Security Experts:

Shadow Brokers Promise More Exploits for Monthly Fee

The hacker group calling itself Shadow Brokers claims to possess even more exploits stolen from the NSA-linked Equation Group, and anyone can have them by paying a monthly “membership” fee.

The Shadow Brokers have been in the news over the past days after unknown threat actors leveraged two of the exploits they leaked to deliver WannaCry ransomware to hundreds of thousands of systems worldwide.

The attackers have used an exploit called EternalBlue, which leverages an SMB vulnerability in Windows, to distribute the ransomware without user interaction. Microsoft patched the flaw in March and over the weekend it made available fixes even for outdated versions of Windows.

Some people blamed Shadow Brokers for the devastating WannaCry attacks, arguing that the ransomware could not have spread so easily without the exploits they leaked. Others believe the existence of the vulnerability would have come to light at some point even without them leaking the exploit.

The Shadow Brokers insist that their main goal is to make money and to demonstrate that they are a “worthy opponent” of the Equation Group.

The hackers claimed Microsoft postponed its February security updates to address the EternalBlue and other Eternal exploits. However, they pointed out that they had waited for 30 days after Microsoft rolled out the fixes before releasing the exploits.

The WannaCry attacks led to Microsoft president and chief legal officer Brad Smith renewing his call for governments to stop stockpiling vulnerabilities and disclose them to affected vendors.

Shadow Brokers, however, claims the NSA and Microsoft are “BFFs,” with contracts of “millions or billions of USD each year.” Their other conspiracy theories include an agreement between the NSA and Microsoft over not patching vulnerabilities until they are publicly disclosed, and Microsoft fixing the recent SMB flaw in secret after the NSA lied about the exploits it had been using.

Shadow Brokers claims to possess much more data and exploits, and in June the group plans on launching a subscription-based “service.”

According to the hackers, people willing to pay a monthly fee will receive exploits for browsers, routers, mobile devices, and Windows (including Windows 10). The offer also includes SWIFT network data and information on Russian, Chinese, Iranian and North Korean nuclear and missile programs.

Judging by the group’s previous offers to sell the data for thousands and even tens of thousands of bitcoins, the membership fee will likely not be small.

However, if someone offers to buy the remaining exploits and data from the Shadow Brokers, the group said it will go dark permanently as it will no longer have any financial incentive to continue taking risks.

In January, after failed attempts to make money via auctions, crowdfunding and direct sales, Shadow Brokers announced that it was retiring. With the renewed interest in the exploits it possesses, the group has apparently come up with yet another strategy for making a profit.

Related: "Shadow Brokers" Data Obtained From Insider

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.