Cybercriminals discuss new business model for zero-day exploits

A new business model for threat actors may level the playing field among cybercriminals and pose more trouble for enterprise security teams.

While gathering vulnerability intelligence through dark web forums, Digital Shadows researchers observed discussions on the emergence of exploit as a service, which would "inevitably lower the barrier for accessing sophisticated exploits." In this scenario, rather than sell a zero-day exploit to one threat actor, the developer would rent it out to as many people as possible in a controlled way as not to burn it.

Over the past few months, Digital Shadows researchers have been monitoring these discussions, which have been gaining attention and responses from a variety of users. The threat intelligence vendor released findings in a blog post and research paper this week. Stefano De Blasi, cyber threat analyst at Digital Shadows, told SearchSecurity they have observed a sort of cooperation within the cybercrime ecosystem.

The potential new service is a product of the highly profitable zero-day market, where researchers have seen multimillion-dollar price tags for exploits. For De Blasi, it's another sign of the "lowering of the professionalization and sophistication needed to conduct certain attacks." 

"Traditionally, zero-days have always been a prerogative of state-sponsored actors because, of course, they were the ones with the most financial and technical resources. But in the last few years, the professionalization and sophistication of cybercrime has also led cybercriminal groups to compete with state-sponsored actors for buying these zero-days," De Blasi said.

However, from a developer perspective, De Blasi said the current business model is not always viable.

Though there are legitimate, legal ways to purchase exploits, Digital Shadows' research focuses on the illegal marketplace. In that market, when a malware developer discovers a zero-day vulnerability and creates a tool for it, they will try and auction it on a cybercriminal forum, according to De Blasi. While prices can reach several millions of dollars, it is not always the case and there is not always an immediate buyer. That's where an exploit-as-a-service model comes in.

"In this way, [developers] can try and monetize that zero-day before they sell it entirely to someone else  -- or before the zero-day is discovered by security researchers, for example, and it's patched and they just lose all the potential money they could have made," De Blasi said.

It also benefits the cybercriminals who, according to the research blog, "could test the proposed zero day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis."

Though the business model has potential for both parties, it also poses risks such as multiple actors using the same zero-day. As soon as the zero-day is detected and it is clear someone is exploiting it, De Blasi, said it will lose the zero status and much of its value.

One possible solution he proposed was the organization of a series of attacks from all parties that rented the zero-day to maximize the zero-day status. It could work, said De Blasi, if the attackers that rent the zero-day exploits are sophisticated enough to obfuscate the traces and conduct cyberespionage campaigns, for example, rather than a ransomware attack, which may draw more attention.

"On the other hand, I think personally what is going to happen is that this exploits-as-a-service model will develop not as much with zero-days, but maybe with just-discovered vulnerabilities but ones that aren't broadly patched. So they will create some custom exploits and try to rent those ones instead of zero-days, because those are quite complicated," De Blasi said.

Cybercriminals are also addressing complications of the new business model. According to De Blasi's research, the discussions are "active and ongoing every day" as they try and find a solution to the problem of maximizing the revenues before zero-day exploits are detected and patched.

If this model takes off, De Blasi said it could cause serious issues for enterprise security teams, who could face more zero-day threats. Additionally, it could take advantage of unpatched vulnerabilities, which is already a main concern for enterprises because many are slow to patch.

"It will provide a lot of different actors with the capability needed to conduct some serious cyber attacks," De Blasi said.