Cybercriminals discuss 'Exploit-as-a-Service' model to lower the barrier for accessing dangerous zero-day exploits

Ransomware gangs have amassed big fortunes to compete with traditional buyers of zero-days, researchers find

Cybercriminals are increasingly discussing the idea of a new "exploit-as-a-service" business model that will "inevitably lower the barrier" for accessing sophisticated zero day exploits and will enable developers to lease or rent their exploits to affiliates.

That's according to researchers at threat intelligence firm Digital Shadows, who say they recently conducted an investigation to find out how threat actors continue to exploit organisations' weaknesses.

In their whitepaper - Vulnerability intelligence: do you know where your flaws are? - the Digital Shadows team note that active zero-day bugs have now become the most expensive items marketed on cyber crime forums, with prices going up to $10 million in some cases.

Zero day security flaws are vulnerabilities that are not known to the companies developing hardware or software. Such exploits are especially sought-after by government intelligence agencies and, therefore, can fetch a high price on various marketplaces.

In May, one user on a dark web forum offered $25,000 for proof-of-concept (PoC) exploit code for CVE-2021-22893, a security flaw in Pulse Secure VPN that was rated 'critical' and was said to be exploited by Chinese hackers.

Another threat actor offered up to $3 million for 'zero click' exploits (no-interaction remote code execution bugs) in Windows 10 and Linux.

The Digital Shadows team observed some cyber actors engaged in discussions about zero day prices as high as $10 million.

Such high prices are no longer restricted to nation-state hackers, the researchers noted, as ransomware groups have amassed incredible funds in past years to compete with traditional buyers of zero days.

But completing a big zero day exploit deal is not easy. And if it takes too much time, the developer may lose the chance to generate money as rivals may come up with another variant for the exploit.

For this reason, cybercriminals are now contemplating an "exploit-as-a-service" model that would allow them to rent out a zero day exploit to multiple parties, allowing them to conduct their attacks.

This is similar to the Ransomware-as-a-Service (RaaS) affiliate model that has been adopted by some malware developers in recent years.

According to Digital Shadows, the "Exploit-as-a-Service" approach would let developers make quick money, while also potentially enabling them to continue to profit for a long time. It would also give the exploit developer the option to eventually sell their exploit if they get tired of leasing their product.

It would also benefit renting parties who could first test the offered zero day and then decide whether to buy the exploit on an exclusive or non-exclusive basis.

If the business model proves viable in future, it would certainly increase the number of financially motivated threat actors with their hands on dangerous tools, according to the researchers.