Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
05:27 PM
Connect Directly

47% of Criminals Buying Exploits Target Microsoft Products

Researchers examine English- and Russian-language underground exploits to track how exploits are advertised and sold.

RSA CONFERENCE 2021 – Microsoft products accounted for 47% of the CVEs that cybercriminals request across underground forums, according to researchers who conducted a yearlong study into the exploit market.

The research spanned more than 600 English and Russian language forums, said Mayra Rosario Fuentes, senior threat researcher at Trend Micro, who presented some of the findings in her RSA Conference talk "Tales from the Underground: The Vulnerability Weaponization Lifecycle." Researchers sought to learn which exploits were sold and requested, the types of sellers and buyers involved in transactions, and how their findings compared with their detection systems'.

Researchers scoured advertisements for the sales of exploits from January 2019 through December 2020. They learned Microsoft's tools and services made up 47% of all requested CVEs on underground forums. Internet-connected products made up only 5%, "but with increased bandwidth of connected devices with the new 5G entering the market, IoT devices will become more vulnerable to cyberattack," noted Fuentes in her talk.

More than half (52%) of exploits requested were less than two years old. Buyers were willing to pay an average of $2,000 (USD) for requested exploits; however, some offered up to $10,000 for zero-day exploits targeting Microsoft products.

Fuentes shared some examples of these exploit requests. One forum post requested help regarding an exploit for CVE-2019-1151, a Microsoft Graphics remote code execution (RCE) vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. Another offered $2,000 for help in exploiting an RCE flaw in the Apache Web server.

When researching forum posts advertising exploits, researchers found 61% targeted Microsoft products. The highest percentage (31%) were for Microsoft Office, 15% were for Microsoft Windows, 10% were for Internet Explorer, and 5% were for Microsoft Remote Desktop Protocol. Fuentes noted exploits for Office and Adobe were most common in English language forums.  

A comparison of cybercriminals' wish lists and sold exploits revealed parallels between the two categories, Fuentes pointed out.

"We noticed what was requested was very similar to what the market was offering," she said. "Cybercriminals may have seen the requested items from users before deciding what items to offer on the market."

Microsoft Word and Excel exploits "dominated" in both categories, Fuentes continued, digging into the broader Office category. Word and Excel made up 46% of exploits on criminals' wish lists and 52% of exploits advertised on underground forums.

The Life Cycle of Underground Exploits
Fuentes discussed how exploits are developed and sold, starting from the beginning. An exploit may first be developed by an attacker, who sells it and it's then used in the wild. From there, it is usually disclosed publicly and patched by the vendor. This may end the exploit's life cycle, or it will continue to be offered for sale on Dark Web forums.

There are multiple types of sellers, she noted. An experienced seller with at least five years of experience might sell a couple of zero-day or one-day exploits per year with prices ranging from $10,000 to $500,000. Some sellers are disgruntled with bug bounty programs due to long response times or payouts lower than expected – Fuentes noted most people were happy with bug bounty experiences, but those who weren't may sell exploits on underground forums.

Other "bounty sellers" may have cashed in on the maximum amount of bounty submissions for the year, or they may offer to buy exploits they can use to cash in on bug bounty programs. There are some who find exploits that other people developed and sell them as their own.

Some sellers advertise "exploit builder" subscription services ranging from $60 for one month, to $120 for three months, to $200 for six months. The packages include a range of different types of exploits, along with "free updates" and "full support" for criminal buyers, she noted.

While zero-days may fetch a higher price, many exploits sold on the underground targeted older systems. Researchers found 22% of exploits sold were more than three years old, and 48% of those requested were older than three years. The oldest vulnerability discovered was from 1999, Fuentes said, adding the average time to patch an Internet-facing system is 71 days.

Older vulnerabilities requested included CVE-2014-0133 in Red Hat and CVE-2015-6639 in Qualcomm. Those sold included Microsoft CVE-2017-11882, a 17-year-old memory corruption issue in Microsoft Office, along with Office vulnerability CVE-2012-0158 and CVE-2016-5195, a Linux kernel vulnerability dubbed Dirty Cow that sold for $3,000 on the underground, she said.

"The longevity of a valuable exploit is longer than most expect," Fuentes said. "Patching yesterday's vulnerability can be just as important as today's critical one."

Trend Micro will release a report with the full findings in a few weeks, she noted.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...