Security Experts:

"Shadow Brokers" Put NSA Exploits Up for Direct Sale

After a failed attempt to sell stolen exploits from the National Security Agency at an auction just months ago, the hacker group calling itself Shadow Brokers has decided to sell them directly via a new website.

In August, the group leaked 300 Mb of firewall exploits, implants and other tools allegedly stolen from the NSA-linked Equation Group, and decided to cash in on a second batch of files, which supposedly include exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools. They launched an all-pay auction that raised less than two Bitcoin, so they switched to crowdfunding in October.

The goal was to raise 10,000 Bitcoins (roughly $7.8 million) through crowdfunding, but the hacker group apparently decided to attempt a new approach: selling the stolen exploits directly for only 1,000 Bitcoins (~$780,000). This new attempt comes weeks after the group released a batch of files at the end of October, saying that the IPs mentioned in the files correspond to machines used by the Equation Group.

A possible connection between the Equation Group and the NSA was made in Feb. 2015, and the Shadow Brokers leak appeared to consolidate that assumption. The leaked files appeared to come from the NSA-linked actor and were said to target a large number of devices from popular brands such as Fortinet, TOPSEC, Cisco, Juniper Networks, WatchGuard, and others.

Now, the Shadow Brokers apparently took it to ZeroNet, a platform for hosting websites using blockchain and BitTorrent technology, to come up with a site on which to sell the stolen exploits. Interested parties can pay 1,000 Bitcoins for the entire batch of files, or can purchase individual exploits that are priced at between 1 and 100 Bitcoins each.

The group decided to sort the available files by type, including implant, Trojan, and exploit, and also provide visitors with a selection of screenshots and files related to each item. One of the files is signed with a PGP key featuring a fingerprint matching that of the original dump from August, Motherboard reported.

Information about the new site initially appeared in a Medium post that also explained how interested parties could make purchases. They need to email a Shadow Brokers member, who responds with a Bitcoin address. After payment is made, the seller sends a link to the desired file, along with the decryption password.

After looking at the files that the Shadow Brokers group leaked in August, some vendors discovered exploits that were targeting their products, such as Juniper. Cisco identified an ASA software zero-day and started patching it only days later, but in September the company discovered yet another zero-day linked to the Shadow Brokers leak, and revealed that over 840,000 devices were affected by the issue.

Related: Industry Reactions to Shadow Brokers Leak: Feedback Friday

view counter