14:15 CET, 3rd September 2013 By Pierluigi Paganini founder of the security blog "Security Affairs," Editor-in-Chief at CyberDefense magazine and author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin"..
Every day, we read about cyber-attacks and data breaches, incidents that represent in many cases a disaster for private companies and governments. Technology plays a significant role in our lives; every component that surrounds us runs a piece of software that could be affected by flaws and exploited by those with ill intentions.
Of course, the impact of these vulnerabilities depends on the nature and scope of the exposed software. Some applications are more commonly used, and their vulnerabilities could expose users to serious risks. Take for example the recent vulnerability discovered in Skype, in which a bug allowed an attacker to obtain full access to any Skype account by simply knowing the email address used by a victim during the creation of the account.
The possible damage that the exploit of a vulnerability could do depends on different factors such as the level of diffusion of the application compromised, the previous knowledge of the vulnerabilities, and the context in which the compromised application is used.
In the wide universe of vulnerabilities, zero-day vulnerabilities represent a real nightmare for security experts. Knowledge of any leak about them makes it impossible to predict how and when they could be exploited. This characteristic makes their use ideal in state-sponsored attacks and in the development of cyber weapons.
Interest in the discovery of unknown vulnerabilities for a widespread application has totally changed the role of hackers. In the past, they were figures who kept away from government affairs; today, the industry and even intelligence agencies have launched a massive recruitment campaign for this new type of expertise.
Profiting from these vulnerabilities can be done through different channels: flaws could be sold to the makers of the compromised application; a government interested in exploiting a flaw could acquire it to conduct cyber-attacks against hostile countries; or it could be sold in the underground market.
Around this concept of vulnerability grew a market in which “instantaneity” of any transactions is a fundamental factor. Once a new bug is found and exploited, the researcher must be to quickly identify possible buyers, contact them to negotiate a price, and then complete the sale. Timing is crucial; the value of the sale could decay to zero if any third party preemptively divulges information on the vulnerability.
The famous security expert Charles Miller described this market in the document, “The Legitimate Vulnerability Market: The Secretive World of 0-Day Exploit Sales,” which discusses some of the main issues:
The principal problem for a hacker who needs to sell a vulnerability is his ability to do it without exposing too much information on the flaw. The sale is very complicated because the buyers want to be certain of the effectiveness of the exploit and may possibly require a demonstration of its existence.
The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without compensation.
To respond to this emerging need, and to regulate the transactions between buyers and sellers, a new professional specializing in mediation was born: brokers for sales of Zero-Days exploits who provide anonymity to the bargaining parties in return for a commission.
Third parties ensure correct payment to the seller and the protection of the knowledge on vulnerabilities. On the buyer’s side, they verify the information the seller claims to have. Trusted third parties play a crucial role in these sales, as the market is extremely volatile and is characterized by fast dynamics. Since selling the discovery of vulnerability usually takes a few weeks, the nature of the information covered by the bargaining does not allow longer negotiation. One of the more famous third party firms that do this is Grugq, but even small companies like Vupen, Netragard and defense contractor Northrop Grumman also operate as mediators.
Netragard’s founder Adriel Desautels explained to Forbes Magazine that he’s been in the exploit-selling game for a decade, and he has observed the rapid change of the market which has literally “exploded” in just the last year.He says there are now “more buyers, deeper pockets” – that the time for a purchase has accelerated from months to weeks, and that he’s being approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago.
The lifecycle of a zero-day vulnerability is composed of the following phases:
The discovery of a zeroday vulnerability requires an urgent response. The period between the exploit of a vulnerability and the release of the proper patch to fix it is a crucial factor for the management of software flaws. Researchers Leyla Bilge and Tudor Dumitras from Symantec Research Labs presented a study entitled “Before We Knew It … An Empirical Study of Zero-Day Attacks In The Real World,” in which they explained how the knowledge of this type of vulnerabilities gives to governments, hackers and cyber criminals “a free pass” to exploit every target remaining undetected. The study revealed that typical zero-day attacks have an average duration of 312 days and once publicly disclosed, an increase of five orders of magnitude of the volume of attacks is observed, as shown in the following picture.
The disclosure of a vulnerability triggers a series of cyber-attacks that try to benefit from its knowledge and the delay in the application of the patch. The increase in offensive activity has no specific origin, which makes it hard to prevent. Groups of cyber criminals, hacktivists and cyber terrorists could try to exploit the vulnerability in various sectors and the damage they can do depends on the context they operate in.
The belief that zero-day vulnerabilities are rare is wrong. They are vulnerabilities exactly like any others with the fundamental difference that they are unknown. A study illustrated an alarming scenario: 60% of the flaws identified were unknown, and the data suggested that there are many more zero-day vulnerabilities than expected, plus, the average time proposed for the zero-day vulnerability duration may be underestimated.
One of the most debated questions is how to respond to the discovery of a zero-day vulnerability. Many experts are convinced that it is necessary to immediately disclose it but it has been observed that this usually is the primary cause for an escalation of cyber-attacks that try to exploit the bug. A second school of thought suggests keeping the discovery of a vulnerability secret, informing only the company that has designed the compromised application. In this way, it is possible to control the explosion of attacks as a consequence of the first approach. However, there is a risk that companies would fail to manage the event properly and only provide a suitable patch to fix the bug several months after it has already happened. For a deeper discussion of zero-day vulnerabilities check out the CEH v8 (Certified Ethical Hacker) course offered by the InfoSec Institute.
