UPDATE: The seller once again lowered their price on the 6th of June to $85,000USD. This means that the exploit hasn't sold yet and seller may be having problems finding a buyer.
Over the years we've seen practically exponential growth in the underground economy. Criminals are organizing their efforts online on a scale we haven't seen before. Capitalizing on the anonymity of private forums, cryptocurrency and anonymous networks, cybercriminals have evolved their techniques and tactics tremendously.
We've seen these criminals change from individuals and small, tight groups to large, disparate networks of criminals where individuals typically don't know each other at all save for a nickname on a specific forum. Out of this we've seen small malware campaigns become malware-as-a-service where malware can equal instant revenue through ransomware. Single "drive-by" malicious websites have become distributed exploit kits.
Criminal enterprises have splintered as well in this new environment. It used to be that a single group would develop malware, find victims, design a campaign, and monetize the data theft. These days criminals can flourish doing the one thing they are good at and selling that one thing as a service to others.
Malware developers specifically seem to benefit from this new environment. It could be that they feel less of a bite at their conscience if they are only developing the malware and not actually victimizing people with it. It could be that the developers feel they are at less of a risk of getting caught by law enforcement by keeping their profile low. What we do know is that the underground malware and exploit market place is very profitable and the development of zero days has become a bigger and bigger piece of this underground economy.
Last year, a great write up was published by Vlad Tsyrklevich which revealed a lot of interesting information about the zero day market and prices: https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/. He notes specifically that a person by the name Eugene Ching was paid a total of 80K USD for a working zero day. The payment was divided to a contract fee and a bonus for the specific delivery. There is also the case of zero day vendor Zerodium who have published their price list here: https://www.zerodium.com/program.html. Zerodium will pay anywhere from 5K-500K USD depending on the nature of the zero day.
We've also seen zero days in action in the market place via the Angler Exploit Kit. Last year Angler introduced four zero-day exploits as a part of their offering and due to the constantly refreshed list of new exploits, Angler skyrocketed to the most popular exploit kit on the market last year representing 40% of all exploit kit-related incidents Trustwave SpiderLabs observed last year.
However, zero days have long been sold in the shadows. In this business you usually need to "know people who know people" in order to buy or sell this kind of commodity. This type of business transaction is conducted in a private manner, meaning either direct contact between a potential buyer and the seller or possibly mediated by a middle man.
As such, a zero day being offered for sale stood out among the other offerings in an underground market for Russian-speaking cyber criminals. This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose. However, finding a zero day listed in between these fairly common offerings is definitely an anomaly. It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.
The zero day in question claims to be a Local Privilege Escalation (LPE) vulnerability in Windows. Below is a screen shot of the original offer, posted on May 11th 2016:
"Dear friends, I offer you a rare product.
Exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys. The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000. [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10. The vulnerability is of "write-what-where" type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit. The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn't get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs]. The [source code] project of the exploit and a demo example are written in C and assembly with MSVC 2005. The output is a "lib"-file which can later be linked to any other code, and [additional output from the source code project] is a demo EXE file which launches CMD EXE and escalates the privileges to SYSTEM account. The resulting EXE file size is between 7KB to 12KB depending on OS architecture. The exploit was tested on all versions of Windows, starting from XP, and on at least 20 different variants of Windows OS, including Windows Server versions.
The exploit is offered in two variants:
- Simple escalation of privileges to SYSTEM account for any given process.
- Escalation of privileges for any given process and the ability to execute code in Ring0. When exploiting the vulnerability, you can pass a pointer to a piece of code you want to execute in Ring0 (kernel mode). The method in use [to execute in kernel mode] basically modifies the PTE record of the [memory] page, specifically the ownership flag, changing it from "User" to "Kernel". Next, we will allocate memory from a non-paged pool, copy the pointed "user code" to the newly allocated memory, then pass the execution to it [the "user code"] and eventually restore the PTE record [to its original values]. This method doesn't rely on unstable tricks like ROP and doesn't conflict with SMEP and other protection mechanisms.
The buyer will receive:
- Source code project based on MSVC2005, with all the source code of the exploit and a demo for the exploit.
- Free of charge updates to address any Windows version that the exploit might not work on (Might be the case with Windows 10 as there is a large number of different builds).
- A detailed write up of the vulnerability details (including the specific vulnerable code in win2k).
- Complementary consultation on integrating the exploit according to your needs (within reason).
- On request – convert the source code project to a different MSVC version.
Willing to accept offers starting from 95k [USD]
Do not offer revenue sharing as payment. Respect your and my time.
