Cyber criminals have observed the success of Ransomware-as-a-Service (RaaS) programs, and new intel indicates that an Exploit-as-a-Service affiliate program may be on the horizon. The Exploit-as-a-Service model would enable threat actors to ‘lease’ zero-day exploits to interested hackers, who can then use them to conduct cyber attacks.
Hackers often hesitate to purchase zero-day vulnerabilities independently, as they tend to be the most expensive cyber security flaws available for sale on the dark web. Research shows that zero-day exploits can fetch as much as $10 million per exploit, depending on the nature of the vulnerability and its potential for profits.
Cyber criminal zero-day flaw owners perceive the ‘Exploit-as-a-Service’ model as lucrative in the absence of definitive exploit buyers. In other words, while cyber criminals wait for a sale, they may as well rent out the bug, their thinking goes.
This model also allows potential zero-day flaw buyers to take the bug for a ‘test drive’. Buyers can get a sense of whether or not they would like to incorporate this vulnerability into their personal arsenal or into a syndicate’s collection.
For developers or other sellers leasing proof-of-concept (PoC) bugs, the question becomes ‘how can we remain as the real owners of the bugs while renting them out?’ Unlike rental cars, bugs don’t come with extensive paperwork and they aren’t registered to a central source, such as a department of motor vehicles.
Experts state that there are two methodologies that would allow developers or sellers to retain true ownership over exploits. However, both methodologies present challenges, potentially dissuading sellers from pursuing an ‘Exploit-as-a-Service’ model.
Exploit-as-a-Service: Diversified revenue
For developers or sellers, the ‘Exploit-as-a-Service’ model may offer a new means of diversifying revenue streams. But could continually leasing out a bug devalue the asset?
Continual use of a bug, as in the ‘Exploit-as-a-Service’ model, may lead to the bug’s discovery, and the development of widespread prevention and defense strategies.
Exploit-as-a-Service: Why it matters
If this modus operandi gains traction among hackers, it could lead to a sharp increase in the number of zero-day threats seen in the business setting. The more vulnerabilities under exploit, the more threat prevention and detection measures we need to put in place.
Organizations can prevent zero-day attacks by implementing threat intelligence tools, advanced technologies that allow businesses to act on intelligence, and tools that enable a coordinated threat response.
Your threat intelligence tools need to be high-quality. Opt for a threat intelligence provider that leverages artificial intelligence to inform the data it provides.
Your advanced threat prevention technologies should include key capabilities, such as CPU-level inspection, threat emulation and extraction, malware DNA analysis, anti-bot and anti-exploit, and campaign hunting.
To ensure a coordinated response to zero-day threats, consider a unified security platform, which provides visibility and control across the entire IT ecosystem.