Light Dark
January 23, 2017 By Douglas Bonderud 2 min read

In August 2016, a group known as the Shadow Brokers began auctioning off what it claimed were National Security Agency (NSA) hacking tools lifted from the spy agency itself. Now these cybercriminals are at it again, this time selling what appears to be a zero-day Windows exploit, which, according to Softpedia, may target the Server Message Block (SMB) function on Windows machines and permit the compromise of sensitive information.

While there’s no hard evidence that the Shadow Brokers actually have this software, the threat is substantial enough to warrant a warning from the U.S. Computer Emergency Readiness Team (US-CERT) for users to address potential SMB issues or, at the very least, update their Windows install.

Real Windows Exploit or Empty Threat?

As noted by Threatpost, this isn’t the first time the Shadow Brokers have dumped Windows exploits onto the web for profit, but they are using new tactics this time around. Instead of offering analysts a small handful of files to verify, these fraudsters are asking for a 750 bitcoin payout upfront, which translates to over $600,000, with only a few screenshots as proof.

While this could point to a bait-and-switch situation, security researcher Jacob Williams suggested that the tools, judging by the screenshots, may have gone through multiple revisions. This lends credence to claims that they’re actually legitimate exploits.

Despite the US-CERT warning, there’s not much in the way of hard and fast detail when it comes to the Windows exploit itself. The screenshots suggest that it centers on the SMB function. US-CERT said that since this function is available on all Windows systems, compromise could mean the loss of sensitive information.

As a precaution, the agency recommended that users and admins disable SMB v1 and block Transmission Control Protocol (TCP) ports 445 and 139, as well as UDP ports 137-138 for all boundary devices. However, the advisory noted that “disabling or blocking SMB may create problems by obstructing access to shared files, data or devices.” This may be a case of the cure being worse than the disease.

Critical Update

It’s worth noting that — so far — there’s no confirmation of any SMB zero-day in Windows, and Microsoft has no reports of unpatched vulnerabilities in the wild. As Threatpost noted, it’s possible that the Shadow Brokers are actually NSA insiders, meaning they could have access to high-level exploits on the cutting edge of software compromise. Still, per the US-CERT warning, there’s no harm in updating Windows 10 to the latest version.

According to TechTarget, Microsoft claimed that the new OS security measures are so effective they may even be able to stop some unpatched zero-day vulnerabilities. Windows 7 users, meanwhile, face “enormous dangers” because of the software’s “long-outdated security architectures.”

The Shadow Brokers are back, selling something they claim is akin to a zero-day Windows exploit kit for big money online. US-CERT agreed that a potential threat exists, but without definitive proof, blocking SMB may offer more problems than protection. An update to the latest version of Windows 10, meanwhile, gives Microsoft a chance to walk the talk and deliver on zero-day defenses.

 |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature