New approach echoes the depressingly successful ransomware-as-a-service business model
Cybercriminals are starting to consider leasing our rather than just selling zero-day vulnerabilities under a potential ‘exploit-as-a-service’ model for the first time, according to threat intel firm Digital Shadows.
This new approach would allow more capable threat actors to ‘rent out’ zero-day exploits to other cybercriminals to conduct cyber-attacks. This is similar to the ransomware-as-a-service affiliate model that has been adopted by some malware developers.
Zero-day vulnerabilities are the most expensive flaws advertised on cybercrime forums and other grey-area vendor sites on the clear web.
Digital Shadows has observed cybercriminals discussing zero-days prices reaching up to $10 million during its investigation into vulnerability sales through dark web forums.
Another zero-day, another dollar
Given their often-critical potential impact, large profits can accrue from selling zero-day flaws – but it’s often a complex (and dangerous) business to negotiate a sale.
The leasing model might enable zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer, said Digital Shadows.
Renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis. But how could they ensure they remain the sole owners of any zero-day exploit?
Digital Shadows told The Daily Swig that there are two options available to any exploit developer seeking to lease their proof of concept (PoC): first, they can obfuscate their code in such a way that it is undiscoverable by the purchaser; second, they could develop their exploit into a ‘click-and-shoot’ tool, similar to those developed by technology firms for use by government agencies.
Both approaches pose challenges for exploit brokers, as Digital Shadows outlined:
The first option may present increased profit margins for PoC developers. However, it would undoubtedly leave their code open to de-obfuscation by a sufficiently motivated and resourced purchaser.
The second option would require significant additional time and resources in order to develop the infrastructure to turn a raw exploit into a tool that can be launched from a panel by the purchaser, under the control of the exploit developer. While less vulnerable to de-obfuscation, it may still be possible to reverse-engineer such a tool.
Furthermore, this approach would almost certainly entail the developer having greater control and influence in the use of the exploit by the purchaser, and would rely on greater trust between the two parties.
Many eyes make all bugs shallow
The exploit-as-a-service model may offer malicious hackers a new means of diversifying their revenue streams.
However, the practice of leasing or renting out a zero-day exploit to numerous parties increases the risk of ‘burning’ a valuable asset.
“Those who use the exploit against a high-profile target or a significant number of targets, would run the risk of the zero-day vulnerability (behind the exploit) being discovered,” Digital Shadows’ photon research team told The Daily Swig.
“Threat actors discussing the exploit-as-a-service business model are well aware of these significant issues.”
“There is no consensus yet whether these obstacles may ever be overcome to the extent that the model becomes profitable for developers, who are primarily seeking to expand their revenue streams whilst waiting for an out-and-out buyer,” they added.
If the business model proves viable, it would almost certainly increase the number of threat actors who can leverage sophisticated, and dangerous, zero-day vulnerabilities.
Digital Shadows’ latest dark web study was published today (November 16) and is available online.