New criminal tactics: exploit-as-a-service and buying zero-day flaws

Ransomware gangs raised funds to buy zero-day flaws and move to advanced exploit-as-a-service operations

Zero-day exploits can become a service. Developers of malicious exploits might rent out zero-day flaws as a service.

Malicious actors have started to consider buying, leasing, and selling zero-day vulnerabilities.[1] Malware and cybersecurity researchers state that the new exploit-as-a-service model can now be used by criminals.[2] Virus developers have raised enough funds to consider different techniques, and underground forums have revealed possible exploitation and business plans. Zero-day flaws[3] are commonly used to deliver attacks related to nation-states. Now, attackers are willing to acquire vulnerabilities and exploits for the opportunity to make more profit.

If the particular flaw obtained is new and researchers haven't discovered the issue, it is more profitable, since security updates do not protect victims against such exploit campaigns. Some of the promotional ads in underground forums and other platforms show that attackers can raise multi-million dollar budgets for acquiring such zero-day exploits.

These flaws are often exploited by advanced attackers, mainly state-backed criminals. However, recent reports show that an increased amount of discussion on dark web message boards points to a market for these exploitation methods, making exploit-as-a-service a possible new idea that can become a reality.

Large sums for valuable exploitation methods

Criminals can offer large sums, $25,000 for example, for proof-of-concept exploit code for critical-severity flaws. A concrete example is the CVE-2021-22893 vulnerability in Pulse Secure VPN. This flaw was already exploited and used by Chinese hackers.[4]

Another hacker claimed a budget as big as $3 million for remote code execution bugs that require no interaction and can be called zero-click exploits. This bug can be used on Linux and Windows machines. This particular user offered $150,000 for a malware persistence solution that can launch a threat with each system boot.

These findings were publicized by researchers from the Digital Shadows risk protection company.[5] Their investigation into actors' attempts to take advantage of security flaws revealed that prices could go up to millions and as high as ten million apiece. Unfortunately, ransomware gangs have such funds, and the issue with such exploits can become serious.

This market is an extremely expensive and competitive one, and it’s usually been a prerogative of state-sponsored threat groups. However, certain high-profile cybercriminal groups have amassed incredible fortunes in the past years and can now compete with the traditional buyers of zero-day exploits.

Zero-day vulnerabilities used more commonly already

Exploit-as-a-service can emerge as an option for criminals who want to rent a zero-day exploit. Malware-as-a-service and ransomware-as-a-service show how successful such models can be for threat actors. The large payments involved can mean that malware developers cannot make money for a long time. A rental option would help zero-day developers make profits. The software can be tested this way, and later purchases might come easier because of this.

However, exploits get used pretty often, even though this technique is still unknown. These reports come weeks after the recent exploitation campaigns. Microsoft Exchange vulnerabilities were disclosed this year, and cybercriminals managed to leverage them. Hackers attempted to target various organizations that hadn't applied the released patches, aiming to obtain access to systems and carry out various malicious attacks.

Such underground forums have a variety of users, and their discussions got noticed by researchers. The skill level of threat actors also varies and, unfortunately for victims, keeps improving. Such communities are active and deeply connected, so new attack methods can increase attacks and campaigns against bigger targets.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.
