APTs aren’t exactly a regimented bunch. They spring up, release a list of breached credentials, merge with other groups, disappear, and then return under suspicious circumstances. This is all par for the course, which is why it’s no surprise that the APT group known as “The Shadow Brokers” have announced that they’re going dark for the last time. These bad actors thought it would be a shame to leave without a parting gift, however.
You probably know that the Shadow Brokers were the ones responsible for hacking the NSA back in the summer of 2016. You probably also know that the tools leaked by the NSA hackers were of an extremely troubling nature—one tool was capable of compromising a Cisco VPN with a single malicious packet. As their last act, the Shadow Brokers have released a new cache of stolen material. Let’s see what it does!
Leaked Malware is a Serious Threat
Upon early analysis, the latest cache from the NSA hackers represent tools designed to help malware evade detection. This isn’t surprising—the Equation Group from which these tools were stolen specialized in stealthy long-term attacks. One tool in particular is specialized towards redacting event logs in Windows systems. This could prevent defenders with a SIEM or IDS from finding out if their machine has been breached.
Another exploit appears to target the Server Message Blog (SMB) function on Windows machines. This is a file sharing protocol, and the NSA hackers describe the exploit as a “cloaked backdoor” (which can be yours for the low, low price of 250 Bitcoins). This description suggests that the exploit subverts the SMB protocol in such a way that bad actors could use it as a channel to exfiltrate data undetected, or control a computer remotely.
Since no one has actually bought or studied this exploit, it’s unclear as to whether this is a legitimate threat. Either way, the zero day is credible enough that US-CERT has issued an alert urging administrators to disable SMB v1, and to lock all SMB traffic behind a firewall.
Have the NSA Hackers Gone Away for Good?
The Shadow Brokers have been nothing if not consistent—they’re all about the Bitcoins. Since their auction over the summer seems to have flopped, their new strategy is to leave the entirety of their ill-gotten gains up for sale, while otherwise vanishing entirely. Given that that the entire cache of leaked tools is going for about $8 million, it seems safe to say that they’ll be waiting awhile before anyone ponies up a check.
Are the NSA hackers gone for good? Probably not. As soon as the Shadow Brokers dropped off the map, a second account, “Guccifer 2.0,” returned from dormancy. The timing seems a bit suspicious—if you’ll recall, Guccifer 2.0 was the same account which leaked reams of stolen documents from the DNC during the 2016 election. Is Guccifer 2.0 a member of the Shadow Brokers? Are they a competitor? Is this related to the ongoing shakeup in the Russian Intelligence Services? We live in interesting times.
In the meantime, assuming that the Shadow Brokers eventually find a buyer for their malware haul, you should probably begin to defend yourself. SentinelOne offers remote protection against Zero Day attacks—our behavioral detection algorithm automatically detects malicious behavior, so that Zero Day malware can’t escape notice even if it hasn’t been seen before in the wild. For more information on how you can protect yourself from both advanced and common malware threats, read this whitepaper on The Wicked Truths About Malware & Exploits.