Researchers detailed the multimillion-dollar market for zero-day exploits, a parallel economy that is fueling the threat landscape.
Zero-day exploits are essential weapons in the arsenal of nation-state actors and cybercrime groups. The increased demand for exploits is fueling a multimillion-dollar market in which these exploits are incredibly expensive.
Researchers from Digital Shadows published an interesting study titled “Vulnerability Intelligence: Do you know where your flaws are?” that sheds light on what the criminal vulnerability industry looks like.
The researchers have observed threat actors claiming that they could sell zero-day exploits for up to $10,000,000.
“This is probably why zero-day sellers have moved their auctions to cybercriminal forums: to fish in this large and wealthy pool. Zero-day exploits are incredibly pricey and we’ve observed threat actors claiming that they could go away for up to $10,000,000 during our investigations. These prices can appear enormous but there’s a key aspect to keep in mind.” reads the paper published by Digital Shadows experts. “Whatever legitimate bug bounty programs offer (and we’ve often seen them offering multi-million dollar bounties before), cybercriminals must offer more in order to compete with them, given the risks (jail time) and additional requirements needed during illicit activity (i.e. money laundering).”
The price is enormous, but the profits and the efficiency of the attacks leveraging these vulnerabilities are much greater. Another factor to consider is that high prices in the underground market are necessary to keep exploit developers from disclosing the vulnerabilities to vendors through their bug bounty programs.
The study reports the case of a threat actor offering 3,000,000 USD for a 0-click Remote Code Execution (RCE) zero-day vulnerability. This bounty is greater than the payout offered by legitimate zero-day broker firms like Zerodium, which offers up to $1 million for a similar exploit working on Windows 10.
Zero-days are the most expensive flaws advertised on cybercriminal underground and hacking forums; however, older vulnerabilities remain highly valuable to crooks. The exploitation of known vulnerabilities allows threat actors to target a broad range of unpatched networks. Low-skilled attackers are interested in paying for such kinds of exploits.
An interesting consideration that emerged from the report is that nation-state hackers are not the only ones able to pay such high prices; cybercriminal organizations, especially ransomware gangs, have the same spending capabilities.
Another phenomenon analyzed for the first time by the researchers is the “Exploit-as-a-service” model. Threat actors can “lease” zero-day exploits to other cybercrime organizations to conduct their hacking operations.
“In fact, while a developer can generate large profits when selling a zero-day exploit, it often takes them a significant amount of time to complete such a sale. However, this model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer.” continues the study. “Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis.”
Digital Shadows researchers also provide a categorization of the multiple actors that contribute to the exploit market.
- High-rollers: threat actors that sell and buy zero-day exploits for $1,000,000-plus. They have huge financial resources; in most cases they are state-backed actors, sometimes successful entrepreneurs.
- General merchants: sellers of less-critical vulnerabilities, exploit kits, and databases of companies with unpatched vulnerabilities that could be targeted.
- General buyers: skilled individuals that are interested in buying exploits but have limited funds; for this reason they usually wait for exploit prices to lower before buying.
- Code communicators: skilled individuals that share and advertise PoC exploit code on GitHub and hacking forums.
- Show-offs: skilled forum members that animate discussions about vulnerabilities, participate in forum competitions, and share some of their knowledge on performing an exploit.
- Newbies: less technically inclined users who absorb information from their experienced peers and apply it; they might even recycle it on various platforms. Their intentions for sharing this information may be based on “good faith”, or they may just be looking to inflate their reputation for sharing “original” information.
- Newshounds: community contributors that share articles and fresh news about recently discovered vulnerabilities.
The experts highlight that triaging risks by relying only on the CVSS scores assigned to vulnerabilities is not sufficient. The scores provide an understanding of the technical severity of a particular vulnerability but don’t reflect its real-time exploitability in the wild.
The score also doesn’t consider whether compensating controls are already in place, nor how important the affected asset is. (A medium vulnerability in a critical asset should always be remediated before a critical vulnerability on a non-important system.)
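The triage argument above, worked through as an added example (not code from the Digital Shadows report or from this article): the same findings ranked by CVSS alone and then by asset importance, exploitation evidence and compensating controls. The asset tiers, the 1.5 and 0.5 factors and the four findings are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed asset tiers (not from the report): higher means more important.
NON_IMPORTANT, STANDARD, CRITICAL = 1, 2, 3

@dataclass(frozen=True)
class Finding:
    vuln_id: str                # constructed placeholder, not a real CVE
    cvss: float                 # CVSS base score, 0.0-10.0
    asset_tier: int             # business importance of the affected asset
    exploited_in_wild: bool     # from a vulnerability intelligence source
    compensating_control: bool  # mitigation already in place on the asset

def contextual_score(f: Finding) -> float:
    """CVSS adjusted for exploitation evidence and existing mitigations.
    The 1.5 and 0.5 factors are illustrative assumptions."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 1.5
    if f.compensating_control:
        score *= 0.5
    return score

def rank_by_cvss(findings):
    """Classical triage: highest technical severity first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]

def rank_by_context(findings):
    """Asset importance sorts first, so any finding on a critical asset
    precedes any finding on a non-important one; within a tier, the
    contextual score decides."""
    key = lambda f: (-f.asset_tier, -contextual_score(f))
    return [f.vuln_id for f in sorted(findings, key=key)]

# Constructed sample findings.
FINDINGS = [
    Finding("VULN-A", 9.8, NON_IMPORTANT, False, False),  # critical CVSS, lab box
    Finding("VULN-B", 5.4, CRITICAL, True, False),        # medium CVSS, exploited
    Finding("VULN-C", 7.5, CRITICAL, False, True),        # mitigated already
    Finding("VULN-D", 8.1, STANDARD, True, False),
]

if __name__ == "__main__":
    print("CVSS only :", rank_by_cvss(FINDINGS))
    print("Contextual:", rank_by_context(FINDINGS))
```
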
The picture provided by the study suggests that the classical approach to vulnerability patching must be improved; we need a new paradigm to stay one step ahead of threat actors.
“Incorporating vulnerability intelligence will help you prevent and quickly mitigate the most relevant threats for your specific organization. Be aware that gathering and processing massive amounts of information into precise, timely, relevant intelligence requires human skills that are hardly scalable in the classical business-y way. Sometimes in-house resources are devoted to this end, and sometimes the work is outsourced.” concludes the report.
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine