Exploit-as-a-service business model may soon appear on the darknet

Brother

The essence of the new business model is that exploit developers can rent their exploits out to several partners at once.



Mostly hidden in private correspondence, the economics of exploits on cybercrime forums sometimes seeps into the outside world, shedding light on how deep cybercriminals' pockets are. Some groups even claim to have multimillion-dollar sums at their disposal, which they are willing to spend on zero-day vulnerabilities. However, hackers on smaller budgets may also be able to exploit such vulnerabilities if exploit-as-a-service becomes a reality.

Potential buyers are very often willing to pay exorbitant sums for vulnerabilities, both new and old. For example, in early May 2021, a user of a cybercriminal forum announced that he was ready to pay $25,000 for a PoC exploit for a critical vulnerability in Pulse Secure VPN (CVE-2021-22893). Another buyer offered up to $3 million for remote code execution vulnerabilities in Windows 10 and Linux whose exploitation requires no action on the part of the victim (so-called zero-click).

The same user also offered up to $150K for an ingenious solution that would allow malware to run after every Windows 10 restart.

By comparison, exploit resale company Zerodium offers up to $1 million for a zero-click vulnerability in Windows 10. The largest amount it is willing to pay is $2.5 million for a full chain of zero-click vulnerabilities in Android. For the same chain for iOS, the company offers $2 million.

Buyers of exploits on the black market drew the attention of researchers at the information security company Digital Shadows, who decided to study the issue in more detail. In the course of their research, they encountered buyers willing to buy zero-day vulnerabilities at a price of $10 million. Moreover, such money is now offered not only by government-funded hackers, but also by profit-driven independent cybercriminals, including ransomware operators.

Be that as it may, closing such a large deal may take too long, and in the meantime other developers may offer their own exploits, which will ultimately drive the price down. Cybercriminals have therefore begun to discuss the concept of "exploit as a service". Its essence is to allow exploit developers to rent out their tools to several partners at once. Such a solution would allow them to make good profits until a worthy buyer appears. In turn, potential buyers would have the opportunity to test the tool and decide whether to buy it or not.

As with the malware-as-a-service business model, the new service will allow less experienced hackers to carry out more sophisticated attacks.