ShadowBrokers Selling Windows Exploits, Attack Tools

The latest ShadowBrokers dump of alleged NSA tools, a cache of Windows exploits, surfaced over the weekend. And for the first time since these unannounced releases started last summer, analysts don't have the luxury of a free set of files to dig into.
The group is selling the cache for 750 Bitcoin, or close to $608,000 USD, it said in a post on onlyzero[.]net. From the screenshots made available on the ShadowBrokers Twitter feed, it would appear there is at least one zero-day exploit in the bunch targeting Server Message Block (SMB), the network file-sharing protocol implemented in Windows.
The ShadowBrokers appeared out of thin air last August, promoting an auction of attacks against enterprise- and telco-grade network gear allegedly belonging to the Equation Group, an APT thought to be associated with the NSA.
Researcher Jacob Williams looked at the screenshots and inferred the presence of a zero day from the price the ShadowBrokers are asking.
“Note that most of the tools have apparently been through multiple revisions, adding apparent legitimacy to the claim that these exploits are real,” Williams said. “Though another screenshot hints at a possible zero day SMB exploit, there’s no indication of which exploit names involve SMB (or any other target service).”
Williams also speculated that one of the listed tools, called EventLogEdit, should be of interest to forensics investigators.
“While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all). We’ve seen rootkit code over the years (some was published on the now defunct rootkit.com) that supported this feature, but often made the system unstable in the process,” Williams said. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation. If Shadow Brokers release this code to the world (as they’ve done previously), it will undermine the reliability of event logs in forensic investigations.”
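Williams's point is that an investigator needs some way to decide how far a log can be trusted once record-level editing is on the table. The Python below is an added example, not code from the article, from Williams, or from the ShadowBrokers cache, and it makes no assumption about what the advertised EventLogEdit tool actually does. It runs three generic integrity heuristics over a constructed set of Windows event records: gaps in EventRecordID (which the Event Log service assigns sequentially per log, so a missing ID means a record is absent), timestamps that run backwards relative to record order, and explicit clear events (Security 1102, System 104). The `EventRecord` type, the sample records and the `assess` helper are this example's own; on a real system the records would come from an .evtx file or a `Get-WinEvent` export.

```python
"""Integrity heuristics for a Windows event-log record stream.

Added example; not from the original article, the ShadowBrokers dump or
Jacob Williams. Makes no claim about how the advertised EventLogEdit tool
behaves. Sample records below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EventRecord:
    record_id: int        # EventRecordID: per-log sequence number
    event_id: int         # provider-specific event ID (4624, 1102, ...)
    timestamp: datetime   # TimeCreated / SystemTime
    channel: str          # "Security", "System", ...


# Event IDs written when a log is cleared (documented Windows behaviour).
CLEAR_EVENT_IDS = {("Security", 1102), ("System", 104)}


def find_record_id_gaps(records):
    """Return (last_seen, next_seen) pairs where record IDs jump by more than one."""
    ids = sorted(r.record_id for r in records)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]


def find_time_regressions(records, tolerance=timedelta(seconds=0)):
    """Return record IDs whose timestamp is earlier than the preceding record's.

    Records are written in record-ID order, so a step backwards in time with
    no accompanying clock-change event is worth a closer look.
    """
    ordered = sorted(records, key=lambda r: r.record_id)
    return [cur.record_id for prev, cur in zip(ordered, ordered[1:])
            if cur.timestamp + tolerance < prev.timestamp]


def find_clear_events(records):
    """Return record IDs of explicit log-clear events."""
    return [r.record_id for r in records
            if (r.channel, r.event_id) in CLEAR_EVENT_IDS]


def assess(records):
    """Summarise all three checks so a caller can decide a trust level."""
    gaps = find_record_id_gaps(records)
    regressions = find_time_regressions(records)
    clears = find_clear_events(records)
    return {
        "record_id_gaps": gaps,
        "missing_record_count": sum(b - a - 1 for a, b in gaps),
        "time_regressions": regressions,
        "clear_events": clears,
        "trustworthy": not (gaps or regressions or clears),
    }


# Constructed sample: records 1003 and 1004 are absent, and record 1007
# carries a timestamp older than the records written before it.
T0 = datetime(2017, 1, 9, 10, 0, 0)
SAMPLE = [
    EventRecord(1001, 4624, T0, "Security"),
    EventRecord(1002, 4672, T0 + timedelta(seconds=5), "Security"),
    EventRecord(1005, 4688, T0 + timedelta(seconds=40), "Security"),
    EventRecord(1006, 4634, T0 + timedelta(seconds=50), "Security"),
    EventRecord(1007, 4624, T0 - timedelta(minutes=5), "Security"),
    EventRecord(1008, 4624, T0 + timedelta(seconds=70), "Security"),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

A gap is evidence that records are absent, not of who removed them: a circular log drops records from the oldest end rather than the middle, and an exported subset filtered by event ID will show gaps by design, so run the checks against the full log file. A clean result does not prove the log is untouched either, since an editor that renumbers records would defeat the first check; it only tells you the cheap tells are not present.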
The screenshots also show a laundry list of plugins labeled DanderSpritz, which Heimdal Security researchers said were listed in some of the documents made public by NSA whistleblower Edward Snowden. The DanderSpritz plugins are available for 250 Bitcoin, while another set of exploits and fuzzing tools aimed at Windows machines is available for 650 Bitcoin. The cache also includes remote access tools, remote code execution exploits for a number of Windows protocols and services such as IIS, RDP and SMB, as well as an SMB backdoor.
In October, the group posted links to downloads of lists of hacked Sun Solaris and Linux servers allegedly compromised by the Equation Group. The servers listed were old, some compromised 15 years ago, and mostly in Iran, Russia, China and Pakistan.
In December, researchers at Flashpoint said an insider with access to an intelligence agency code repository was the likely source of the leak. Their research pointed away from an attack against NSA infrastructure and toward an insider or two.
Researcher Matt Suiche wrote a piece immediately after the first leaks last August speculating that the source of the ShadowBrokers files was likely an NSA insider as well. Suiche’s article lists a handful of reasons debunking claims that the files in the ShadowBrokers’ possession were mistakenly left on a staging server.