Hackers claim to have discovered a Windows zero-day exploit that can be yours for $90,000 (in Bitcoin – the hacker currency of choice)
Security vendor Trustwave has just discovered what could be a significant Windows zero-day exploit going for US$90,000 on the underground cyber-crime market. Its SpiderLabs security researchers found a post from a cyber criminal on an underground forum claiming the exploit could affect almost every Windows machine on the planet.
If the cybercriminal’s claims are true, the local privilege escalation (LPE) vulnerability exists in all versions of Windows from Windows 2000 onward, potentially impacting over 1.5 billion Windows users.
If exploited, the vulnerability allows attackers to elevate any Windows user-level account to an administrator account, letting them install malicious software, gain access to other machines, change user settings and carry out an array of other potentially damaging actions.
Criminals are organizing their efforts online on a scale not seen before. Capitalizing on the anonymity of private forums, cryptocurrency and anonymous networks, cyber criminals have evolved their techniques and tactics tremendously.
“We’ve seen small malware campaigns become malware-as-a-service, where malware can equal instant revenue through ransomware. Single ‘drive-by’ malicious websites have become distributed exploit kits.” Crime as a service, or CaaS.
This zero-day offering is a little different. “A zero-day being offered for sale stood out among the other offerings in an underground market for Russian-speaking cyber-criminals. This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose.
“However, finding a zero-day listed in between these fairly common offerings is an anomaly. It goes to show that zero-days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”
Trustwave sums it up: “All software has bugs. This is the base assumption of any person who has ever worked with code, security professional or developer. Security experts say the zero-day exploits look legitimate and in the wrong hands could be an extremely effective tool for hackers who already have a foothold in an existing computer network. Trustwave SpiderLabs has worked with Microsoft for many years, and we know first-hand the amazing lengths Microsoft goes to to prevent zero-days, from embracing independent research and bug bounty programs to establishing the MAPP program with transparency into their patching process. Unfortunately, it’s occasionally the case that criminals find those bugs before the ‘good guys’.”
“A cyber gang would be eager to use this to leverage malware and ransomware to get a much better ROI by combining exploits,” said Ziv Mador, VP of security research at Trustwave, in an interview with Threatpost. “Also, any nation-state type APT attack would easily see this as a key tool in sophisticated network penetration.” Trustwave underscores that there is no way to know with absolute certainty whether the zero-day is legitimate without purchasing the exploit. However, Mador said there are a number of strong indicators that the exploit is legit, such as the seller offering the use of an independent escrow agent to verify that the exploit works before payment is made.
The zero-day was spotted by Trustwave on May 11 on the underground site exploit.in, posted by a seller using the handle “BuggiCorp”. The exploit will be sold exclusively to one buyer, according to the posting. Originally the seller offered the zero-day for $95,000, but has since dropped the price to $90,000. “For this type of capability, $95,000 USD does sound reasonable. These are relatively rare, and take a degree of expertise to develop, thus they are valuable to attackers and defenders alike,” said Logan Brown, president of Exodus Intelligence, which runs its own vulnerability purchasing program, among other offerings.
Jeff Jones, a cyber security strategist with Microsoft, pointed out that Microsoft runs a bug bounty program offering a reward of between $50,000 and $100,000 for an exploit capable of bypassing its EMET safeguards (something that this exploit does).