A zero-day exploit that gives an attacker administrator rights on any Windows system, from Windows 2000 all the way through Windows 10, is currently on offer on the black market for $90,000.
Security experts believe the exploit is legitimate and note that it would be most useful to attackers who have already found their way into a network: it is a local privilege escalation, not a remote entry point.
Ziv Mador, Vice President at the security research firm Trustwave, described how attackers could use the zero-day to strengthen intrusions already under way: “A cyber gang would be eager to use this to leverage malware and ransomware to get a much better ROI by combining exploits. Also, any nation state type APT attack would easily see this as a key tool in sophisticated network penetration.”
Trustwave also pointed out that the only way to know for certain whether a zero-day exploit is genuine is to buy it and test it. Mador noted, however, that several indicators point to its legitimacy, including the seller's offer to use an independent escrow agent to verify that the exploit works before the $90,000 changes hands.
The seller's listing includes two videos. The first shows the exploit bypassing all of the protections of Microsoft's Enhanced Mitigation Experience Toolkit (EMET), the exploit-mitigation add-on, on the latest version of Windows; the second shows a fully patched Windows 10 system being exploited, with a CMD.EXE process elevated to the SYSTEM account.
Trustwave first spotted the listing on 11 May on the underground forum exploit[dot]in. The seller, who goes by the handle “BuggiCorp”, originally asked $95,000 for the exploit and has since cut that price by $5,000.
The posting states that the exploit will be sold to a single buyer only; until that sale happens, nobody else can verify whether the zero-day is genuine.
Ben Johnson, chief security strategist at Carbon Black, said: “Zero-day exploits such as this are particularly problematic, as traditional security solutions like anti-virus rely on blacklisting: they have a set of known threats that they detect and, if a file doesn’t appear on their list, they let it through, so if the threat has never been seen before this system falls down.
“This is why organisations need to stop relying on AV alone to protect their endpoints; a more sophisticated approach is needed. Whitelisting, whereby a threat is assessed against a set of policies and common characteristics to see if there is a likely issue, can help to spot this type of exploit even if it has never appeared before.
“This should then be combined with broader threat intelligence, where you can see if a particular file has ever been seen before; if it hasn’t, then it is likely to be zero day and hazardous. This allows organisations to get smarter about security and avoid falling into these sorts of traps.”
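The two signals mentioned above, a cmd.exe elevated to SYSTEM (the seller's second video) and a file that has never been seen before (the threat-intelligence point in Johnson's comments), can both be hunted for in process-creation telemetry. The Python below is an added example, not code from the article, Trustwave or Carbon Black. Its events are constructed to mirror the field names of Sysmon Event ID 1 (process creation), and the known-good hash set is a stand-in for a real whitelist or threat-intelligence lookup. It generalises beyond cmd.exe: any process running as SYSTEM whose parent ran as an ordinary user is flagged, because legitimate elevation (UAC, runas, services, scheduled tasks) is brokered by a SYSTEM-owned process and does not leave that parent/child shape.

```python
"""Hunt process-creation telemetry for (1) a SYSTEM process spawned directly
by an ordinary user's process, the shape a local privilege escalation leaves,
and (2) binaries whose hash has never been seen before.

Added example; the events and the known-good hash set are constructed for
this demonstration and only imitate Sysmon Event ID 1 field names.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed events (one JSON object per line):
#   PIDs 4, 612, 900   a normal SYSTEM service tree (System -> services -> svchost)
#   PID 3000           alice's explorer.exe, PID 3100 a downloaded invoice.exe
#   PID 3200           SYSTEM cmd.exe whose parent is alice's invoice.exe (LPE shape)
#   PID 3300           SYSTEM cmd.exe whose parent is a SYSTEM svchost (benign shape)
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4,"ParentProcessId":0,"Image":"System","User":"NT AUTHORITY\\SYSTEM","Hashes":"SHA256=0000"}
{"EventID":1,"ProcessId":612,"ParentProcessId":4,"Image":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM","Hashes":"SHA256=aaaa"}
{"EventID":1,"ProcessId":900,"ParentProcessId":612,"Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","Hashes":"SHA256=bbbb"}
{"EventID":1,"ProcessId":3000,"ParentProcessId":2100,"Image":"C:\\Windows\\explorer.exe","User":"CORP\\alice","Hashes":"SHA256=cccc"}
{"EventID":1,"ProcessId":3100,"ParentProcessId":3000,"Image":"C:\\Users\\alice\\Downloads\\invoice.exe","User":"CORP\\alice","Hashes":"MD5=1234,SHA256=deadbeef"}
{"EventID":1,"ProcessId":3200,"ParentProcessId":3100,"Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","Hashes":"SHA256=dddd"}
{"EventID":1,"ProcessId":3300,"ParentProcessId":900,"Image":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM","Hashes":"SHA256=dddd"}
"""

# Constructed stand-in for a whitelist / threat-intelligence "seen before" lookup.
KNOWN_GOOD_HASHES = {"0000", "aaaa", "bbbb", "cccc", "dddd"}

# Accounts treated as SYSTEM; compared case-insensitively.
SYSTEM_ACCOUNTS = {"nt authority\\system"}


def parse_events(text: str) -> list[dict]:
    """Parse one JSON event per line, keeping only process-creation events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            events.append(ev)
    return events


def sha256_of(ev: dict) -> str | None:
    """Extract the SHA256 digest from Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in ev.get("Hashes", "").split(","):
        alg, _, digest = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def is_system(user: str | None) -> bool:
    return (user or "").lower() in SYSTEM_ACCOUNTS


def find_suspicious_elevations(events: Iterable[dict]) -> list[tuple[int, int]]:
    """Return (child_pid, parent_pid) pairs where the child runs as SYSTEM but
    the parent, per the parent's own creation event, did not.

    The table is keyed on ProcessId for brevity; real Sysmon data should be
    keyed on ProcessGuid because PIDs are reused. A parent with no creation
    event in the data is skipped rather than guessed at.
    """
    events = list(events)
    by_pid = {ev["ProcessId"]: ev for ev in events}
    hits = []
    for ev in events:
        if not is_system(ev.get("User")):
            continue
        parent = by_pid.get(ev.get("ParentProcessId"))
        if parent is None:
            continue
        if not is_system(parent.get("User")):
            hits.append((ev["ProcessId"], parent["ProcessId"]))
    return hits


def find_unknown_binaries(events: Iterable[dict], known_hashes: set[str]) -> list[int]:
    """PIDs whose image hash is missing or absent from the known-good set."""
    return [ev["ProcessId"] for ev in events if sha256_of(ev) not in known_hashes]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for child, parent in find_suspicious_elevations(evs):
        print(f"SYSTEM child {child} spawned by non-SYSTEM parent {parent}")
    for pid in find_unknown_binaries(evs, KNOWN_GOOD_HASHES):
        print(f"never-before-seen binary in PID {pid}")
```

On the constructed data only PID 3200 (the SYSTEM cmd.exe under alice's invoice.exe) is reported as a suspicious elevation, while the SYSTEM cmd.exe under svchost is not; PID 3100 is the only binary absent from the known-good set. In production, combine the two: an unknown binary that immediately parents a SYSTEM process is exactly the chain the listing's second video describes.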
Image source: Shutterstock/ GlebStock