The recent surge in zero-day vulnerabilities has been driven by a thriving global trade in zero-day vulnerabilities and exploits – and they are legal, unregulated, and sometimes openly advertised. Today, there’s more zero-day exploits coming up for sale by groups that have democratized the attack vector and placed them within reach of less sophisticated attackers.
With a range of bad actors using and stockpiling zero-days, from state-sponsored groups to ransomware gangs, companies need a clear security strategy that takes these prolific and hard-to-detect threats into account.
Defining a zero-day
These zero-day vulnerabilities are previously unknown software, hardware, or firmware vulnerability for which no mitigating patch currently exists. Security pros are typically not aware of a zero-day until/unless it gets detected “in the wild” having been exploited by a security researcher who may have reported it to a vendor or it’s reported through legitimate channels like Mitre’s CVE Program. The CVE program has been designed to identify, define, and catalog publicly-disclosed cybersecurity vulnerabilities.
Sometimes zero-day vulnerabilities are discovered accidentally. But mostly they’re found by specialist hackers or research teams who look for them either as a “public service” or to monetize their efforts through a vendor’s bug bounty program, a zero-day broker, or direct to a third-party.
Buyers and sellers
Who’s buying zero-days? Not just cybercriminals, but also governments and private companies looking to gain a competitive advantage, stockpile “deterrents” or to use them as a cyberweapon. It’s well-known that code vulnerabilities figure prominently in espionage and cyber warfare and are part of the new cyberwar environment. Also, part of the zero-day marketplace are the many bug bounty programs offered by major software vendors, as well as vendor-neutral bug bounties.
Who’s selling? Often, it’s zero-day brokers like Zerodium. Brokers are “middlemen” who advertise they will pay security researchers (white-hat or otherwise) millions of dollars for details of a zero-day vulnerability that has a proof of concept exploit. The highest bidder the broker may sell to could be the vulnerable software’s vendor looking to patch their code, or it’s often a nation state looking for a new weapon in the global cyber war.
Cybercriminals have also begun packaging zero-days in exploit-as-a-service kits sold on the “dark web.” This business model lets skilled hackers “lease” zero-day exploits to other threat actors to conduct cyber-attacks on their targets of choice. Presumably, zero-days are among the priciest such offerings because of their higher probability of success.
What zero-days sell for
According to a source at Zerodium, the researchers who first published the recent Follina vulnerability in Microsoft Office 365 could have sold it to a zero-day broker for something like $250,000. Per their website: “Bounties for eligible zero-day exploits range from $2,500 to $2,500,000 per submission. The amounts Zerodium pays to researchers for their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit: full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, and process continuation.
Black market prices for zero-days are often higher than what white market of bug bounty programs offer because of the greater overhead (money laundering) and risks (arrest and criminal prosecution) associated with going that route.
Why we see more zero-day attacks
Today, many zero-day research teams are finding more zero-day vulnerabilities for a combination of factors, including:
- Software proliferation: More software and systems are being created, which produces an ever-growing attack surface with more vulnerabilities to exploit.
- Better reporting and more resources available and involved: For example, 2021 was the first year that Android and Apple publicly disclosed zero-days they knew about, which added 12 to the list.
- Rise of third-party brokers: More third-party brokers taking advantage of increased demand for zero-days.
- Expansion of ransomware groups: An increase in financially-motivated development of zero-day exploits as part of ransomware business models. As established ransomware gangs become increasingly wealthy, they can afford to pay highly skilled hackers to find or sell them zero-days.
What to do about zero-days
With zero-day attacks on the rise and more types of threat actors using them, organizations need to improve their ability to mitigate threats from these unknown vulnerabilities.
Security teams can start by deploying advanced threat detection that uses cloud-based sandboxing, which works by executing and analyzing suspect files in a contained environment. These prevention-focused tools help to block unknown threats, including ransomware, before they can spread to networks, endpoints or users. When combined with human expertise an advanced threat detection program helps companies to stay ahead of threats and prevent them before they show up on the doorstep.
So even after a security team patches a vulnerability, businesses are still at risk until they apply the patch. That’s why security experts repeatedly emphasize the importance of a strong patch management program to block the exploitation against known vulnerabilities.
Tony Anscombe, chief security evangelist, ESET
