TheShadowBrokers Continue to Leak Exploits and Generate Profits

A few weeks ago, our team at SurfWatch Labs released its mid-year threat intelligence report, which largely focused on how leaked exploits have helped to fuel cybercrime over the first half of the year. While the leak of exploits and hacking tools is not new — 2016’s surge of IoT-powered DDoS attacks were propelled by the release of the Mirai source code, for example — several high-profile global attacks leveraging leaked exploits in 2017 have helped to once again push the conversation to the forefront.

At the heart of that conversation is a group known as TheShadowBrokers. TheShadowBrokers is best known for its April 2017 release of stolen NSA exploits such as EternalBlue, an exploit that was leveraged, along with other leaked exploits, into May’s outbreak of WannaCry and June’s outbreak of NotPetya.

However, TheShadowBrokers first made headlines nearly a year ago when it announced that it was auctioning off a cache of tools stolen from the NSA’s Equation Group:

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. …

At this point, it remains unclear exactly how the sensitive hacking tools and exploits were stolen from the NSA, although investigators are pursuing several theories. What is clear is that multiple individuals were in possession of that data — including NSA contractor Harold T. Martin III, who was arrested two weeks after TheShadowBrokers announced its auction of NSA tools.

Timeline of NSA breach.

Although officials have not linked TheShadowBrokers and Martin, both of them were in possession of stolen NSA tools. Martin’s lawyer said that Martin’s intention was to use the data to get better at his job, not to ever release it. That is not true with TheShadowBrokers, who appear to enjoy toying with the media and have used the publicity around the WannaCry and NotPetya attacks to promote its new monthly exploit service.

What’s in TheShadowBrokers’ Monthly Exploit Service?

TheShadowBrokers claim to have released two sets of data dumps related to its monthly service so far — one for June and one for July — and each month they have continued to jack up the price of the data.

  • The June dump sold for 100 ZEC (Zcash) or 500 XMR (Monero).
  • The July dump sold for 200 ZEC or 1000 XMR.
  • The upcoming August dump is selling for 500 ZEC or 2000 XMR.

At today’s prices, that equates to more than $121,000 worth of Zcash or $101,000 worth of Monero for the August dump. Naturally, security researchers and organizations would like to know if the exploits and other data being released by the group is on par with EternalBlue, something less worrisome, or an elaborate troll job — but that’s a hefty price to pay a malicious actor just find out.

There was a brief crowdfunding effort by security researchers to purchase the exploits, but that was pulled after shortly after it was announced due to “legal reasons.”

However, at least one alleged purchaser of the June data dump was not satisfied with the 500 XMR purchase, writing under the name “fsyourmoms” on Steemit:

TheShadowBrokers ripped me off. I paid 500 XMR for their “Wine of the Month Club” and only they sent me a single tool that already requires me to have a box exploited. A tool, not even an exploit! The tool also looks to be old, and not close to what theShadowBrokers said could be in their subscription service.

An anonymous researcher that has been attempting to track Monero transactions associated with TheShadowBrokers, who posts on Steemit under the name “wh1sks,” later verified that “fsyourmoms” did, in fact, send 500 XMR to TheShadowBrokers’ June monthly dump address.

Image from “wh1sks” on Steemit.

The same researcher has confirmed that TheShadowBrokers likely received three Monero payments for its June data dump (including “fsyourmoms”) and two Monero payments for its July data dump.

“We know that TSB received no more than 2000 XMR [for its July dump],” the researcher wrote last week, although it is possible the group sent itself transactions to make it appear as though sales were occurring.

Like TheDarkOverlord, TheShadowBrokers appears to be trying to project an image of great success — perhaps to entice more people to purchase its services. As the group wrote in its August monthly dump announcement:

July is being good month for TheShadowBrokers Monthly Data Dump Service, make great benefit to theshadowbrokers. … Due to popular demand theshadowbrokers is raising prices for August to 500 ZEC or 2000 XMR.

TheShadowBrokers is also accepting Zcash, which cannot be tracked using the same methods as Monero. Therefore, it’s unclear how many transactions have been made using Zcash, and its possible that a larger number of users may have purchased the group’s data dumps.

If we take “fsyourmoms” at his or her word — who is the only individual to have publicly confirmed a purchase from TheShadowBrokers, as far as I can tell — we know that the June dump contained only one tool, but we don’t know what that tool even was. Was it worth more than $20,000 worth of cryptocurrency? At least one buyer says no. It remains unclear what was in the July dump, and what will be included in the upcoming August dump.

A lot remains unanswered when it comes to TheShadowBrokers, but it appears likely that other users have purchased or will purchase TheShadowBrokers’ data dumps. That means more dangerous tools and exploits could make their way into the hands of malicious actors in the near future, which is bad news for organizations. As we noted in our mid-year report, the impact of these leaked tools and exploits is often more dangerous and has a longer-lasting effect than perhaps any other type of cyber incident.

Weekly Cyber Risk Roundup: Chipotle and Kmart Announce POS Breaches

Payment card breaches were back in the news this week as both Chipotle and Kmart announced point-of-sale breaches affecting a number of locations.

