Cyber criminals are becoming more advanced as they continue to find new ways to deliver attacks, and some are now willing to buy zero-day vulnerabilities, something more traditionally associated with nation-states.
Knowledge about vulnerabilities and exploits can command a high price on underground forums, because being able to take advantage of them can be very profitable for cyber criminals. That’s especially if this involves a zero-day vulnerability that’s not known about by cybersecurity researchers, because attackers know potential victims won’t have had the chance to apply security updates to protect against it.
For example, in the weeks after Microsoft Exchange vulnerabilities were disclosed earlier this year, cyber criminals rushed to take advantage of them as quickly as possible, in order to benefit from the ability to carry out attacks before the security patches were widely applied.
Zero-day vulnerabilities are usually deployed by well-resourced, nation-state backed hacking operations – but analysis by cybersecurity researchers at Digital Shadows details how there’s increasingly chatter on dark web message boards about the criminal market for zero-days.
“This market is an extremely expensive and competitive one, and it’s usually been a prerogative of state-sponsored threat groups. However, certain high-profile cybercriminal groups (read: ransomware gangs) have amassed incredible fortunes in the past years and can now compete with the traditional buyers of zero-day exploits,” said Digital Shadows.
“States can purchase zero-day exploits in a legal way from companies that are solely dedicated to creating these tools,” Stefano De Blasi, threat researcher at Digital Shadows told ZDNet.
“However, when these tools are developed by cybercriminals outside of the law, it is likely easier to identify clientele from the cybercriminal world; there is however only a handful of cybercriminal actors who could afford the cost of a zero-day exploit”.
SEE: A winning strategy for cybersecurity (ZDNet special report)
Vulnerabilities like this can cost even millions of dollars, but that’s a price that could be affordable for a successful ransomware group which makes millions from every successful ransomware attack – and they could easily make what they spend back if the vulnerability works as intended by providing a reliable means of infiltrating networks.
But there’s another method of making money from vulnerabilities being explored, and it’s one which could place them into the hands of less-sophisticated cyber criminals – something known as “exploit-as-a-service”.
Instead of selling the vulnerability outright, the cyber criminal who discovered it can lease this out to others. It potentially starts making them money quicker than it would if they went through the complex process to sell it, and they could continue to make money from it for a long time. They also have the option of eventually selling the zero-day if they tire of leasing it.
“This model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer. Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis,” said the report.
Selling to government-backed hacking groups is still the preferred option for some zero-day developers for now, but a growing interest in exploits like this on underground forums indicates how some cyber criminal groups are approaching the level of state-backed operations.
“The rise of the exploit-as-a-service business model confirms that the cyber criminal environment is consistently growing both in terms of sophistication and professionalization. Some high-profile criminal groups can now compete in terms of technical skills with state-sponsored actors; many prominent ransomware groups in particular have now amassed enough financial resources to purchase zero-days advertised in illicit environments,” De Blasi explained.
The nature of zero-day vulnerabilities means defending networks against them is a difficult task but cybersecurity practices like applying critical security updates as soon as they’re released can stop cyber criminals having a lengthy window to take advantage of vulnerabilities. Organisations should also have a plan for what to do if they discover they’ve been breached.
“Well drilled and documented incident response strategies can provide crucial in responding to any attacker that may have gained access to a target’s environment,” said De Blasi.
MORE ON CYBERSECURITY