SecurityWeek

Endpoint Security

Shadow Brokers Now Selling Windows, AV Exploits in New ZeroNet Marketplace

The group calling itself “Shadow Brokers” has apparently decided to start selling Windows exploits and what appear to be anti-virus bypass tools on a BitTorrent-powered ZeroNet peer-to-peer web platform.


Last year, the mysterious group leaked a series of firewall exploits, implants and other tools supposedly stolen from the NSA-linked Equation Group. In an attempt to cash in on a further set of exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools, the group announced an all-pay auction, but failed to reach its target.

The group also tried to make money through crowdfunding, setting a goal of 10,000 Bitcoins (roughly $7.8 million at the time), but later decided to sell the exploits directly, for a total of only 1,000 Bitcoins (currently ~$805,000). The group also offered interested parties the option of buying individual exploits. In October, the group released a batch of files supposedly linked to the Equation Group.

Starting last month, the group began directing interested buyers to a website hosted on ZeroNet, where the stolen exploits were put up for sale priced between 1 and 100 Bitcoins (BTC) each (or 1,000 BTC for the entire batch). Files were sorted by type, and buyers were encouraged to contact a Shadow Brokers member to make a purchase.

The group is now advertising what they claim to be Windows exploits and toolkits, including a series of tools that appear to have been designed specifically for anti-virus bypass, Jacob Williams has discovered. This is the first time the group has advertised Windows exploits; only UNIX-targeting hacking tools had been released before.

Screenshots the group posted on Twitter suggest the tools were split into two packages, one of them, called FuzzBunch, containing what appear to be remote code execution (RCE) exploits for IIS servers and the RDP, RPC, and SMB (Server Message Block) protocols, along with what is claimed to be a zero-day exploit for SMB.

The entire batch is advertised for 750 BTC (~$600,000), while the FuzzBunch package can be bought separately for 650 BTC. The exploits can be bought for 250 BTC. The zero-day for SMB is priced at 250 BTC as well.

The group also appears to be selling bypass tools for “Personal Security Products” from leading anti-virus vendors, including Avast, Avira, ESET, Kaspersky Lab, McAfee, Microsoft, Panda, and Symantec, among others. These claims, however, have not yet been confirmed.


Previously, the group had released some working tools, which suggests that their claims could be true. According to a Flashpoint report released in December last year, the data was stolen in July 2013, although timestamps have been modified, most likely to hinder analysis.

The security researchers also suggested that the files had been copied from an internal system or a code repository, based on the extensive use of Markdown, a markup language commonly used in code repositories. Flashpoint said it had “medium confidence” that a rogue insider was involved in the theft.

“Insiders with access to sensitive information can cause extensive damage, as Edward Snowden proved in June 2013. While the timeline of events shows that this is not directly related to Snowden, the close proximity of events raises the question if there were multiple insiders acting independently during 2013,” Flashpoint said last month.

Related: “Shadow Brokers” Put NSA Exploits Up for Direct Sale

Related: Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

Related: Industry Reactions to Shadow Brokers Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
