Wealthy cybercriminals are using zero-day hacks more than ever


Organized cybercriminals with a lot of money are fueling an increase in the use of powerful, expensive zero-day hacking exploits.

Zero-day exploits allow hackers to access a target because cyber-defenders have had no time to fix the newly discovered holes. The tools are extremely powerful, dangerous, and highly valuable. Zero-days can cost more than a million dollars to purchase or develop. For that reason, they have historically been found in the arsenals of the most sophisticated state-sponsored cyberespionage groups on Earth.

But new research from the cybersecurity firm Mandiant shows that in a record-breaking year for hacking attacks, the proportion of zero-days exploited by cybercriminals is growing. One-third of all hacking groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to Mandiant’s research. Cybercriminals were only able to deploy a small percentage of zero-days in the past decade. Experts believe that the rapid changes are due to the multibillion-dollar ransomware market.

“Ransomware groups have been able to recruit new talent and to use the resources from their ransomware operations and from the insane amounts of revenue they’re pulling in in order to focus on what was once the domain of state-sponsored [hacking] groups,” says James Sadowski, a researcher with Mandiant.

Zero-days are often bought and sold in the shadows, but what we do know shows how much money is involved. A recent MIT Technology Review report described how an American company sold a powerful iPhone zero-day for $1.3 million. Zerodium, a zero-day vendor, is willing to pay $2.5 million for any zero-day that gives hackers control of an Android phone. Zerodium then turns around and sells the exploit to another organization, perhaps an intelligence agency, at a significant markup. Because zero-days can provide an instant trump card in the global game of spying, governments are willing to pay this amount.

But criminals also find them valuable. One particularly aggressive and adept ransomware group, known by the code name UNC2447, exploited a zero-day vulnerability in SonicWall, a virtual private network tool used in major corporations around the world. After gaining access, the hackers used ransomware to force victims to pay. They threatened to inform the media about the hacks and to sell the victims’ data on the dark web.

Darkside is perhaps the most well-known ransomware group in recent history. They are the hackers responsible for the shutdown of the Colonial Pipeline, and ultimately for a fuel shortage in the eastern United States. Sadowski claims that they also exploited at most one zero-day during a brief but intense period. Darkside was soon world-famous and attracted all the unwanted attention of law enforcement. The group has since been rebranded.

A hacker might consider a one-day or two-day vulnerability the next best thing to a zero-day: a security hole that was disclosed recently but has not yet been patched by potential targets around the globe. Cybercriminals are also making rapid progress in this race.

Cybercrime organizations “are picking up state sponsored threat actors’ zero days at a faster pace,” says Adam Meyers, senior vice president of intelligence at Crowdstrike. The criminals see the zero-days being used, then they sprint to steal the tools for their own purposes. Most cyber-defenders don’t know what’s going on. “They quickly learn how to use it and then they leverage it for their continued operations,” Meyers says.


Cybercriminals can recruit and pay for technical talent because they are making more money than ever. The prospect of even larger payoffs is an incentive to adopt zero-days quickly for their own ends.

Last year, Chinese-government-sponsored hacking groups began targeting Microsoft Exchange email servers with zero-day attacks in a widespread campaign led by some of the country’s most sophisticated cyberespionage operators. As with all predators, scavengers followed: within days, financially motivated cybercriminals had the tool in their possession.