Many professionals believe that the real nightmare of information security is represented by zero-day vulnerabilities, flaws that are impossible to predict and expose their infrastructures to attacks that are difficult to detect and can cause serious damage. Despite the fear in zero-day attacks being recognized worldwide, infrastructures are menaced daily by a huge list of well-known vulnerabilities for which the proper countermeasures aren’t yet applied.
Failure to follow the best practices in the process of patch management is the main cause of problems for private companies and governments. In some cases, patch management processes are extremely slow and the window of exposure to cyber threats is extremely large. In other cases, and for various reasons, the administrators of the infrastructure do not undertake the necessary updates which lead to a lot of homes affected by attacks.
The result is shocking: millions of PCs every day are compromised by failure to follow simple rules. Known exploits are inefficient against correctly patched systems, but they still remain a privileged option for attackers who perform large scale attacks.
Only a few entities are able to patch their systems in a short time. Patch management has a sizable impact in large organizations with complex architectures so a patch must be analyzed in detail to avoid problems to IT infrastructure, requesting further and more time-consuming analysis.
The deployment phase has a variable length. For example, in a company located over multiple locations with a high number of strongly heterogeneous systems to patch, deployment activities are more challenging.
A known bug is also called a 1-day vulnerability. It is cheaper compared to a 0-Day, so it is really easy for an attacker to acquire information and tools on internet and in the underground to arrange a large scale attack.
Development of a 0-day is really expensive and time-consuming due the intense research that must be conducted to discover and to exploit the vulnerability. For this reason, this kind of exploits is typically used by governments, while cyber criminals appear to be more interested in 1-day exploits. Security firm Eset has demonstrated in many occasions how quickly the Blackhole gang can react to the 1-day opportunity. “There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes.”
David Harley, a senior researcher, declared:
“The increase in volume of 1-day exploits suggests that even if 0-days’ research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks.)”
How is it possible to create a tool to exploit a vulnerability once it has been disclosed? The procedure is simpler with respect to the research of zero-day vulnerability. After the release of a software patch, researchers and criminals are able to identify the fixed vulnerability using binary diffing techniques. The term diff derives from the name of the command utility used for comparing files, in the same manner as the binary of a system before and after the application of a patch are compared.
These binary diffing techniques are very efficient on Microsoft’s binaries because the company releases patches regularly, and from the analysis of patch code, it is quite simple for specialists to identify the binary code related to that patch. A couple of the most famous frameworks for binary diffing are DarunGrim2 and Patchdiff2.
Now that 0-day vulnerability and 1-day vulnerability have been introduced, it could be useful to discover the economy behind their commercialization.
An article published on Forbes’ website proposed the cost of zero-day vulnerabilities related to products of principal IT security firms.
The cost of vulnerability is influenced by many factors:
Typically, governments and intelligence agencies are more interested in these hacks because they could use them for operations such as cyber espionage campaigns or exploiting target infrastructures.
Due to the reasons explained, cyber criminals are more interested in the use of 1-day vulnerabilities typically sold in the underground market as they are easier to use against a wide range of targets.
Trend Micro has recently published a very interesting report on the Russian underground market analyzing the services and the products marketed by cyber criminals. The study is based on data obtained from the analysis of online forums and services attended by Russian hackers such as antichat.ru, xeka.ru, and carding-cc.com.
Trend Micro demonstrated that it is possible to acquire all kinds of tools and services to initialize cyber-criminal activities and frauds. The top ten activities included malware creation and sale of exploit writing.
The Russian cybercrime investigation company Group-IB published in the last month another interesting study on the Russian cybercrime market, estimating its business in 2011 to be worth $2.3 billion.
Cybercriminals are selling services to conduct cyber-attacks exploiting well-known vulnerabilities and to conduct SQL injections and cross-site scripting attacks.
Exploits are scripts that attack vulnerabilities in other programs or applications. According to Trend Micro, browser exploits are the most prevalent type as these enable the download of malicious files. Exploits introduce code that download and launch executable files on a victim’s computer.
Exploit bundles are usually installed in hosting servers. Smart bundles consist of a set of malicious scripts able to exploit the vulnerability related to the victim’s characteristics such as OS version, browser or application type.
Exploits are usually sold in a bundle but they may be sold singly or rented for a limited period of time, following a table that reports the exploit prices:
Clearly, every vulnerability represents a serious threat for a specific application. Moreover, it could also menace the security of an organization or a government when it impacts the applications and infrastructure they’ve adopted.
It is not possible to follow a standard approach to face the huge range of vulnerabilities, but a series of actions must be put in place starting at the development phase of a product. Security requirements have to be considered crucial for the design of every solution.
Preventing zero-day vulnerabilities is a utopia but much more can be done once they are discovered. An efficient response could prevent dramatic consequences from a security perspective. The process of patch management must be improved especially for large organizations, which are common targets of cyber-attacks, and which usually have long reaction times. Don’t forget that it’s a race against time, and the only guaranteed defense against the 1-day attack is to patch our systems before the attackers exploit it.