RENT A ZERO DAY EXPLOIT

EXPLOIT AS A SERVICE

While we all love cloud computing and its associated services, known by the acronyms SaaS, PaaS and IaaS, there are cloud services on the dark web that now pose a major threat to businesses, big and small. Two weeks ago you read about the DDoS Dilemma, in which Distributed-Denial-of-Service attacks on computer software, gaming/gambling, IT, and internet companies increased by an average of 573% in the 3rd quarter of this year compared to the previous one. And now there’s Exploit-as-a-Service (EaaS), a new trump card in the hands of sophisticated and greedy cybercriminals who are after one thing only – money!

WHAT IS EXPLOIT AS A SERVICE?

Exploit-as-a-Service is a new business model used by cybercriminals, based on the many successes of ransomware attacks and of Ransomware-as-a-Service (RaaS). EaaS would enable hackers to rent or lease zero-day exploits, which can then be used to paralyze individual computers or IT networks. Why rent rather than buy? The obvious answer is cost. Research confirms that zero-day exploits can be sold for as much as $10 million on the dark web, a high price to pay for any form of malware. With most threat actors finding this sum unaffordable, renting the exploits is much more viable. It also means that the EaaS vendors make money quicker, as there is often not an immediate buyer for the exploit.

WHAT IS ZERO-DAY?

Put simply, zero-day is a flaw or vulnerability in software, hardware or firmware. Zero-day can refer to the actual and unknown vulnerability or to an attack that has zero days between the time the vulnerability is discovered and the first attack. In most cases when a zero-day security flaw is detected in software, an individual, company, or government agency will notify the software company, which will then repair the code and distribute a patch or software update. Zero-day issues are not immediately made public, as industry guidelines recommend that the developer has time to patch the vulnerability. With Google Project Zero, vendors have up to 90 days to develop and implement a patch before the finder publicly discloses the flaw.

THE DANGERS OF ZERO-DAY

What makes zero-day potentially dangerous is when a hacker discovers a vulnerability first and then implements an attack, catching the victim completely off-guard. What makes this threat real is that zero-day exploits are exceptionally difficult to detect. Zero-day attacks have also been attributed to advanced persistent threat (APT) attackers, who are intent on stealing data rather than targeting an IT network. As the name suggests, APT involves a prolonged and targeted cyberattack in which the cybercriminal gains access to a PC or network, remaining undiscovered for an extensive period.

THE DANGERS OF EXPLOIT AS A SERVICE

In essence, Exploit-as-a-Service provides a cost-effective means for hackers to proliferate zero-day exploits. Cybercriminals could also test the leased exploit and decide if they will purchase it on an exclusive or non-exclusive basis. Basically, it’s a win-win scenario for EaaS vendors and hackers. As Stefano De Blasi, a cyber threat analyst at Digital Shadows, explains:

“In this way, [developers] can try and monetize that zero-day before they sell it entirely to someone else — or before the zero-day is discovered by security researchers, for example, and it’s patched and they just lose all the potential money they could have made.”

EAAS NOT AS BIG AS ZERO DAY?

The bottom line is that Exploit-as-a-Service provides one route to maximizing revenues from zero-day exploits before they are discovered. If the EaaS model takes off, it could pose serious problems for enterprise IT security teams who are often slow to patch vulnerabilities. But De Blasi believes that the threat to businesses from EaaS may well be contained and said:

“I think personally what is going to happen is that this exploits-as-a-service model will develop not as much with zero-days, but maybe with just-discovered vulnerabilities but ones that aren’t broadly patched. So they will create some custom exploits and try to rent those ones instead of zero-days, because those are quite complicated.”

“It will provide a lot of different actors with the capability needed to conduct some serious cyber-attacks.”

LET ME MAKE YOUR DAY

You don’t need to fret about protecting your IT network and patching and updating your systems and software. Don’t worry about zero-day vulnerabilities or EaaS. Let me make your day. I have over 20 years of experience in the provision of effective business IT solutions and am a cybersecurity expert focusing on risk mitigation. Contact me now and put your IT systems and precious data in the right hands.
