State Sponsored Hackers and The Above Ground Exploit Market
I just finished reading a pretty good article from Kaspersky’s ThreatPost.com website. The article was about how nation-state attackers target Adobe products (PDF Reader, Flash, Shockwave, etc.). I especially liked the part of the article where Dennis Fisher, the article’s author, describes the evolution of a zero-day working its way down to crimeware attack packs (note: where Arkin is mentioned below, the author is referring to Brad Arkin, the senior director of product security and privacy at Adobe):
“…when a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.
From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit. But it’s the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.
“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit.”
This is really good, and it is something that isn’t very well understood in my opinion. I do, however, think that there is another wrinkle here, and that is the actual sale of zero-day exploits. A good PDF zero-day exploit, for example, can be worth over $50,000.
Charlie Miller wrote a good whitepaper about the legitimate buying and selling of exploits while he was working at Independent Security Evaluators. In one of Charlie’s presentations at the AusCERT 2008 security conference, he showed a chart with a price breakdown for the various exploit types commonly sold. Although the presentation was given in 2008, the pricing still holds fairly well today as a reference. Note: everywhere in the chart that you see Vista, just mentally replace it with Windows 7.
Security.StackExchange.com has the question “Which companies facilitate payment in return for vulnerability disclosure?” answered, and the answers provide a very good list of companies that actually purchase zero-day exploits from security researchers and exploit developers.
Certain companies like Mozilla and Google have established bug bounty programs: they buy vulnerabilities in their own software themselves. These bug bounty programs generally pay anywhere from a few hundred to a few thousand dollars.
A ripple in the pond of exploits for sale is the buying and selling of non-zero-day exploits. Now, offhand you’d probably think these types of exploits don’t have any real value because there is already a known fix for them, but au contraire mon frère: check out ExploitHub. They’ve even gotten some decent press as well: