Cybercriminals are started leasing our rather than just selling zero-day vulnerabilities under a potential ‘exploit-as-a-service’ model for the first time This approach would allow more capable threat actors to ‘rent out’ zero-day exploits to other cybercriminals to conduct cyber-attacks.
Zero-day vulnerabilities are the most expensive flaws advertised on cybercrime forums and other grey-area vendor sites on the clear web.
There exist two options available to any exploit developer seeking to lease their proof of concept (PoC): first, they can obfuscate their code in such a way that it is undiscoverable by the purchaser; second, they could develop their exploit into a ‘click-and-shoot’ tool, like those developed by technology firms for use by government agencies.
The first option may present increased profit margins for PoC developers. However, it would undoubtedly leave their code open to de-obfuscation by a sufficiently motivated and resourced purchaser.
The second option would require significant additional time and resources to develop the infrastructure to turn a raw exploit into a tool that can be launched from a panel by the purchaser, under the control of the exploit developer. While less vulnerable to de-obfuscation, it may still be possible to reverse-engineer such a tool.
The exploit-as-a-service model may offer malicious hackers a new means of diversifying their revenue streams, the practice of leasing or renting out a zero-day exploit to numerous parties increases the risk of ‘burning’ an asset.
Those who use the exploit against a high-profile target or a significant number of targets, would run the risk of the zero-day vulnerability (behind the exploit) being discovered, Threat actors discussing the exploit-as-a-service business model are aware of these significant issues.
If the business model proves viable, it would almost certainly increase the number of threat actors who can leverage sophisticated, and dangerous, zero-day vulnerabilities.
Researchers categorized the threat vectors in to below
- High-rollers: threat actors that sell and buy zero-day exploits for prices starting from $1,000,000, with wallets that may be sponsored by a nation-state or successful entrepreneurs
- General merchants: sellers that trade less-critical vulnerabilities, exploit kits, and databases with info (name and IPs) of companies with unpatched vulnerabilities
- General buyers: individuals with technical skills that are interested in buying exploits but rarely have the funds to make a purchase; they usually wait for the prices to go down
- Code communicators: actors that share and advertise PoC exploit code on GitHub
- Show-offs: highly technical forum members that discuss bugs, participate in competitions, and share some of their knowledge on performing an exploit
- Newbies: less-technical users that learn from more knowledgeable forum members’ they sometimes apply what they learn and share the info on other forums to earn more credit or just as a community service
- Newshounds: contributors that share articles and news about recently discovered vulnerabilities