
Windows Zero-day Exploit for Sale: Bids Start at $95,000

Trustwave SpiderLabs has discovered a 0-day Windows exploit being offered for sale on an underground forum for Russian speaking cyber criminals. Although the researchers cannot be absolutely certain that the exploit is genuine, they suspect it is – and further expect that the exploit will find its way into criminal hands.


Zero-day exploits regularly change hands. Criminal gangs buy them for their own use, brokers buy them for onward sale, and surveillance companies buy them for use with their own products. But it is a difficult market, because it requires a degree of trust between parties engaged in a nefarious activity. Last year's analysis of the emails leaked after the Hacking Team breach demonstrates some of the problems. An analysis by Vlad Tsyrklevich showed, for example, a degree of distrust between Hacking Team (the buyer) and Vupen (the broker), even though Vupen was well known and, in its own circles, widely trusted.

For such reasons, the sale of 0-day exploits usually involves people who know people. It was a surprise when Trustwave’s SpiderLabs came across an alleged 0-day being offered for sale openly on an underground forum for Russian-speaking cyber criminals. The forum in question is usually used as a collaboration platform “where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose,” writes SpiderLabs in a new blog post today. “However,” it adds, “finding a zero day listed in between these fairly common offerings is definitely an anomaly.”

The 0-day is described as a local privilege escalation (LPE) that works on every version of Windows from XP through Windows 10. It was put on sale with bids starting at $95,000. SpiderLabs makes it clear that it cannot be certain the 0-day is genuine, but adds, "the offer is likely a valid zero day, and that the asking price is likely to be met by an interested cybercriminal."

One argument for its validity is the effort the seller took to present his case. This includes an extensive description of what the buyer will get, which shows an understanding of the market. He demands payment in bitcoins, and for the deal to be conducted via the forum's admin acting as escrow.

The original offer was posted on 11 May. It was updated on 23 May, lowering the price to $90,000 and confirming that it would be sold exclusively to one buyer. The price cut could suggest fewer bids than anticipated; the exclusivity clause could equally suggest that interested buyers were demanding it.

The seller also provided two YouTube video demonstrations of the exploit in action. “It is interesting to note,” writes Trustwave, “that the video was actually recorded on ‘Patch Tuesday’ and the author made sure the latest updates were installed.”

Trustwave points out that LPE 0-days are probably second only to remote code execution (RCE) 0-days in the value pecking order. Although an LPE exploit "can't provide the initial infection vector like a Remote Code Execution (RCE) would, it is still a very much needed puzzle piece in the overall infection process." Furthermore, "an LPE exploit provides the means to persist on an infected machine, which is a crucial aspect when considering APTs (Advanced Persistent Threats)."


This particular exploit appears to have advanced potential. According to the seller, it could escape from a sandbox, enable the installation of a rootkit in ring 0 (kernel mode), modify system settings to allow persistence, and download and install additional malware even where software installation is restricted to administrators. These are the seller's claims; Trustwave has not verified them.

If the exploit is as good as described, and if it is bought and used sparingly in targeted attacks, then it could become a serious new menace. Once it disappears from the forum, we could easily lose track. Ziv Mador, VP of security research at Trustwave, told SecurityWeek, “In the later post the seller mentioned that the 0-day would be sold exclusively to a single buyer. Therefore, if it is removed, it may mean that it was sold.” But he doesn’t know if we will ever be able to recognize its use by criminals in the future, nor whether it is likely to disappear into the arsenal of a state-sponsored espionage group.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
