Details on the parallel economy of vulnerability exploits on underground forums occasionally emerge from private talks, indicating just how deep certain threat actors’ pockets are.
Some adversaries claim to have multi-million dollar budgets for purchasing zero-day exploits; however, individuals without such funds may still be able to deploy zero-day exploits if a new “exploit-as-a-service” concept becomes a reality.
Budgets for exploit acquisition are large.
On cybercriminal forums, discussions on vulnerabilities, both old and new, sometimes include offers to acquire exploits for large sums of money.
In early May, one forum user offered $25,000 for proof-of-concept (PoC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that Chinese hackers had been exploiting since at least April.
In comparison, Zerodium, an exploit acquisition firm, will pay up to $1 million for a zero-click RCE in Windows 10. The broker’s largest reward is up to $2.5 million for a zero-click full-chain persistence in Android, followed by $2 million for iOS.
Researchers at risk protection firm Digital Shadows spotted the posts while looking at threat actors’ attempts to exploit security flaws.
They observed several actors discussing zero-day pricing as high as $10 million during the study.
However, completing a large sale is difficult and time-consuming. If it takes too long, developers may miss out on a lucrative opportunity since competitors may produce an exploit variant, lowering the price.
As a result, hackers are mulling over an “exploit-as-a-service” option, which would allow exploit authors to rent out a zero-day exploit to numerous parties.
According to the researchers, this alternative might create large earnings for zero-day exploit creators as they wait for a decisive buyer.
Renting out exploits, similar to malware-as-a-service, would allow less-skilled adversaries to launch more complicated attacks and go after more lucrative targets.