While security admins struggle to address the significant risks from unpatched vulnerabilities, adversaries are becoming more advanced and finding new ways to exploit security flaws. Cybercriminal groups usually search for unpatched vulnerabilities to exploit and compromise the targeted devices. And they continue to trade information on security vulnerabilities and exploits on various darknet forums.
Vulnerability Industry on Dark Web
As per a report from Digital Shadows, several cybercriminal groups and state-sponsored actors are increasingly willing to purchase information on vulnerabilities and exploits from various cybercrime affiliates on the dark web. The market for zero-day vulnerabilities is reportedly high as many ransomware operators are interested in buying them. Digital Shadows claim that the price range of zero-day flaws could go up to $10 million.
“This environment is bursting with a variety of widespread actors who boast a whole range of technical expertise and motives. The technical discussions of this eclectic underground cohort have actually contributed to a pretty cohesive, crowd-sourced body of knowledge about vulnerabilities and exploits. The top of the cybercriminal pyramid is represented by the market for zero-days. This market is an extremely expensive and competitive one, and it’s usually been a prerogative of state-sponsored threat groups,” the researchers said in the report.
Exploit as a Service Model
The research also found several cybercriminals discussing ideas on the Exploit-as-a-Service business model to attract adversaries who are unwilling to spend more money. The exploit-as-a-service model allows threat actors to lease zero-day exploits to perform their criminal activities. Along with zero-day vulnerabilities, the cybercriminal community also shares insights on old vulnerabilities that have not been properly patched.
“We don’t know how long this model will remain viable. Zero-day exploit developers can certainly generate large profits by selling to government-backed threat actors, but this process can eat up time and drive the developers to seek alternative revenue sources. And that’s when exploit-as-a-service becomes viable ― generating their desired income from various interested parties. The result? More and more financially motivated threat actors with their hands on dangerous tools,” the researchers added.
CISA’s Order on Unpatched Vulnerabilities
The threat of unpatched vulnerabilities has become one of the pressing security issues for organizations worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Binding Operational Directive (BOD) to reduce the risk of actively exploited vulnerabilities. The new Directive, which applies to all software and hardware found on federal information systems, requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.