Details about the parallel economy of vulnerability exploits occasionally emerge on underground forums, though mostly hidden in private conversations, and they demonstrate the thickness of some threat actors’ wallets. Some adversaries claim multimillion-dollar budgets for purchasing zero-day exploits; however, those without such funds may still be able to use zero-days as a new ‘exploit-as-a-service’ concept becomes more common.
Conversations within cybercriminal communities about old and new vulnerabilities occasionally include offers to acquire exploits for large sums of money. One forum user offered $25,000 for proof-of-concept (PoC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that Chinese hackers have exploited since April 2021. Another threat actor with deeper pockets claimed a nearly $3 million budget for no-interaction remote code execution (RCE) bugs, or zero-click exploits, for Windows 10 and Linux. Additionally, the same actor offered nearly $150,000 for original solutions for “unused startup methods in Windows 10”, meaning persistence techniques that would make the malware active as soon as the system booted.
Zerodium, an exploit acquisition company, offers nearly $1 million for a zero-click RCE in Windows 10. Additionally, the broker paid nearly $2.5 million for a zero-click full-chain persistence in Android and $2 million for the iOS equivalent. Researchers from a risk protection company captured posts about the threat actors taking advantage of security weaknesses and observed conversations between threat actors about zero-day prices up to $10 million. According to the researchers, nation-state hackers are no longer the only bidders at such prices as cybercriminals, including ransomware groups, can afford multimillion-dollar sums.
On the other hand, completing a large sale is difficult and may take a long time. Developers could lose the opportunity to score big money when competitors develop their own exploit variant, driving prices down. Cybercriminals are therefore considering an “exploit-as-a-service” solution, which would allow exploit developers to rent a zero-day exploit to multiple parties. The researchers explain that while cybercriminals often wait for a definitive buyer, this solution could provide an opportunity for huge profits to zero-day exploit developers. Additionally, renting parties could test the proposed zero-day under this model and later decide to purchase the exploit on an exclusive or non-exclusive basis. Like malware-as-a-service, renting exploits would allow less-skilled adversaries to launch more complex attacks and target more valuable organizations.
Adversaries, whether financially motivated cybercriminals or state-sponsored hackers, are quickly integrating new attack methods and are constantly searching for new exploit code. Users of varying skill levels share knowledge and tools to improve their attacks and build stronger relationships that could prove profitable over time. Through these conversations about vulnerability exploitation, some users stand out in these communities. Below are the seven main categories of threat actors.
- High-Rollers – Threat actors selling and buying zero-day exploits starting at $1 million, sponsored by a nation-state or by successful entrepreneurs.
- General Merchants – Sellers trading less-critical vulnerabilities, exploit kits, and databases with information on companies with unpatched vulnerabilities.
- General Buyers – Technically skilled individuals interested in buying exploits but lacking funds to purchase them. They wait until the prices drop.
- Code Communicators – Threat actors sharing and advertising PoC exploit codes on GitHub.
- Show-Offs – Highly-technical forum members discussing bugs, participating in competitions, and sharing their knowledge on performing an exploit.
- Newbies – Less-technical users learning from more knowledgeable forum members and sharing information on other forums to earn credits or community standing.
- Newshounds – Contributors sharing articles and news about recently discovered vulnerabilities.
These actors aren’t searching only for new vulnerabilities; they also look for older bugs that received little attention and could still be exploited. Threat actor communities are highly active and strongly connected to the information security technical literature.
With threat actors developing new attack techniques that would allow them access to larger targets, it’s crucial for companies to stay current with the latest threat landscape and update their network’s security posture. At SpearTip, our 24/7 certified engineers continuously monitor your network at our Security Operations Centers for potential threats like zero-day exploits. SpearTip offers advisory services that quickly identify the risks that matter in real-world attacks. Our penetration testing is performed by our cybersecurity professionals, who exploit vulnerabilities in your environment to show your organization how an intrusion by adversaries might occur. SpearTip can perform several types of penetration tests to examine the limits of your cybersecurity and network.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.