A zero-day (0day) vulnerability is a security weakness that is unknown to, and has not been patched by, the vendor. The term “zero-day” refers to the number of days the vendor has had to fix the security issue. No one knows about the vulnerability except the person who discovered it. Once the vendor releases a security patch, the bug is no longer a zero-day; it is then called an n-day, because n days have passed since the patch was released. Zero-day vulnerabilities can be found in software, firmware or hardware. Let us have a look at the current state of the zero-day exploit market.
Where Can You Purchase or Sell Zero-Day Exploits?
You can find zero-day exploits in all kinds of markets: black, grey and white. There are multiple web portals that buy and/or sell 0days, such as these:
And finally, there is the infamous platform 0day.today or the Inj3t0r Exploits Market. This website differs from others because everybody can see what is currently being offered. People are offering various exploits, business logic bugs and tricks.
What is the Price Range?
The price range for 0day exploits runs from $60,000 (Adobe Reader) up to $2,500,000 (Apple iOS) per zero-day exploit. Payouts for n-day vulnerabilities turned into functional exploits are much lower. The price for an exploit also differs from marketplace to marketplace.
How Can I Be Sure That the Purchased Exploit Will Actually Work?
There is no guarantee that the exploit will work or that the seller will not sell it to others. The seller should provide a proof of concept showing that the exploit still works. Nevertheless, you cannot be 100% sure that you will receive the original working exploit.
Which Categories of 0day Exploits Are Popular Right Now?
The zero-day market is based on supply and demand. Zerodium stated on May 13, 2020, that they are pausing acquisitions of Apple iOS exploits due to a high number of submissions. Among these were privilege escalation exploits, Safari remote code executions or sandbox escapes. However, they are still acquiring full iOS chains not requiring any user interaction (aka zero-click).
SAP NetWeaver exploits are the category currently being sought. Exploits that lead to pre-auth remote code execution, authentication bypass, or data disclosure are in especially high demand.
How to Protect Against Zero-Day Exploits?
0day attacks are very difficult to prepare for and quite unpredictable; they can be effective even in environments where state-of-the-art security controls are in place.
Despite their unpredictability, a holistic approach to security that implements defense-in-depth and zero trust can significantly lower the chance of a successful attack. Some of the controls that can help mitigate them are:
- Using endpoint detection and response (EDR) software to monitor systems and the network for changes and anomalies
- Network segmentation/isolation to prevent or limit the propagation of an exploit to other systems
- Having an incident response plan that you test regularly
- Extensive logging to enable incident response and digital forensics
- Proper vulnerability management to protect against n-day exploits