2017-06-02_ITT

The Chipotle incident, which was first disclosed on April 25, appears to be the larger of the two breaches. A recent company update on the breach said it now includes most of the company’s 2,250 locations. The restaurants were affected by point-of-sale malware for various periods of time between March 24 and April 18.

The infection was made worse by Chipotle’s decision not to adopt EMV payment technology due to concerns that the upgrades would “slow down customer lines,” according to a recent class-action lawsuit filed over the breach.

The Kmart investigation is currently ongoing, so it’s unclear how many of the company’s 735 locations are affected; however, it may be less impactful than a similar point-of-sale malware infection in 2014 since all of Kmart’s stores were EMV ‘Chip and Pin’ technology enabled during the time of the most recent breach, the company said in its press release.

“We believe certain credit card numbers have been compromised,” Kmart’s parent company Sears Holdings said in a statement. “Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”

2017-06-02_ITTGroups

Other trending cybercrime events from the week include:

  • Top Secret information exposed to public: Top Secret information related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD), was exposed to the public via an unsecured Amazon Web Services “S3” bucket that required no credentials to gain access. Security researcher Chris Vickery and other Upguard researchers said the now-secured data set points to NGA contractors Booz Allen Hamilton (BAH) and industry peer Metronome. The data discovered included information that would ordinarily require a Top Secret-level security clearance from the DoD as well as plaintext credentials that granted administrative access to at least one data center’s operating system and what appeared to be Secure Shell (SSH) keys of a BAH engineer.
  • Healthcare breaches due to unauthorized sites, third-parties: Children’s Mercy said that patient information was compromised due to an unauthorized website operated by a physician that was created as an educational resource but did not have proper security controls in place. Adventist Health Tehachapi Valley said that 714 patients who used its vendor Fast Health to pay bills online to Tehachapi Valley Healthcare District and Adventist Health may have had their payment card details compromised due to unauthorized code on a server that was designed to capture payment card information.
  • Extortion attacks continue: A hacking group calling themselves “Tsar Team” has published more than 25,000 private photos and other personal data from patients of the Grozio Chirurgija clinic in Lithuania. The hackers broke into the servers of the cosmetic surgery clinic earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world. The blackmail ranged between €50 and €2,000 worth of bitcoin, authorities said, with nude photos, passport scans, and other sensitive data being used to ramp up the ransom demands. A hacking group known as “RavenCrew” has claimed responsibility for the hack of customer data from the ticketing platform Qnect and subsequent SMS messages that were sent to the company’s customers urging them to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom. It’s believed the hackers may have exploited a security hole recently noticed by a customer.
  • Other notable breaches: OneLogin, a company that allows users to manage logins to multiple sites and apps all at once, announced it had experienced a breach that impacts all customers served by the company’s U.S. data center. Old Mutual said the personal information of “a relatively small group” of customers in South Africa was compromised due to unauthorized access to one of its systems. Camberwell High School in Melbourne announced a data breach due to a student gaining unauthorized access to the school management software Compass and accessing the personal information of families. The incident is similar to a breach at Blackburn High School involving the Compass system that occurred two weeks ago. Augusta University said that a phishing attack led to unauthorized access to faculty email accounts and that as a result less than one percent of patients had their personal information exposed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-06-02_ITTNew

Cyber Risk Trends From the Past Week

2017-06-02_RiskScoresTheShadowBrokers continued to make headlines over its new subscription exploit service this past week. The hacking group said that it will release its first “dump” of planned monthly exploits and/or data to its subscribers in early July – for approximately $24,000.

Those who want to join the dump service must pay 100 ZEC (Zcash) by the end of June. The group said it has not yet decided what will be in its first dump, although it previously teased that such dumps could include:

  • web browser, router, and handset exploits and tools,
  • select items from newer Ops Disks, including newer exploits for Windows 10,
  • compromised network data from more SWIFT providers and central banks,
  • and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The group wrote that the monthly dump service is “for high rollers, hackers, security companies, OEMs, and governments.”

After TheShadowBrokers’ announcement, a crowdfunding campaign was started to help researchers and organizations purchase the upcoming July exploit dump; however, two days later the researchers behind the effort, England-based security researcher Matthew Hickey (aka Hacker Fantastic) and the French security researcher known as x0rz, cancelled the campaign citing legal reasons.

“What we tried with @hackerfantastic was a bet we could somehow get early access to help vendors and open-source software fix the bugs before any public release, that means making the 0days a little less toxic that it could have been if released (from 0day to 1day, still powerful but less efficient),” x0rz wrote. “I guess now we should only spectate what will happen next, like we did before. It’s unfortunate but that’s the way it ought to be.”

x0rz believes that TheShadowBrokers may still publicly release the dump because the group is “not here for the money and are really just seeking media coverage.” However, we’ll all have to wait until next month and see exactly what the group has to offer and – if it follows through on its promise – how damaging its monthly exploit and data dumps can potentially be for organizations.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

2017-05-19_ITT.PNG

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company as well as Swiss robotics and automation firm Rockwell Automation and ABB also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

2017-05-19_ITTGroup

Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the school’s IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-19_ITTNew

Cyber Risk Trends From the Past Week

2017-05-19_RiskScoresAs WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry.  “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.