The concept of zero-days as a service (ZDaaS) could be on the verge of racing up the CISO agenda, according to new research from Digital Shadows, which has found that cyber criminals are increasingly discussing the potential of a model whereby zero-day exploits are leased or rented to affiliates.
In their whitepaper "Vulnerability intelligence: do you know where your flaws are?", the Digital Shadows team found that active zero-day vulnerabilities have lately become the most expensive items advertised on dark web cyber crime forums, with prices reaching up to $10m in some cases.
They said that while exploit developers clearly now feel they can generate a substantial return on their labour, it can take them a long time to find someone willing or able to stump up such a hefty premium.
Therefore, renting the zero-day out may be a more attractive model because it lets the developer generate some income while they wait for a sale, and also gives the lessee a chance to try before they buy, said the team.
Digital Shadows’ research comes hot on the heels of research papers published by Sophos and Trend Micro detailing the growing scale of cyber crime-as-a-service models, which began with ransomware and are trickling down into other areas of the underground economy.
This is a problem, said Digital Shadows threat researcher Stefano De Blasi, because if the ZDaaS model is taken up with enthusiasm – and there is no reason why it shouldn’t be – there will be a good deal more financially motivated threat actors with dangerous tools in their back pockets, causing an even bigger problem for defenders.
“The team’s investigation into the cyber criminal community active around vulnerabilities has also painted a picture of a bursting, diverse and well-organised environment of threat actors with varying motivations and capabilities,” said De Blasi. “The zero-day market is fascinating due to the presence of high-profile actors, sophisticated developers and capable vendors.”
However, this was likely to be just the tip of the iceberg, he said. “Most of this environment is characterised by a high degree of cooperation and resource sharing among lower-skilled cyber criminals. Older vulnerabilities, vulnerability scanning tools and proof-of-concept codes constitute the bare bones of this complex market.”
Indeed, on a day-to-day basis, the Digital Shadows team’s research found that older and more overlooked vulnerabilities are still highly valuable to cyber criminals because they offer a cheap and efficient way into victim environments and can be exploited by those with lower skills.
This chimes with other views on the subject – earlier in 2021 the US’s CISA agency revealed that some of the most exploited vulnerabilities were very old, highlighting one, CVE-2012-0158, a Microsoft bug that is approaching its 10th “birthday”.
According to De Blasi, these factors are combining to make effective patch management a real headache for security teams, many of which he said were “ill-prepared” to defend against a “tidal wave” of vulnerabilities.
Poor management support, ineffective triaging strategies and incomplete asset management practices are further complicating the entangled IT environment that security teams are required to defend, he told Computer Weekly.
“The vulnerability threat landscape is characterised by newly disclosed flaws and overlooked unpatched bugs that often intertwine into a chaotic environment,” he said. “Vulnerability intelligence provides the additional details that allow a company to take a risk-based approach to vulnerability remediation.
“In my opinion, the most important takeaway from this research is that context is vital when informing decision-making processes. While severity ratings can give an idea of the importance of a vulnerability, security teams need to have access to tailored intelligence to prioritise the right actions and plan mitigation strategies.”