Zero-day exploits are essential weapons in the arsenal of nation-state actors and cybercrime groups. Growing demand is fueling a multimillion-dollar market in which working exploit code commands extremely high prices.
Researchers from Digital Shadows published a report titled “Vulnerability Intelligence: Do you know where your flaws are?” that sheds light on how the criminal market for vulnerabilities and exploits is organized.
The researchers have observed threat actors claiming that they could sell zero-day exploits for up to $10,000,000.
“This is probably why zero-day sellers have moved their auctions to cybercriminal forums: to fish in this large and wealthy pool. Zero-day exploits are incredibly pricey and we’ve observed threat actors claiming that they could go away for up to $10,000,000 during our investigations. These prices can appear enormous but there‘s a key aspect to keep in mind.” reads the paper published by Digital Shadows experts. “Whatever legitimate bug bounty programs offer (and we’ve often seen them offering multi-million dollar bounties before), cybercriminals must offer more in order to compete with them, given the risks (jail time) and additional requirements needed during illicit activity (i.e. money laundering).”
The prices are enormous, but so are the profits and the effectiveness of attacks that rely on these vulnerabilities. Another factor to consider is that the high prices on the underground market are needed to keep exploit developers from disclosing the vulnerabilities to vendors through legitimate bug bounty programs instead.
The study reports the case of a threat actor offering $3,000,000 for a zero-click Remote Code Execution (RCE) zero-day vulnerability. This offer exceeds the payout of legitimate zero-day brokers such as Zerodium, which offers up to $1 million for a comparable exploit against Windows 10.
Zero-days are the most expensive flaws advertised on cybercriminal underground and hacking forums; however, older vulnerabilities remain highly valuable to crooks. Exploiting known vulnerabilities lets threat actors target a broad range of networks that have not yet been patched, and lower-skilled attackers are willing to pay for ready-made exploits of this kind.
Another consideration that emerged from the report is that nation-state actors are not the only buyers able to pay such prices: cybercriminal organizations, especially ransomware gangs, have comparable spending power.
Another phenomenon highlighted by the researchers is the “exploit-as-a-service” model, in which threat actors lease zero-day exploits to other cybercrime organizations for use in their own hacking operations.
“In fact, while a developer can generate large profits when selling a zero-day exploit, it often takes them a significant amount of time to complete such a sale. However, this model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer.” continues the study. “Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis.”
Digital Shadows researchers also categorize the different actors that make up the exploit market.
The experts stress that triaging risk on the basis of CVSS scores alone is not sufficient. A CVSS score conveys the technical severity of a particular vulnerability, but it does not reflect whether the flaw is actually being exploited in the wild at the moment.
The score also does not take into account whether compensating controls are already in place, nor how important the affected asset is. (A medium-severity vulnerability on a critical asset should generally be remediated before a critical-severity vulnerability on an unimportant system.)
The picture painted by the study suggests that the classical approach to vulnerability patching has to be improved: a new paradigm is needed to stay one step ahead of threat actors.
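To make the triage point concrete, here is an added example that is not part of the Digital Shadows report or of this article. It ranks a small, constructed inventory of vulnerabilities two ways: by CVSS base score alone, and by a context-aware score that also weighs observed in-the-wild exploitation (as reported by a vulnerability-intelligence feed), the presence of an exploit for sale on criminal forums, asset criticality and compensating controls. The weights, the record fields and the sample inventory are all assumptions chosen for illustration; the identifiers are labels, not real CVE numbers.

```python
from dataclasses import dataclass
from typing import List

# Assumed weighting of business impact by asset tier (illustrative, not from the report).
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}


@dataclass(frozen=True)
class Vulnerability:
    ident: str                  # constructed label, not a real CVE identifier
    cvss: float                 # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool     # e.g. flagged by a vulnerability-intelligence feed
    exploit_for_sale: bool      # e.g. exploit advertised on a criminal forum
    asset_criticality: str      # one of CRITICALITY_WEIGHT's keys
    compensating_control: bool  # e.g. service not reachable, feature disabled, WAF rule


def risk_score(v: Vulnerability) -> float:
    """Combine technical severity with real-world exploitability and business context.

    Assumed rules (illustrative):
      * Start from the CVSS base score (0-10).
      * Confirmed exploitation in the wild is the strongest signal: multiply by 2.0.
      * An exploit offered for sale is a weaker but real signal: multiply by 1.5.
      * Scale by asset criticality so business impact drives the ordering.
      * A compensating control halves the score rather than zeroing it,
        because controls fail and the flaw still needs a patch eventually.
    """
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {v.cvss}")
    if v.asset_criticality not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown asset criticality: {v.asset_criticality}")
    score = v.cvss
    if v.exploited_in_wild:
        score *= 2.0
    elif v.exploit_for_sale:
        score *= 1.5
    score *= CRITICALITY_WEIGHT[v.asset_criticality]
    if v.compensating_control:
        score *= 0.5
    return score


def cvss_only(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Naive ordering: highest CVSS first, ties broken by identifier."""
    return sorted(vulns, key=lambda v: (-v.cvss, v.ident))


def prioritize(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Context-aware ordering: highest risk score first, then CVSS, then identifier."""
    return sorted(vulns, key=lambda v: (-risk_score(v), -v.cvss, v.ident))


# Constructed sample inventory (not real data).
SAMPLE = [
    # critical CVSS, but on an isolated low-value lab host with a mitigation in place
    Vulnerability("V1", 9.8, False, False, "low", True),
    # medium CVSS on an internet-facing critical asset, actively exploited in the wild
    Vulnerability("V2", 6.5, True, False, "critical", False),
    # high CVSS, exploit advertised for sale, important asset
    Vulnerability("V3", 7.5, False, True, "high", False),
    # critical CVSS, no exploitation signal, mid-tier asset
    Vulnerability("V4", 9.1, False, False, "medium", False),
]


if __name__ == "__main__":
    print("CVSS only :", [v.ident for v in cvss_only(SAMPLE)])
    print("Contextual:", [(v.ident, risk_score(v)) for v in prioritize(SAMPLE)])
```

Run stand-alone, the CVSS-only ordering puts V1 (9.8) first and V2 (6.5) last, while the contextual ordering puts the actively exploited V2 first and the mitigated, low-value V1 last. Any real deployment would source the exploitation and for-sale flags from a vulnerability-intelligence feed and the asset tier from the CMDB; the weights above are a starting point to tune, not a standard.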
“Incorporating vulnerability intelligence will help you prevent and quickly mitigate the most relevant threats for your specific organization. Be aware that gathering and processing massive amounts of information into precise, timely, relevant intelligence requires human skills that are hardly scalable in the classical business-y way. Sometimes in-house resources are devoted to this end, and sometimes the work is outsourced.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, zero-day exploits)