So-called “zero-day” vulnerabilities are flaws in software and hardware that even the makers of the affected product are not aware of. Zero-days can be used by attackers to remotely and completely compromise a target, for example via a zero-day flaw in a browser plugin such as Adobe Flash or Oracle’s Java. These flaws are coveted, prized, and in some cases stockpiled by cybercriminals and nation states alike because they enable very stealthy and targeted attacks.

Trustwave researchers said that hackers have unearthed a zero-day vulnerability that grants attackers admin rights, which the sellers claim works on any Windows machine from Windows 2000 up to a fully patched Windows 10. The listing was first spotted on May 11, posted by a seller using the handle “BuggiCorp” on the semi-exclusive Russian-language cybercrime forum exploit[dot]in, with an initial asking price of $95,000; the price was lowered to $90,000 on May 23.

“For this type of capability $95,000 USD does sound reasonable. These are relatively rare, and take a degree of expertise to develop, thus they are valuable to attackers and defenders alike,” said Logan Brown, president of Exodus Intelligence, which runs its own vulnerability purchasing program, among other offerings.

“A cyber gang would be eager to use this to leverage malware and ransomware to get a much better ROI by combining exploits. Also, any nation state type APT attack would easily see this as key tool in sophisticated network penetration,” said

“Based on this and the prices we know about, the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign,” Trustwave wrote.

The listing describes the item as an “exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys. The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000,” according to the seller.

“While the most coveted zero day would be a Remote Code Execution (RCE) exploit, Local Privilege Escalation vulnerabilities are likely next in line in popularity. Although such an exploit can’t provide the initial infection vector like a Remote Code Execution would, it is still a very much needed puzzle piece in the overall infection process,” Trustwave wrote.
Since this is a case of criminals selling to criminals, the seller tries to build some level of trust into the deal. To support his claims, the seller includes two videos of the exploit in action. The first shows it running on what appears to be a system patched all the way up through this month’s (May 2016) batch of patches from Microsoft. The second appears to show the exploit working even though the test machine is running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), a free software framework designed to block or blunt exploits against known and unknown vulnerabilities in Windows and in third-party applications that run on top of Windows.
BuggiCorp, the seller of the Windows LPE zero-day, was asked by several forum members whether his zero-day was related to a vulnerability that Microsoft patched on April 12, 2016. BuggiCorp responded that his is different. Still, a zero-day thread is an unusual sight on such an open cybercrime forum, Trustwave’s Mador said. “Finding a zero day listed in between these fairly common offerings is definitely an anomaly,” he said. “It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed.”

Those behind the exploit say the zero-day will be sold to a single buyer only, for $90,000. That buyer will also receive the source code for the exploit and the demo, free updates addressing any security enhancements added to Windows, a comprehensive write-up of the vulnerability, and complimentary consultation on integrating the exploit.