Businesses running their infrastructure on Microsoft Windows are advised to take extra care over the coming weeks. The individual or individuals known as the Shadow Brokers have announced their retirement from the cybercrime scene, and have marked the occasion by releasing a trove of exploitation tools allegedly obtained from the archives of the US National Security Agency (NSA).
Powerful Tools in Worrying Hands
The Shadow Brokers first appeared on the security scene last year with a headline-grabbing promise: a cache of offensive tools created by and for the US security services, which the group claimed to have taken from NSA systems, and now up for sale to the highest bidder. While questions were raised about the legitimacy of the archive, analyses by security and networking firms including Kaspersky Lab, Fortinet, Cisco and others pointed not only towards the tools being genuine but towards their link to the actor Kaspersky had dubbed the Equation Group, widely believed to be an NSA operation responsible for bypassing security systems in the name of national defense.
A Silent Auction
However, despite the tools appearing genuine, this did not cause a stampede of bidders. Why? The Shadow Brokers' unusual auction format was unsuccessful because anyone placing a bid would lose their money whether or not they won. You can imagine this was less than appealing. A switch of tactic followed. The group described it as a "crowdfunding" approach: if the community paid 10,000 Bitcoins (approximately £6.9 million or $8.3 million at current market price) into a specified address, the password for the archive would be made public.
This approach, too, proved a failure: only around 10 Bitcoins (around £6,900 or $8,300 at current market price) were ever paid in, far short of the group's goal. Interestingly, the cryptocurrency raised by the campaign remains untouched in the wallet to which it was deposited, and in the months that followed there was no sign of its new owners making any use of the funds.
A Disappearing Act
"So long, farewell peoples," the group's most recent message begins, in the tell-tale broken English that has become the Shadow Brokers' signature. "Continuing being much risk and bullshit, not many bitcoins. TheShadowBrokers is deleting accounts and moving on so don't be trying communications." The stilted syntax has led some to suggest that the group has Russian ties, but that remains unproven.
Claiming that "it [was] always being about bitcoins for TheShadowBrokers" and dismissing its previous free 'sample' data dumps and political posturing as "being for marketing attention," the group announced its retirement. Sadly, that is not good news for the technology industry: as a parting gift, the Shadow Brokers released a total of 58 individual attack tools, seemingly developed by the NSA's Equation Group and targeting the Windows operating system. These files are now available to all, and one thing is certain: they are going to be used. Where the tools had previously been under lock and key, in theory used only for matters of national importance by one of the world's largest and most secretive government agencies, they are now available for anybody to use for any purpose whatsoever.
Protecting Your Business
The good news is that the public release of the files from the Shadow Brokers' archive has done much to neuter their potential impact. While attackers, criminals, and other digital ne'er-do-wells can download the files for nefarious purposes, security companies are free to do the same with a more positive goal in mind: analyzing them in order to patch the security holes they exploit and add support to anti-virus and other malware-detection systems.
All 58 of the attack tools are now detected by the major anti-virus products on the market, so step one in protecting your business from the Shadow Brokers' stash is simple: make sure up-to-date anti-virus protection is running across every system on, or with access to, your network. Bear in mind that detection of the released files as they were published is a floor, not a ceiling: an attacker who repackages or modifies a tool may slip past a signature that matches only the original. Coverage must also include systems at the periphery. Targeted attacks on remote workers' laptops are all too common, because they take advantage of relatively lax security on the device before penetrating the corporate network the next time it connects locally or via virtual private network (VPN).
As the vulnerabilities exploited by the tools are analyzed, patches from software vendors will appear. Make sure that you have a patch process in place and keep yourself informed about the latest security updates. This applies both to the Windows operating system itself and to any and all software running on top of it. If you are running outdated software for which security updates have ceased, let the Shadow Brokers' release be the kick you need to spend the time and capital on upgrading. The alternative is spending far more of both in the near future undoing serious damage to your network and its precious data.
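As an added illustration of the two checks above (this script is the editor's, not part of the original article or anything published by the Shadow Brokers or Microsoft), the following PowerShell spot-check reports on a single Windows host: whether the anti-virus engine is enabled and its signatures are fresh, when the last security update was installed, what security-rated updates the Windows Update agent still considers outstanding, and whether the OS version is one that stopped receiving security updates years ago. It assumes Microsoft Defender is the installed anti-virus (other products expose their own status interfaces), that it runs in an elevated session on Windows 10 or Server 2016 or later, and that the Windows Update agent can reach Microsoft Update or a WSUS server. The age thresholds are illustrative and should be set to your own policy.

```powershell
# Editor's added example, not from the original article. Spot-checks the two
# controls recommended above (current anti-virus, current patches) on one host.
# Assumptions: Microsoft Defender is the AV product; run from an elevated
# PowerShell prompt; Windows Update agent has a reachable update source.
param(
    [int]$MaxSignatureAgeDays = 2,     # flag AV signatures older than this (illustrative)
    [int]$MaxDaysSinceUpdate  = 30     # flag hosts with no security update in this window (illustrative)
)

$findings = New-Object System.Collections.Generic.List[string]
$os       = Get-CimInstance Win32_OperatingSystem

# --- 1. Anti-virus: is Defender on, and are its signatures fresh? -----------
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('Anti-virus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))")
    }
} catch {
    $findings.Add("Could not query Microsoft Defender status: $($_.Exception.Message)")
}

# --- 2. Patching: when was the last security update installed? --------------
$lastSecurityFix = Get-HotFix |
    Where-Object { $_.Description -match 'Security' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastSecurityFix) {
    $findings.Add('No security updates recorded by Get-HotFix')
} elseif (((Get-Date) - $lastSecurityFix.InstalledOn) -gt [TimeSpan]::FromDays($MaxDaysSinceUpdate)) {
    $findings.Add("Last security update $($lastSecurityFix.HotFixID) was installed on $($lastSecurityFix.InstalledOn.ToShortDateString())")
}

# --- 3. Patching: ask the Windows Update agent what is still outstanding -----
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    # Keep only updates Microsoft rated with an MSRC severity (i.e. security fixes).
    $pending  = @($result.Updates | Where-Object { $_.MsrcSeverity })
    foreach ($u in $pending) {
        $findings.Add("Pending $($u.MsrcSeverity) update: $($u.Title)")
    }
} catch {
    $findings.Add("Windows Update search failed (offline, WSUS unreachable, or agent disabled): $($_.Exception.Message)")
}

# --- 4. End-of-life check for the 'outdated software' warning ---------------
# Windows XP and Server 2003 report NT version 5.x; their security updates
# ended in April 2014 and July 2015 respectively.
if ([Version]$os.Version -lt [Version]'6.0') {
    $findings.Add("$($os.Caption) (NT $($os.Version)) no longer receives security updates")
}

# --- Report ------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME ($($os.Caption)) - AV current, no outstanding security updates"
} else {
    Write-Output "FINDINGS for $env:COMPUTERNAME ($($os.Caption)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it as `.\Check-Readiness.ps1` from an elevated prompt, or push it through your management tooling and collect the output centrally; a single-host script like this is a sanity check, not a replacement for centrally managed anti-virus and patch reporting, and a host that reports "Windows Update search failed" should be treated as unknown rather than clean.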
Lurking in the Shadows
Sadly, this may not be the last we hear of the Shadow Brokers. The group is continuing its effort to raise funds by asking its 'fans' to keep contributing Bitcoin to its coffers, with the promise that if the original goal of 10,000 Bitcoins is hit it will return with a gift: the remaining Windows-targeting tools, plus a batch of software allegedly developed by the Equation Group targeting GNU/Linux, the most common server-side operating system. You have been warned!