SpiderLabs, a team of ethical hackers that fights cybercrime, recently posted a blog about a recent zero day offer to attack Windows that demonstrates how such offerings are marketed and becoming more common.
Zero day is a disclosed software vulnerability that hackers can exploit to attack computer programs, data, additional computers or a network, according to Wikipedia. SpiderLabs is a part of Trustwave, a company that helps businesses fight cybercrime, protect data and reduce security risk.
SpiderLabs notified Microsoft about the zero day offering and continues to monitor the situation. The blog is titled, “Zero Day Auction for the Masses.”
Cyber Crime Evolves
By way of background, the blog noted cyber criminals have evolved from individuals and small groups to big networks. Small malware campaigns have become malware-as-a-service that can deliver instant revenue in the form of ransomware.
Criminal enterprises have splintered. Groups used to develop malware, seek victims, launch a campaign, and monetize the stolen data. Nowadays, they prosper by focusing on one thing and selling it as a service.
The underground malware market is profitable and the development of zero days has become a bigger part of it.
Zero Day Pays Big
Hacking blogger Vlad Tsyrklevich noted in a post on the zero day market that a Eugene Ching received $80,000 USD for a working zero day offering. The payment was split into a contract fee and a delivery bonus.
Zerodium, a cyber security company that pays premium rewards to security researchers to acquire their original and previously unreported zero-day exploits affecting major operating systems, will pay $5,000 to $500,000 USD.
Last year, Angler Exploit Kit introduced four zero-day exploits as a part of its offering, and because of the continuously refreshed list of new exploits, it became the most popular exploit kit last year, representing 40% of all exploit kit-related incidents observed.
A Current Offer
A zero day being offered for sale stood out to SpiderLabs among the other offerings in an underground market for Russian-speaking cyber criminals. The forum serves as a collaboration platform for hiring malware coders, leasing exploit kits, buying web shells for compromised websites, or renting botnets. Finding a zero day listed in between these fairly common offerings is an anomaly, the blog noted. It indicates zero days are becoming a commodity for the masses.
The zero day claims to be a Local Privilege Escalation (LPE) vulnerability in Windows. Below is a screen shot of the original offer, posted on May 11, 2016:
The offer refers to a vulnerability in the incorrect handling of Windows objects. The exploit is implemented for all OS architectures from Windows XP up to current variants of Windows 10. The exploit successfully escapes all existing protection mechanisms.
What Is Offered
The buyer will receive:
1. Source code with all the source code of the exploit and a demo for the exploit.
2. Free updates to address any Windows version the exploit might not work.
3. A detailed write up of the vulnerability details.
4. Complementary consultation on integrating the exploit.
5. On request – convert the source code project to a different MSVC version.
The seller was willing to accept offers starting from $95,000 [USD]
The seller insisted on doing the deal using the forum’s admin as the escrow. In an update on May 23, the seller said the exploit will be sold exclusively to a single buyer.
The seller provided two proof videos for potential buyers who might be concerned with the offer’s validity. The first one showed an updated Windows 10 machine being successfully exploited successfully.
The second one showed the exploit bypassing all of Microsoft’s protections for the latest version of the product.
Despite indications of the offer’s authenticity, there’s no way to be certain without purchasing the exploit or waiting for it to appear.
Local Privilege Escalation (LPE) vulnerabilities are likely next in line in popularity, even though the most coveted zero day would be a Remote Code Execution (RCE) exploit.
An LPE exploit paired with a client-side RCE exploit can enable an attacker to escape an application that deploys sandbox protection, such as Adobe Reader, Google Chrome, etc. An LPE exploit provides a way to persist on an infected machine, a crucial aspect when considering advanced persistent threats. Such an exploit can be leveraged in nearly every kind of attack.
What This Zero Day Can Do
The possible capabilities presented to an attacker purchasing this exploit are as follows:
1. Escape from sandbox if the initial compromise vector is an RCE for a sandboxed app, e.g., Adobe Reader, Google Chrome, etc. – converting a limited RCE exploit into a functional takeover tool.
2. Because this zero day exploit offers a way to execute code in ring0, the purchaser will be able to use it to install a root kit on the victim’s machine, shielding itself more efficiently. This enables the attacker to escape detection and prolong control of the infected system.
3. The seller noted the exploit was tested on Windows Server OS versions. This allows a new possibility should an attacker already have a type of limited control over a web server (SQLi, web shell with restricted privileges – as all modern web servers run under a designated user account with limited privileges).
4. Modify system properties allowing persistence on the system. An example posted by FireEye demonstrates how criminals used a zero day LPE for Windows to persist on POS systems and rob credit card data.
5. Install more malicious software – a privilege that is reserved for administrative accounts on OSs, including Windows.
There are not many public records of what the price of such exploit should be. But one can consider the prices offered by Zerodium and discussed by Vlad Tsyrklevich. While the price of the zero day was lowered 12 days following the initial post, it was only lowered 5.3% from $95,000 to $90,000. On June 6, it was lowered again, to $85,000.
Based on what prices are known, this price seems high but within a realistic range, particularly considering the return on investment buyers are likely to make using this exploit.
A base assumption for anyone who has worked with code is that all software has bugs. Trustwave SpiderLabs, having worked with Microsoft years, recognizes the lengths Microsoft takes to prevent zero days. This includes independent research, bug bounty programs and establishing the MAPP program with transparency of its patching process. Criminals sometimes find those bugs before the “good guys” do.
What Can Be Done About It?
Given all the unknowns connected with zero days, it’s difficult to give protection advice. There are use lessons learned from previous cases to provide general guidance:
1. Keep software up-to-date. LPE is one of several components that constitute a successful compromise. Break one link in the chain and you will likely thwart the attack. Consider the scenario where this LPE exploit occurs in tandem with an RCE exploit to break out of a sandbox. A machine may not be patched against the zero day LPE, but it may be patched against the RCE component.
2. A chain link can be broken in different parts of security infrastructure. Deploy a full stack of security products to improve the odds of breaking a link.
3. Use common sense. Many attacks rely on user interaction, like clicking a link or opening an attachment. Avoid suspicious links or attachments sent from unsolicited sources.
The company will update the blog with new developments.
Featured image from Shutterstock.