Monday, October 22, 2018

Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons?

As ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems, software and devices, a logical question emerges about the program's usefulness and potential benefits, including potential vulnerabilities within the actual acquisition process: how would the program undermine the security industry, and what would be the eventual outcome for the security researcher in terms of fueling growth in the cyber warfare market segment?

In this post I'll discuss the market segment for pay-per-exploit acquisition programs, the current exploit-acquisition methodology used by different vendors, and the various over-the-counter acquisition methodologies applied by malicious attackers on their way to monetizing access to malware-infected hosts while compromising the confidentiality, availability and integrity of the targeted host, including the ongoing and potential weaponization of zero-day vulnerabilities in the context of today's cyber warfare world.

Having realized the potential of acquiring zero-day vulnerabilities for the purpose of actively exploiting end users, malicious actors have long been aware of the over-the-counter acquisition market model, which further enhances their capabilities when launching malicious campaigns. Among the most widespread myths about zero-day vulnerabilities is that they are the primary growth factor of the cybercrime ecosystem, resulting in a multitude of malicious activity targeting end users.

With vendors continuing to establish the foundations for active vulnerability and exploit acquisition programs, third-party vendors and research organizations continue to disintermediate the vendors' major acquisition programs. This has resulted in the launch of third-party services and products that further populate the security industry, potentially acquiring "know-how" and relevant vulnerability and exploit information from major vendors, launching related companies and services, and potentially empowering third-party researchers, vendors and individuals, including nation-state actors, with weaponization capabilities that could lead to successful target acquisition on behalf of those researchers and individuals.

Becoming a target in the context of third-party vendors and researchers might not be the wisest approach, as it undermines potential in-house research and benchmarking activities for evaluating and responding to vulnerabilities and exploits. Vendors looking for ways to efficiently improve the security of their products should consider basic internal benchmarking practices, as well as an incentive-based, revenue-sharing vulnerability and exploit reward program that gives company employees and researchers the tools and incentives to discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability research and exploit discovery is the life-cycle of a zero-day vulnerability and exploit. It is best described as a long-run process used by malicious and fraudulent actors who rely on client-side exploits to drop malicious software on the hosts of targeted victims. These actors often rely on outdated and already patched vulnerabilities, on the overall misunderstanding that zero-day vulnerabilities and exploits are the primary growth factor of the security industry, and on the basic fact that end users and enterprises are often unaware that cybercriminals rely on outdated and patched vulnerabilities to successfully target thousands of users globally on a daily basis.

What used to be a market segment dominated by DIY (do-it-yourself) exploit and malware-generating tools is today dominated by Web malware exploitation kits, successfully affecting thousands of users globally on a daily basis. Among the most common misconceptions regarding such kits is that the cybercriminals behind them rely on newly discovered exploits and vulnerabilities; in fact, the kits rely on outdated and already patched security vulnerabilities and exploits to entice thousands of users globally into falling victim to social-engineering-driven malicious and fraudulent campaigns.

Despite the evident usefulness of zero-day exploits from a malicious actor's point of view when launching malicious campaigns, malicious actors continue to use outdated vulnerabilities, combining them with a multitude of social engineering attack vectors to enhance the usefulness of the exploitation vector. Another crucial aspect of the pay-per-exploit acquisition vulnerability model is the reliance on outdated and unpatched vulnerabilities for launching malicious campaigns, which in turn relies on the basic fact that on the majority of occasions end users fail to update their third-party applications, exposing themselves to a variety of successful malicious campaigns using outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-exploit acquisition model, with related acquisition model participants continuing to acquire vulnerabilities and further fueling growth in the market segment. We expect that malicious actors will respond through over-the-counter acquisition models, including the use of outdated and unpatched vulnerabilities. End users are advised to keep their third-party applications updated, to build general security awareness, and to ensure that they're running a fully patched antivirus solution.

Consider going through the following related posts:
Researchers spot new Web malware exploitation kit
Web malware exploitation kits updated with new Java exploit
Which are the most commonly observed Web exploits in the wild?
Report: Patched vulnerabilities remain prime exploitation vector
Report: malicious PDF files becoming the attack vector of choice
Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
56 percent of enterprise users using vulnerable Adobe Reader plugins
Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts
Secunia: popular security suites failing to block exploits
37 percent of users browsing the Web with insecure Java versions
Report: Malicious PDF files comprised 80 percent of all exploits for 2009
Secunia: Average insecure program per PC rate remains high