ShadowBrokers offers CISOs zero-day details for $21,000

Bright blue code appearing on screen to denote hacking
(Image credit: Bigstock)

The criminal group responsible for leaking NSA hacking tools over the past nine months is marketing regular exploit kit notices at CISOs.

Shadow Brokers plans to charge security professionals and white hat hackers a $21,000 subscription fee for access to dumps of new zero-day exploits, giving them the opportunity to develop countermeasures to hacking tools that could otherwise prove catastrophic if released into the wild.

The person or group responsible for originally stealing and leaking NSA hacking tools has previously released data dumps that included two tools that were eventually used in the WannaCry ransomware attack, which affected over 200,000 computer systems in 150 countries.

While Shadow Brokers said it will make new hacking arsenals available for those that pay its fee, so anyone - including hackers - can sign up, its messaging appeared to target organisations trying to prepare themselves against the potential damage of a WannaCry 2.0.

"Question to be asking. 'Can my organisation afford not to be first to get access to the Shadow Brokers dumps'", Shadow Brokers' post reads.

The post makes it clear that this is a "high-roller risk", and gives little indication of what will be included in the data dump, although previous posts boast that it has 75% of the NSA toolkits, covering everything from browser exploits to compromised network data from Russian and Chinese nuclear missile programs.

Yet whether security professionals should pay to access the tools raises a moral question, as they are in effect directly funding Shadow Brokers' activities. What's more, this dump could be completely worthless.

Graham Cluley, security analyst and blogger, toldIT Prothat he believes there are too many unknowns around the data dump: "It's something I would feel uncomfortable with. If you pay malicious hackers for exploits you are creating a demand, and - in effect - encouraging them to continue to supply by doing more illegal hacking."

"Without knowing details of the exploits its hard to say how quickly they could be patched," added Cluley. "Certainly big technology companies have moved quickly in the past to resolve zero-day threats."

"But the proof of the pudding is in the eating. And this is a pudding that costs $21,000."

Pieter Antz, malware intelligence analyst at Malwarebytes, argues that simply knowing what the exploits are is not always enough to understand the damage they could cause.

"The problem is that knowing the exploits does not help white-hats, unless it is very obvious how they can be used in malware," said Antz, in an email to IT Pro. "It could help the firms that created the exploitable software however, and enable them to close the gaps and issue patches for them."

However, Antz warns that companies still run the risk of being stung by false promises: "It's the same as paying to have your files unlocked from ransomware - there's no guarantee the files will be released and you're helping to perpetuate the behaviour."

There isn't long to decide. In acryptographically signed message, published on Tuesday, the group said that if a user sends 100 ZEC (one ZEC is currently worth $237), a virtually untraceable cryptocurrency known as Zcash, to a specified z_address, they would receive an email with a link and a password when the dump is made available in June.

In broken English, the post added: "Act quickly is good chance Zcash price increasing over time."

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.