Zero Day Market Goes Mainstream as $95K Windows Flaw Spotted

Security experts have warned that the market for zero days is increasingly going mainstream on the cybercrime underground, after discovering a Windows vulnerability being sold on a Russian online forum for $95,000.

Trustwave’s SpiderLabs research team claimed in a new blog post that zero days “have long been sold in the shadows.”

“In this business you usually need to ‘know people who know people’ in order to buy or sell this kind of commodity. This type of business transaction is conducted in a private manner, meaning either direct contact between a potential buyer and the seller or possibly mediated by a middle man,” it explained.

However, the Trustwave team recently discovered a zero day for sale on a Russian site better known as a forum for hiring malware coders, renting botnets, leasing exploit kits and so on.

“Finding a zero day listed in between these fairly common offerings is definitely an anomaly,” it warned. “It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”

There’s no definite confirmation that the seller is legitimate, but all signs seem to indicate that this zero day is for real.

It’s a Local Privilege Escalation (LPE) flaw in Windows, complete with two videos to prove its authenticity.

In fact, the seller appears to have made a special effort to appear trustworthy; for example by choosing only to use the site’s admin as escrow.

As Trustwave explained, an LPE bug in itself wouldn’t provide the initial infection vector in the way a remote code execution flaw would, but it could nevertheless be used in almost any scenario as a “very much needed puzzle piece in the overall infection process.”

For IT teams the advice remains to keep all software up to date to stand the best chance of breaking the infection chain: i.e. there may be no protection from a zero day, but another vulnerability being exploited in the same attack may have a patch available.

As always, users should be trained to avoid clicking on suspicious links or opening attachments from unsolicited sources.

Carbon Black chief security strategist, Ben Johnson, argued that zero days are particularly dangerous as most traditional AV relies on the blacklisting of known threats.

“Whitelisting, whereby a threat is assessed against a set of policies and common characteristics to see if there is a likely issue, can help to spot this type of exploit even if it has never appeared before,” he added.

“This should then be combined with broader threat intelligence, where you can see if a particular file has ever been seen before; if it hasn’t, then it is likely to be zero day and hazardous. This allows organizations to get smarter about security and avoid falling into these sort of traps.”
