A nation-state hacker
The Windows zero-day exploits leaked in particular have been deemed the “mother of all exploits” by Edward Snowden iStock

On Friday (14 April), mysterious hacker group Shadow Brokers dumped a massive trove of Windows exploits, among others, which experts believe may be one of the most damaging leaks of the year. The dump caused an immediate "cyber panic" and saw the infosec community scrambling to make sense of the immediate and long-term damages that could be caused on users, with many security experts claiming that the leaks expose the true extent of NSA's surveillance.

The Windows zero-day exploits leaked in particular have been deemed the "mother of all exploits" by Edward Snowden, who along with various experts took to Twitter to comment on the magnitude of the leaks. Security researchers analysing the dump have said that the yet-to-be patched exploits affect nearly all Windows systems, including NT, 2000, 2003, 2008 and up to 2012, as well as the consumer versions XP, Vista, 7 and Windows 8.

Cris Thomas (aka Space Rogue), strategist at Tenable Network Security told IBTimes UK, "There appears to be at least several dozen exploits, including zero-day vulnerabilities in this release. Some of the exploits even offer a potential 'God Mode' on select Windows systems. A few of the products targeted include Lotus Notes, Lotus Domino, IIS, SMB, Windows XP, Windows 8, Windows Server 2003, and Windows Server 2012."

Shadow Brokers dumped $2m worth exploits for free

According to Chaouki Bekrar, founder of Zerodium that sells zero-day exploits, the leaked cyberweapons, if sold, would have likely netted the Shadow Brokers $2m (£1.6m). Instead the hacker group dumped the alleged NSA stockpile for free.

"The f*****s burned $2 millions with one zip file," Bekrar told Motherboard in an online chat. "From an offensive perspective this leak is a huge loss, from a defensive perspective the leak is a massive threat to millions of Windows systems. Let's hope MS will fix these quickly."

NSA failed to warn Microsoft about zero-day stockpile

Microsoft said that it is "reviewing the report and will take the necessary actions to protect our customers." A spokesperson told The Intercept, "At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers." This indicates that the NSA chose not to contact the firm to inform them about the existence of the exploits.

Given that the Shadow Brokers have been sitting on this information since August 2016, the NSA presumably knew that the hacker group may have had access to their cyberweapons stockpile and could have alerted Microsoft, which in turn may have helped the firm issue out patches to protect users from potential attacks.

How dangerous is the Windows exploits dump?

According to Mathew Hickey, founder of UK-based Hacker House, who analysed the Shadow Brokers' latest dump, there are over 20 distinct exploits. 15 of these include an automated hacking tool called FuzzBunch.

"There are exploits here that are quite likely zero days that will let you hack into any number of servers on the internet," Hickey told Wired. "This is as big as it gets. It's internet God mode."

Meanwhile, the Shadow Brokers have hinted that they are not done yet and may leak more in the near future. "Maybe if all suviving WWIII theshadowbrokers be seeing you next week," the hacker group said. "Who knows what we having next time?


Microsoft has said that "most of the exploits" leaked by the Shadow Brokers in their latest dump have already been patched as part of a previous security update. The vulnerabilities were patched in March, indicating that the firm may have had prior knowledge of the existence of the exploits.

The firm said in a statement, "Of the three remaining exploits, "EnglishmanDentist", "EsteemAudit", and "ExplodingCan", none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering."