Windows zero-day exploit offered for sale on underground market

Someone is selling an exploit for a Windows zero-day on an underground market for Russian-speaking cyber criminals, and the current price is set at $90,000.

Trustwave researchers have discovered the advertisement in early May and believe it to be genuine, although they point out that it’s impossible to know for sure unless one buys the exploit and tries it out.

“Zero days have long been sold in the shadows. In this business you usually need to ‘know people who know people’ in order to buy or sell this kind of commodity. This type of business transaction is conducted in a private manner, meaning either direct contact between a potential buyer and the seller or possibly mediated by a middle man,” they explained, and noted that this particular offer is definitely an anomaly.

“It goes to show that zero days are coming out of the shadows and are fast becoming a commodity for the masses, a worrying trend indeed,” they added.

The exploit in question is for a Local Privilege Escalation (LPE) vulnerability in Windows and, the seller claims, it works on all versions of the OS, including Windows 10 and Windows Server versions, and all OS architectures.

“It seems the seller has put in the effort to present himself/herself as a trustworthy seller with a valid offering. One of the main indicators for this is the fact that the seller insists on conducting the deal using the forum’s admin as the escrow,” they noted.

The seller also provided two video demonstrations of the exploit in action on Windows 10, which show a successful elevation of the CMD EXE process to the SYSTEM account (highest level of privilege on the OS), and the exploit bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET):

The seller promises that the exploit will be sold to one single buyer, and offers to provide source code of the exploit, a demo of it, free of charge updates to address any Windows version that the exploit might not work on, vulnerability details, and a consultation on integrating the exploit.

While a Remote Code Execution (RCE) exploit would likely be more pricy, this one is also a great way to compromise Windows systems.

As Trustwave researchers noted, it could be used to perform sandbox escapes, install rootkits, modify system properties that allow persistence on the system, install additional malicious software, etc.

They notified Microsoft of the offering, and hopefully the limited vulnerability information provided by the seller will be enough to point them in the right direction and allow them to discover and patch the flaw themselves.

As for users, advice for protection against this and other zero-day exploits includes keeping software up-to-date, implementing a layered defense, and using common sense.