Cybercriminals are increasingly discussing the idea of a new "exploit-as-a-service" business model that will "inevitably lower the barrier" for accessing sophisticated zero day exploits and will enable developers to lease or rent their exploits to affiliates.
That's according to researchers at threat intelligence firm Digital Shadows, who say they recently conducted an investigation to find out how threat actors continue to exploit organisations' weaknesses.
In their whitepaper - Vulnerability intelligence: do you know where your flaws are? - the Digital Shadows team note that active zero-day bugs have now become the most expensive items marketed on cyber crime forums, with prices going up to $10 million in some cases.
Zero day security flaws are vulnerabilities that are not known to the companies developing hardware or software. Such exploits are especially sought-after by government intelligence agencies and, therefore, can fetch a high price on various marketplaces.
In May, one user on a dark web forum offered $25,000 for proof-of-concept (PoC) exploit code for CVE-2021-22893, a security flaw in Pulse Secure VPN that was rated 'critical' and was said to be exploited by Chinese hackers.
Another threat actor offered up to $3 million for 'zero click' exploits (no-interaction remote code execution bugs) in Windows 10 and Linux.
The Digital Shadows team observed some cyber actors engaged in discussions about zero day prices as high as $10 million.
Such high prices are no longer restricted to nation-state hackers, the researchers noted, as ransomware groups have amassed incredible funds in past years to compete with traditional buyers of zero days.
< ..
Support the originator by clicking the read the rest link below.
