
How well is the vulnerability exploit business booming?



Last Updated on 22/11/2021 by TheDigitalHacker

Details on the parallel economy of vulnerability exploits on underground forums occasionally emerge from private talks, indicating just how deep certain threat actors’ pockets are.

Some adversaries claim to have multi-million dollar budgets for purchasing zero-day exploits, but individuals without such funds may still be able to deploy zero-day exploits if a new "exploit-as-a-service" model becomes a reality.


Budgets for exploit acquisition are large.

On cybercriminal forums, discussions on vulnerabilities, both old and new, sometimes include offers to acquire exploits for large sums of money.

In early May, one forum user offered $25,000 for proof-of-concept (PoC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that Chinese hackers had been exploiting since at least April.

In comparison, Zerodium, an exploit acquisition firm, will pay up to $1 million for a zero-click RCE in Windows 10. The broker’s largest reward is up to $2.5 million for a zero-click full-chain persistence in Android, followed by $2 million for iOS.


Researchers at digital risk protection firm Digital Shadows spotted the posts while studying how threat actors discuss and trade exploits for security flaws.

They observed several actors discussing zero-day pricing as high as $10 million during the study.

However, completing a sale at that price is difficult and time-consuming. If it drags on too long, exploit developers risk missing the window entirely: a competitor may independently produce a working exploit for the same flaw, or the vendor may patch it, either of which drives the price down.

As a result, hackers are mulling over an "exploit-as-a-service" option, which would allow exploit authors to rent out a zero-day exploit to numerous parties rather than sell it to a single buyer.

According to the researchers, this alternative might create large earnings for zero-day exploit creators as they wait for a decisive buyer.

Renting out exploits, similar to malware-as-a-service, would allow less-skilled adversaries to launch more complicated attacks and target more lucrative targets.

Nidhi Khandelwal
Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breaches.
