Download our in-depth report: The Ultimate Guide to IT Security Vendors
The high-profile hacker group the Shadow Brokers, responsible for leaking the exploit stolen from the NSA that was responsible for last month's WannaCry ransomware campaign, recently announced a new "Monthly Dump Service," offering to provide undisclosed exploits on a regular basis in exchange for a monthly fee of 100 ZCash (ZEC), currently worth approximately $23,500.
"If you caring about loosing $20k+ Euro then not being for you," the hackers wrote in cartoonishly fractured English. "Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments."
As to what will be available in the next dump, the hackers wrote, "TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers' previous posts. ... Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'"
In a previous post, however, the hackers had claimed the monthly dump could include the following:
- Web browser, router, handset exploits and tools
- Select items from newer Ops Disks, including newer exploits for Windows 10
- Compromised network data from more SWIFT providers and Central banks
- Compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
Balabit product evangelist Csaba Krasznay told eSecurity Planet by email that no matter how real the threat is from the group, the situation is general is scary. "On one hand, if the exploits are really existing and someone (or multiple parties) buys them, we may be faced with another WannaCry campaign as we can be sure that the buyer(s) will monetize those exploits," he said. "On the other hand, if the whole story is not true, Shadow Brokers' questionable 'reputation' may suffer, and it may seek to prove trustworthiness in another destructive way."
"Whatever the truth is, it is clear now that governments should handle their cyber weapons in ways similar to the handling of their weapons of mass destruction," Krasznay added. "Otherwise, perhaps a disgruntled privileged administrator might steal one, or perhaps someone may simply forget to delete it after use in an operation. Those codes shouldn't get to a Shadow Broker-like group, and this is a governmental responsibility."
Cybercrime Business Models
Cyphort Labs senior director Mounir Hadad said by email that the Shadow Brokers' actions over the past year indicate that they're trying various business models to see what works. "They have tried an auction sale, a direct sale and now a subscription model," he said. "None of the past models has generated any revenue for them, neither from government agencies interested in offensive security nor from security companies trying to build protections."
With the new announcement, Hadad said he hopes security companies won't take the bait in an effort to avoid being the last to learn of new exploits. "Usually the industry is driven by a code of conduct that should prevent engaging in any shady activity and definitely not funding illegal activities," he said.
Lastline director of product John Cloonan said the group's launch of a monthly service reinforces the increasingly professional nature of cybercrime. "Criminals share best practices, specialize and work together to develop sophisticated attacks," he said. "It's good business for their local economies, and what Shadow Brokers is doing is just one more piece of evidence that demonstrates the mature business model that the security industry is up against."
Still, STEALTHbits Technologies vice president of product strategy Gabriel Gumbs said the group's motives deserve far more scrutiny. "Of the list of items that the Shadow Brokers have suggested would be a part of their monthly data and exploit dump service, compromised SWIFT network data is of the most value to both black hat hackers and the impacted organizations," he said.
Compromised SWIFT networks, Gumbs noted, were what led to last year's theft of over $81 million. "So why would a group of hackers need to peddle exploits and the like if they have, at their disposal, the means to steal untold amounts of money? I for one am very skeptical of the group and their motives," he said.