News broke yesterday that the Shadow Brokers hacking group, widely believed to have stolen NSA hacking tools including the now infamous WannaCry ransomware, have announced details of a monthly dump service. This new monthly dump service is yet another attempt from the Shadow Brokers to commercialize and sell their exploits. IT security experts from Lastline and Avast commented below.
John Cloonan, Director of Product at Lastline:
“Shadow Brokers dump service reinforces the professional nature of cybercrime. The industry has known for a long time about underground websites where personal data and lists of stolen credit card data is for sale. But the degree to which cybercrime is a business goes far beyond this. For example, Fraud-as-a-Service has been available for years. Criminals share best practices, specialize and work together to develop sophisticated attacks. It’s good business for their local economies and what Shadow Brokers is doing is just one more piece of evidence that demonstrates the mature business model that the security industry is up against.”
Michal Salat, Director of Threat Intelligence at Avast:
“Shadow Brokers is not looking to sell the leaked exploits exclusively to Microsoft and other affected companies, so they can fix the vulnerabilities to protect their users. Shadow Brokers could have reported the zero-days to the respective bug bounty programs, but Shadow Brokers want more money than what is being offered by various companies’ bug bounty programs. They initially offered the data for a whopping $500 million, which is much higher than what is usually paid, but since no one was willing to pay, they are now offering access to a wine club type of subscription, where members would get exploits sent to them every month, rather than wine. We have noticed a crowdfunding initiative through Patreon to purchase the first monthly subscription. The two main actors claim to be security researchers who want to purchase the exploits to then analyse the data, ascertain the risks and disclose information to the appropriate parties. While they have good intentions, it’s important to question whether or not anyone should pay and thus reward Shadow Brokers for their criminal activities.
Security researchers wanting to get their hands on the exploits, before cybercriminals, sounds like a good thing. However, we have to consider that paying Shadow Brokers for the exploits would almost be like rewarding them for their criminal activities and will encourage them to continue.
It is important to note, that this initiative is something completely different than a bug bounty program. Bug bounty programs are programs where companies proactively offer to purchase bugs or vulnerabilities from the researchers or white hat hackers that discover them.
If a hacker approaches a company directly asking for compensation and in turn gives the company critical vulnerabilities that could potentially cause serious damage to the company and its customers, then yes, it is a good idea to pay hackers and fix the problem. However, in this case, paying Shadow Brokers for stolen data is not a good idea in my opinion, as it in a sense is validating what they have done and rewarding them.”