A cybercriminal is offering up what may well be a valid zero-day exploit for $90,000 that supposedly is effective against almost every version of Microsoft Windows now in use.
Trustwave researchers said the criminal group's claim that the exploit works on every iteration of the Windows operating system from Windows 2000 through Windows 10 is most likely valid, and the security firm expects someone to pay the asking price. The item was first spotted on May 11 on a Russian cybercrime website with an initial price of $95,000, which was lowered to $90,000 on May 23.
“Based on this and the prices we know about, the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign,” Trustwave wrote.
The exploit is a local privilege escalation (LPE) zero-day for systems running the 32-bit versions of the operating system. The LPE is particularly dangerous because, when paired with other malware, it can be used in almost any kind of attack.
“While the most coveted zero day would be a Remote Code Execution (RCE) exploit, Local Privilege Escalation vulnerabilities are likely next in line in popularity. Although such an exploit can't provide the initial infection vector like a Remote Code Execution would, it is still a very much needed puzzle piece in the overall infection process,” Trustwave wrote.
Since this is a case of criminals selling to criminals, the seller tries to build some level of trust into the deal by including two videos that supposedly show the exploit functioning properly. The first shows a Windows 10 system being exploited and the second shows the exploit bypassing all of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protections included in Windows 10.
Those behind the exploit say it will be sold only to a single buyer, who for $90,000 will receive the source code for the exploit and the demo, free updates that will address any security improvements added to Windows, a detailed write-up of the vulnerability details, and complimentary consultation on integrating the exploit.