News broke yesterday that the Shadow Brokers hacking group, widely believed to have stolen NSA hacking tools including the now infamous WannaCry ransomware, have announced details of a monthly dump service. This new monthly dump service is yet another attempt from the Shadow Brokers to commercialize and sell their exploits. IT security experts from Lastline and Avast commented below.
“Shadow Brokers dump service reinforces the professional nature of cybercrime. The industry has known for a long time about underground websites where personal data and lists of stolen credit card data is for sale. But the degree to which cybercrime is a business goes far beyond this. For example, Fraud-as-a-Service has been available for years. Criminals share best practices, specialize and work together to develop sophisticated attacks. It’s good business for their local economies and what Shadow Brokers is doing is just one more piece of evidence that demonstrates the mature business model that the security industry is up against.”
Michal Salat, Director of Threat Intelligence at Avast:
“Shadow Brokers is not looking to sell the leaked exploits exclusively to Microsoft and other affected companies, so they can fix the vulnerabilities to protect their users. Shadow Brokers could have reported the zero-days to the respective bug bounty programs, but Shadow Brokers want more money than what is being offered by various companies’ bug bounty programs. They initially offered the data for a whopping $500 million, which is much higher than what is usually paid, but since no one was willing to pay, they are now offering access to a wine club type of subscription, where members would get exploits sent to them every month, rather than wine. We have noticed a crowdfunding initiative through Patreon to purchase the first monthly subscription. The two main actors claim to be security researchers who want to purchase the exploits to then analyse the data, ascertain the risks and disclose information to the appropriate parties. While they have good intentions, it’s important to question whether or not anyone should pay and thus reward Shadow Brokers for their criminal activities.
Security researchers wanting to get their hands on the exploits, before cybercriminals, sounds like a good thing. However, we have to consider that paying Shadow Brokers for the exploits would almost be like rewarding them for their criminal activities and will encourage them to continue.
It is important to note, that this initiative is something completely different than a bug bounty program. Bug bounty programs are programs where companies proactively offer to purchase bugs or vulnerabilities from the researchers or white hat hackers that discover them.
If a hacker approaches a company directly asking for compensation and in turn gives the company critical vulnerabilities that could potentially cause serious damage to the company and its customers, then yes, it is a good idea to pay hackers and fix the problem. However, in this case, paying Shadow Brokers for stolen data is not a good idea in my opinion, as it in a sense is validating what they have done and rewarding them.”
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.