In this article we will learn about Zero-Day Exploits in the Dark.
Introduction to Zero-Day Exploits in the Dark:
Black markets deployed on anonymizing networks like Tor and I2P offer all kinds of illegal products, including drugs and weapons. They are a pillar of the criminal ecosystem, as these black markets are privileged places to obtain illegal goods and services by preserving the anonymity of both sellers and buyers and making it difficult to trace payment transactions conducted through virtual currencies such as Bitcoin.
Most people are unaware that among the most attractive products in the underground market are zero-day exploits, malicious code that attackers can use to exploit vulnerabilities unknown to the vendor in any kind of software.
The availability of zero-day exploits is a key element for a successful attack. Most state-sponsored attacks that go undetected for years rely on exploiting an unknown flaw in popular commercial products and SCADA systems.
Zero-day exploits: A rare commodity
Security experts have discussed on several occasions the importance of using zero-days to design malicious software that could target any kind of application. Zero-day exploits are among the most important components of all cyber weapons, and for this reason they are always present in the cyber arsenals of governments.
Zero-day exploits could be used by threat actors for sabotage or cyber espionage purposes, or could be used to target a specific category of software (i.e., mobile OSes for surveillance, SCADA applications in critical infrastructure). In some cases, security experts discovered large-scale operations that infected thousands of computers by exploiting zero-day vulnerabilities in common applications (e.g., the Java platform, Adobe software).
A few days ago, for example, security experts from FireEye revealed a new highly targeted attack led by the APT28 hacking crew, which used two zero-day flaws to compromise an “international government entity”. In this case, APT28 exploited zero-day vulnerabilities in the Adobe Flash software (CVE-2015-3043) and the Windows operating system (CVE-2015-1701).
Zero-day exploits are commodities in the underground economy. Governments are the primary buyers in the growing zero-day market, but they are not the only ones: non-governmental actors are also acquiring exploit kits that include zero-days. In 2013, it was estimated that the market was capable of providing 85 exploits per day, a worrying figure for the security industry, and the situation could be worse today.
It is estimated that zero-day hunters develop a combined 100 exploits each year, resulting in 85 privately known exploits, and this estimate does not include data related to independent hacker groups whose activities are little known.
Zero-day hunters are independent hackers or security firms that analyze every kind of software looking for vulnerabilities. Then that knowledge is offered on black markets to the highest bidder, whether it’s a private company that wants to use it against a competitor or a government that wants to use it to target an adversary’s critical infrastructure.
A 2013 study by experts at NSS Labs called “The Known Unknowns” reported that every day during a three-year monitoring period, high-paying buyers had access to at least 60 vulnerabilities targeting common software produced by Adobe, Apple, Microsoft and Oracle.
“NSS Labs analyzed ten years of data from two major vulnerability buying programs, and the results show that every day over the past three years, privileged groups had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. Furthermore, these vulnerabilities were found to remain private for an average of 151 days. These numbers are considered a minimum estimate of the “known unknowns” because it is unlikely that cybercriminals, brokers or government agencies would ever share data about their operations.
Specialized companies offer zero-day vulnerabilities for subscription fees that are within the budget of a determined attacker (for example, 25 zero days per year for $2.5 million); this broke the monopoly that nation-states had historically held over the possession of the latest cyber weapons technology. Combined, half a dozen boutique exploit providers have the capacity to offer more than 100 exploits per year.”
On the black market, a zero-day exploit for the Windows operating system sells for up to $250,000, according to BusinessWeek, which is a good incentive for hackers to focus their efforts on exposing this category of vulnerability. The price could increase significantly if the bugs affect critical systems and the buyer is a government that intends to use it for information warfare.
What is very concerning is that in many cases the professionals who discover a zero-day, in order to maximize gains, offer their knowledge to hostile governments, who also use it to persecute dissidents or to attack adversary states.
The zero-day market follows its own rules: commodities are highly perishable, transactions are instantaneous, and agreement between buyers and sellers is critical.
“According to a recent article in The New York Times, firms such as VUPEN (France), ReVuln (Malta), Netragard, Endgame Systems and Exodus Intelligence (USA) advertise that they sell knowledge of security vulnerabilities for cyber espionage. The average price is between $40,000 and $160,000. Although some firms restrict their clientele, either based on country of origin or by choosing to sell only to a specific government, the ability to circumvent this restriction through agents appears to be entirely possible for determined cybercriminals. Based on service brochures and public reports, these providers may deliver at least 100 exclusive exploits per year,” the report said.
In particular, the American supplier Endgame Systems reportedly offers customers 25 exploits per year for $2.5 million.
The unchecked and unregulated zero-day exploit market is a real threat to every industry. For this reason, security experts and government agencies are constantly monitoring its development.
Zero Day Market on the Deep Web: “TheRealDeal” Marketplace
Zero-day exploits have been available on several underground Deep Web marketplaces for a long time, and it’s not hard to find malicious code and exploit kits on various black markets or hacker forums. Recently, a new black market called TheRealDeal appeared on the Deep Web. The platform was designed to provide both sellers and buyers with a privileged environment for the commercialization of rare goods.
Last month, TheRealDeal (http://trdealmgn4uvm42g.onion) emerged and focuses on commercializing zero-day exploits. The unique marketplace is hosted on the popular Tor network to protect the anonymity of actors involved in the sale of the rare commodity.
The market offers zero-day exploits related to still unknown bugs and one-day exploits that have already been published but are modified to be undetectable by defensive software.
Operators also offer one-day private exploits for known CVEs whose exploit code has never been publicly released. They also anticipated that a vendor specializing in exploits for the GSM platform would soon offer a list of very interesting hardware.
Who is behind TheRealDeal?
The website DeepDotWeb published an interview with one of the black market administrators, who explained that the project is run by four cyber experts with significant experience in the field of “clearnet, in terms of zero-day exploit code, databases and so on.”
The administrator explained that the biggest risk in commercializing zero-day exploits is that in most cases the code doesn’t work or the sellers are simply scammers.
Another factor that convinced the administrators to launch the zero-day marketplace TheRealDeal is the consideration that places where rare goods can be found are not always easily accessible. There are some IRC servers that are not easy to find or that require an invite. By contrast, TheRealDeal wants to be an “open market” focused on zero-days.
Four experts decided to launch a hidden service to create a marketplace where people can trade zero-day exploits without falling victim to a scam while remaining completely anonymous.
“We started out using BitWasp, fully aware of its history and shortcomings, but with years of hands-on experience in the security industry and not much in web design, we decided it would be a good platform because we can do our own security assessments and patches, while the whole multi-sig works perfectly. We also wanted to avoid bringing other people into the project for obvious reasons, and that was another reason not to hire a web designer etc… although we might hire one from the darknet soon, just to improve the UI a bit,” said one of the admins.
Below is a list of products available on TheRealDeal Marketplace:
- 0-Day Exploits (4)
- FUD Exploits (4)
- 1Day Private Exploits (1)
- Money (36)
- Source Code (4)
- Spam (3)
- Accounts (7)
- Other Tools (3)
- RATs (1)
- Hardware (2)
- Misc (6)
- Pharmacy (12)
- Cannabis (5)
- LSD (1)
- Shrooms (2)
- MDMA (6)
- Speed (5)
- Hot (1)
- Cold (6)
Analyzing the list of TheRealDeal Market products, it is possible to notice the availability of zero-day exploits, which are source code that could be used by hackers in cyber attacks, and of course any kind of hacking tool. The list is still short, as the market is still in its infancy, but the policy of its administrators is clear.
“Welcome…We originally opened this market to be a ‘code market’ – where rare information and code can be obtained,” reads a message from the site’s anonymous administrator. “Avoid scams completely and enjoy real code, real information and real products.”
Among the products is a new method of hacking Apple iCloud accounts and exploit kits that could be used to compromise WordPress-based websites and both mobile and desktop OSes (i.e. Android and Windows).
The price tag of the iCloud hack is $17,000, and as the seller explained, any account can be compromised. The buyer could pay in bitcoins to make it difficult to identify them.
“Any account can be obtained using a malicious request from a proxy account,” reads the description of the hack available on TheRealDeal marketplace. “Please set up a demo using my list of services to hack the account of your choice.”
The list also includes an Internet Explorer attack that is being offered for $8,000 in bitcoins, as reported by Wired in a blog post:
“Others include a technique to hack the configuration of multiple WordPress sites, an exploit against the Android Webview web browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista, and Windows 7, available for around $8,000 in Bitcoin…” “Found before 2 months of fuzzing,” the seller writes, referring to an automated method of testing the program against random samples of junk data to see when it crashes. “0 day but it could be exposed, can’t really say without risking a lot of money,” adds the seller. “You want to show a demo in the usual ways, write me, but don’t waste time!”
The product list was recently updated. It also includes an exploit for the MS15-034 Microsoft IIS remote code execution vulnerability, a bug that is actively exploited in the wild against Windows 7, 8 and 8.1, Windows Server 2008 R2, 2012 and 2012 R2.
The RealDeal marketplace also offers other products very common in the criminal ecosystem, including drugs, weapons, and remote access Trojans (RATs).
Operators have also created a specific category of “services” with the intention of attracting high-profile black hats offering their hacking services (e.g., email account takeover, DDoS services, data theft, hacking campaigns). The Information category was created for sellers who offer any kind of information, documents, databases, secret keys and similar products.
TheRealDeal does not implement a true third-party escrow model; instead, it adopts a multi-signature model to make financial transactions efficient. Basically, buyer, seller and administrators jointly control the bitcoins to be transferred, and any transaction requires the signatures of two of the three parties before the funds move. The admins decided to implement multisig transactions because their marketplace is very young and has no reputation, so buyers have no incentive to pay up front for something they can’t verify.
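As an added illustration (not code from TheRealDeal or from this article), the following Go program models the 2-of-3 rule described above, with Ed25519 keys standing in for Bitcoin keys: funds move only when two distinct parties among buyer, seller and admin sign the same transaction. It also shows the caveat a buyer should weigh: any two keys suffice, so admin and seller together can release funds without the buyer, and the signature check is what stops one party from reaching quorum alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Escrow is a 2-of-3 multisig wallet: Keys are the buyer's, the seller's and
// the admin's public keys; Threshold signatures are needed to move funds.
type Escrow struct {
	Keys      []ed25519.PublicKey
	Threshold int
}
// newKey makes an Ed25519 keypair (a stand-in for a Bitcoin key; the threshold logic is identical).
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// signTx is one party's signature over the serialized transaction.
func signTx(priv ed25519.PrivateKey, tx []byte) []byte { return ed25519.Sign(priv, tx) }
// Authorize reports whether sigs contain at least Threshold valid signatures over tx
// from distinct keys, so one party cannot reach quorum by signing twice.
func (e Escrow) Authorize(tx []byte, sigs [][]byte) bool {
	used := make([]bool, len(e.Keys))
	valid := 0
	for _, sig := range sigs {
		for i, key := range e.Keys {
			if !used[i] && ed25519.Verify(key, tx, sig) {
				used[i] = true
				valid++
				break
			}
		}
	}
	return valid >= e.Threshold
}

func main() {
	buyerPub, buyerPriv := newKey()
	sellerPub, sellerPriv := newKey()
	adminPub, adminPriv := newKey()
	esc := Escrow{Keys: []ed25519.PublicKey{buyerPub, sellerPub, adminPub}, Threshold: 2}
	tx := []byte("release 0.05 BTC to seller") // constructed sample transaction
	fmt.Println("seller alone:", esc.Authorize(tx, [][]byte{signTx(sellerPriv, tx)}))                       // false
	fmt.Println("buyer+seller:", esc.Authorize(tx, [][]byte{signTx(buyerPriv, tx), signTx(sellerPriv, tx)})) // true
	fmt.Println("seller+admin:", esc.Authorize(tx, [][]byte{signTx(sellerPriv, tx), signTx(adminPriv, tx)})) // true: admin can side with seller
}
```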
Interestingly, the marketplace also offers drugs due to high demand, but according to administrators, they might consider removing them in the future.
“There’s also a “services” category – it could be anything, but we’re hoping some high-quality blackhats will come forward and offer their services, anything from getting email access and getting a certain document to long-term campaigns. The hardware category is for toys such as fake mobile base stations and other physical “hacking” tools. Information category is for all kinds of information, documents, databases, secret keys, etc.,” the administrator added.
The following table lists the main product categories offered on the market and their prices.
|Product|Price|
|Apple id / iCloud remote exploit|USD 17025,52|
|Internet Explorer <= 11|USD 7840,70|
|Android WebView 0day RCE|USD 8176,73|
|WordPress MU RCE|USD 1008,09|
|Category: FUD Exploits||
|FUD .js download and execute|USD 291,23|
|Adobe Flash < 184.108.40.2066 (CVE-2015-0313)|USD 560,05|
|Adobe Flash < 220.127.116.117 (CVE-2015-0311)|USD 560,05|
|Category: 1Day Private Exploits||
|MS15-034 Microsoft IIS Remote|USD 42313,18|
|A5/1 Encryption Rainbow Tables|USD 67,21|
|Category: Source Code||
|Banking malware source code|USD 2,11|
|Alina POS malware full source code|USD 0,92|
|Exploit Kits Source Code|USD 1,82|
|“Start your own maket” code and server|USD 7959,43|
I’ll keep you updated on the evolution of the TheRealDeal marketplace in the next weeks.