparently been through multiple revisions, adding apparent legitimacy to the claim that these exploits are real,” Williams said. “Though another screenshot hints at a possible zero day SMB exploit, there’s no indication of which exploit names involve SMB (or any other target service).”
Williams also speculated that one of the tools listed called EventLogEdit should be of interest for forensics investigators.
“While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all). We’ve seen rootkit code over the years (some was published on the now defunct rootkit.com) that supported this feature, but often made the system unstable in the process,” Williams said. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they’ve done previously), it will undermine the reliability of event logs in forensic investigations.”
The screenshots also show a laundry list of plugins labeled DanderSpritz, which Heimdal Security researchers said were listed in some of the documents made public by NSA whistleblower Edward Snowden. The DanderSpritz plugins are available for 250 Bitcoin, while another host of exploits aimed at fuzzing Windows machines is available for 650 Bitcoin. The cache also includes remote access tools, remote code execution exploits for a number of Windows protocols and services such as IIS, RDP and SMB, as well as a SMB backdoor.
In October, the group posted links to downloads of lists of hacked Sun Solaris and Linux servers allegedly compromised by the Equation Group. The servers listed were old, some compromised 15 years ago, and mostly in Iran, Russia, China and Pakistan.
In December, researchers at Flashpoint said an insider with access to an intelligence agency code repository was the likely source of the leak. Their research pointed away from an attack against NSA infrastructure and toward an insider or two.
Researcher Matt Suiche wrote a piece immediately after the first leaks last August speculating that the Shadowbrokers were likely an NSA insider as well. Suiche’s article lists a handful of reasons debunking claims that the files in possession of the Shadowbrokers were mistaken left on a staging server.