Inside the hackers' supermarket part 2: Zero-day exploits

In the second of this series exploring cybercrime tools for sale on the dark web, we look at how hackers are making money by selling details of previously unknown - or zero-day - vulnerabilities in software.

By Andy McCue

Tue 8 Aug 2017 @ 16:07

Zero-day exploits may not be the most common type of security threat, but their very nature means they can have a huge impact.

Take the infamous Stuxnet malware, for example. Back in 2010, it used four zero-day exploits to infect the industrial control systems of an Iranian nuclear facility and caused its centrifuges to spin out of control.

In the hands of a malicious black-hat hacker, a zero-day exploit is clearly a dangerous threat and a valuable cybercrime tool. Hackers can use the critical time gap between a vulnerability in a piece of software being discovered, and a patch being issued to fix it, to their advantage. During that window, every organisation and individual running that software is potentially vulnerable to attack. The clock is ticking.

D-day for zero-day exploits

Recent security research predicts that the vast amounts of new software being released, coupled with a thriving cybercrime economy on the dark web, will see zero-day exploits increase from one per week in 2015 to one per day by 2021.

In response to this threat, the big software vendors are increasing the rewards they offer to people finding and notifying them of bugs in their software, before those vulnerabilities can be exploited. Such bounties, however, are small change compared to the potential profits that can be made by selling details of the vulnerabilities on the dark web - but more of those prices later.

There's also something of a halfway house between known bugs and zero-day ones. According to the Hackers' Bazaar report, "half-day" exploits are far more common. These are where the software vendor knows about the vulnerability and has issued a patch, but few users are aware of the flaw and have yet to implement the fix.

As we looked at in part 1 of this series on cybercrime tools, the dark web is the place where zero-day exploits are traded. Armed with a pocket full of bitcoin and the Tor browser, buyers can visit dark web markets such as AlphaBay and Dream Market, which emulate the browsing, searching and buying features of popular legitimate e-commerce and auction websites.

On the dark web, however, the items on the virtual shelves are very different and include almost every kind of tool a cybercriminal could want.

Unlike other cybercrime tools, the price range for a zero-day varies wildly - from a few thousand dollars up to hundreds of thousands of dollars - depending on which software it exploits and the likely number of users, the severity of the vulnerability and the window of opportunity to exploit it.

Just last year a Microsoft Windows zero-day exploit was being touted for sale on an underground forum by Russian hackers for $90,000. According to a report on ZDNet, the exploit was capable of working against all Windows operating systems from Windows 2000 to Windows 10, and the buyer was promised the source code, a demo, instructions, consultancy and free updates.

The very fact that zero-day exploits target as yet unknown or unpublished vulnerabilities makes them hard for organisations to defend against. Of course, it's worth remembering the most commonly exploited security vulnerabilities are actually well-known ones that have been public for some time, and which can be addressed by keeping system patches up to date.

Fighting back

Security experts are also leading the fight back. Arizona State University has developed a machine-learning model to better track the market for zero-day exploits. The university says it is capable of finding 92 per cent of 'products' in the marketplace and over a recent four-week period it detected 16 such exploits, including a significant Android one being offered for sale at $20,000.

Ultimately, however, organisations need to treat zero-day exploits as just another type of advanced persistent threat (APT) that poses a danger today, and mitigate that through a comprehensive security information and event management (SIEM) strategy.