Escrow – the forum admin." (Translation ends here)
It seems the seller has put in the effort to present himself/herself as a trustworthy seller with a valid offering. One of the main indicators for this is the fact that the seller insists on conducting the deal using the forum's admin as the escrow. In an update posted by the seller on 23rd of May (see screenshot above) it is stated that the exploit will be sold exclusively to a single buyer. Additionally, the seller provides two proof videos for any potential buyers that might be concerned with the validity of the offer. The first video shows a fully updated Windows 10 machine being exploited successfully, by elevating the CMD EXE process to the SYSTEM account. It is interesting to note that the video was actually recorded on "Patch Tuesday" and the author made sure the latest updates were installed.
The second video shows the exploit successfully bypassing all of EMET protections for the latest version of the product.
It's important to mention that despite the indications that the offer is authentic, there's no way to know this with absolute certainty without taking the risk of purchasing the exploit or waiting for it to appear in the wild.
While the most coveted zero day would be a Remote Code Execution (RCE) exploit, Local Privilege Escalation vulnerabilities are likely next in line in popularity. Although such an exploit can't provide the initial infection vector like a Remote Code Execution (RCE) would, it is still a very much needed puzzle piece in the overall infection process. For instance, an LPE exploit paired with a client-side RCE exploit can allow an attacker to escape an application that implements sandbox protection (For example Google Chrome, Adobe Reader, etc…). Moreover, an LPE exploit provides the means to persist on an infected machine, which is a crucial aspect when considering APTs (Advanced Persistent Threats). In general terms, this exploit can be leveraged in almost any kind of attack scenario. Let's review the potential capabilities presented to an attacker purchasing this exploit:
- Escape from sandbox if the initial compromise vector is an RCE for a sandboxed app (e.g. Google Chrome, Adobe Reader, etc…) – essentially converting a very limited RCE exploit into a fully functional takeover tool.
- Since the zero day exploit in this case provides the means to execute code in ring0, the buyer will be able use it to install a root kit on the victim machine, hiding itself in a much more efficient manner. This allows the attacker to avoid detection and prolong the control over the infected system.
- The seller specifically notes that the exploit has been tested on Windows Server OS versions. This presents a new possibility if an attacker already has some form of limited control over a web server (SQLi, web shell with limited privileges – as is often the case, since all modern web servers run under a designated user account with limited privileges).
- Modify system properties that allow persistence on the system. A recent example posted by FireEye shows how crooks used a zero day LPE for Windows (exactly like the one in this case!) to persist on POS systems and steal credit card data.
- Install additional (malicious) software – a privilege reserved for administrative accounts on Windows and on other OS's: http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/
A quick thought about the price of this zero day. We don't have many public records of what the price of such exploit should be, but we can refer back to the prices discussed earlier being offered by Zerodium and written about by Vlad Tsyrklevich. Even though the price of the zero day was lowered 12 days after the initial post, it was only lowered a mere 5.3% from 95K to 90K. Based on this and the prices we know about, the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign.
All software has bugs. This is the base assumption of any person who has ever worked with code, security professional or developer. Trustwave SpiderLabs has worked with Microsoft for many years and we know first hand the amazing lengths Microsoft goes to in order to prevent zero days. From embracing independent research and bug bounty programs to establishing the MAPP program with transparency into their patching process. Unfortunately, it's occasionally the case where criminals find those bugs before the "good guys".
Now that we understand that these situations do occur, we've established that the offer is likely a valid zero day, and that the asking price is likely to be met by an interested cybercriminal, the obvious question left open is "What can we do about it?"
Due to all the "unknowns" associated with zero days, it's hard to provide specific advice for protection. Luckily, this is not the first (and unfortunately not the last) zero day, so we can use lessons learned from previous cases to provide some general guidance that has proven itself over the years:
- Keep your software up-to-date: as we discussed, a LPE is one component of several that constitute a successful compromise. If you can break one link in the chain and you will probably thwart the entire attack. Consider the scenario where this LPE exploit is used in tandem with an RCE exploit to break out of a sandbox. Your machine may not be patched against the zero day LPE, but it may very well be patched against the RCE component of the attack.
- Security works in layers: Following the above logic, a link in the chain can be broken in various parts of your security infrastructure. Deploying a full stack of intelligent security products will increase the odds of breaking one of these links.
- Common sense: Many attacks these days begin and depend on user interaction, such as clicking a link or opening an attachment. Avoid clicking suspicious links or opening attachments from unsolicited sources.
We have notified Microsoft of the zero day offering and we continue to monitor the situation. We plan to update this blog post should we come across any new information.