Access to, and exploitation of, “valid” zero-day vulnerabilities increasingly demonstrates that threat actors have access to money rather than hacking skills, in another sign that the cyber criminal underworld is becoming increasingly commodified, according to Kathleen Metrick, Parnian Najafi and Jared Semrau of FireEye Threat Intelligence.
Zero-days – flaws in firmware, hardware or software that are unknown to the vendor or to whoever is responsible for fixing them – can refer either to the vulnerabilities themselves or to the attacks that exploit them. The name comes from the fact that there are zero days between the vulnerability becoming known to those who must fix it and the first recorded attack exploiting it, leaving defenders no time to patch.
In new research published this week, FireEye said it had documented more zero-day exploitations in 2019 than in the previous three years, and although not every attack could be pinned on a known and tracked group, a wider range of tracked actors do seem to have gained access to these capabilities.
The researchers said they had seen a significant uptick, over time, in the number of zero-days being leveraged by threat actors whom they suspect of being “customers” of private companies that supply offensive cyber capabilities to governments or law enforcement agencies.
“We surmise that access to zero-day capabilities is becoming increasingly commodified based on the proportion of zero-days exploited in the wild by suspected customers of private companies,” they said.
“Private companies are likely to be creating and supplying a larger proportion of zero-days than they have in the past, resulting in a concentration of zero-day capabilities among highly resourced groups.
“Private companies may be increasingly providing offensive capabilities to groups with lower overall capability and/or groups with less concern for operational security, which makes it more likely that usage of zero-days will be observed.”
The researchers added: “It is likely that state groups will continue to support internal exploit discovery and development. However, the availability of zero-days through private companies may offer a more attractive option than relying on domestic solutions or underground markets.
“As a result, we expect that the number of adversaries demonstrating access to these kinds of vulnerabilities will almost certainly increase and will do so at a faster rate than the growth of their overall offensive cyber capabilities – provided they have the ability and will to spend the necessary funds.”
As an example, FireEye referred back to a number of attacks using malware developed by NSO Group, an Israel-based provider of cyber intelligence – or spyware – capabilities, ostensibly for government agencies.
One of the more prolific threat groups, tracked as Stealth Falcon or FruityArmor, has extensively targeted journalists and political activists across the Middle East using malware sold by NSO that leveraged three Apple iOS zero-days. FireEye said this group used more zero-days than any other between 2016 and 2019.
Another customer of NSO, dubbed SandCat, is suspected to be linked to Uzbek state intelligence, and has also been using NSO-developed tools against targets in the Middle East.
FireEye also noted examples of zero-day exploits that could not be attributed to tracked groups, but that appear to rely on tools developed by offensive security companies. One is a 2019 buffer overflow vulnerability in WhatsApp (CVE-2019-3568) that was used to deliver NSO-developed spyware. Another is activity targeting a Russian healthcare body that used a 2018 Adobe Flash vulnerability (CVE-2018-15982); this may be linked to leaked source code developed at Hacking Team, an Italian provider of intrusive cyber tools which, again, more usually sells to governments and law enforcement.
Meanwhile, state-linked groups, including China’s APT3, North Korea’s APT37 and Russia’s APT28 and Turla, appear to be building an increased capacity to exploit vulnerabilities very soon after they are publicly disclosed, before most organisations have applied the patch.
“In multiple cases, groups linked to these countries have been able to weaponise vulnerabilities and incorporate them into their operations, aiming to take advantage of the window between disclosure and patch application,” said the research team.
FireEye’s full research is available online.