Why would an attacker ever want to sit on a zero-day exploit?












92














I am trying to understand why an attacker would want to wait to use a zero-day exploit.



I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



Question: What factors would cause the attacker to wait to use a zero-day exploit?










share|improve this question


















  • 10




    Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
    – eckes
    Dec 3 '18 at 8:15






  • 36




    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
    – Harper
    Dec 4 '18 at 0:16








  • 23




    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
    – HenricF
    Dec 4 '18 at 10:39






  • 6




    @Harper Ha ha... Everyone is foreign to someone... :-)
    – Marcel
    Dec 4 '18 at 14:47






  • 8




    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
    – barbecue
    Dec 5 '18 at 14:13
















92














I am trying to understand why an attacker would want to wait to use a zero-day exploit.



I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



Question: What factors would cause the attacker to wait to use a zero-day exploit?










share|improve this question


















  • 10




    Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
    – eckes
    Dec 3 '18 at 8:15






  • 36




    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
    – Harper
    Dec 4 '18 at 0:16








  • 23




    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
    – HenricF
    Dec 4 '18 at 10:39






  • 6




    @Harper Ha ha... Everyone is foreign to someone... :-)
    – Marcel
    Dec 4 '18 at 14:47






  • 8




    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
    – barbecue
    Dec 5 '18 at 14:13














92












92








92


20





I am trying to understand why an attacker would want to wait to use a zero-day exploit.



I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



Question: What factors would cause the attacker to wait to use a zero-day exploit?










share|improve this question













I am trying to understand why an attacker would want to wait to use a zero-day exploit.



I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.



Question: What factors would cause the attacker to wait to use a zero-day exploit?







zero-day






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 3 '18 at 0:33









jonem

572126




572126








  • 10




    Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
    – eckes
    Dec 3 '18 at 8:15






  • 36




    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
    – Harper
    Dec 4 '18 at 0:16








  • 23




    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
    – HenricF
    Dec 4 '18 at 10:39






  • 6




    @Harper Ha ha... Everyone is foreign to someone... :-)
    – Marcel
    Dec 4 '18 at 14:47






  • 8




    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
    – barbecue
    Dec 5 '18 at 14:13














  • 10




    Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
    – eckes
    Dec 3 '18 at 8:15






  • 36




    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
    – Harper
    Dec 4 '18 at 0:16








  • 23




    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
    – HenricF
    Dec 4 '18 at 10:39






  • 6




    @Harper Ha ha... Everyone is foreign to someone... :-)
    – Marcel
    Dec 4 '18 at 14:47






  • 8




    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
    – barbecue
    Dec 5 '18 at 14:13








10




10




Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
– eckes
Dec 3 '18 at 8:15




Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
– eckes
Dec 3 '18 at 8:15




36




36




Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
– Harper
Dec 4 '18 at 0:16






Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
– Harper
Dec 4 '18 at 0:16






23




23




If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
– HenricF
Dec 4 '18 at 10:39




If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
– HenricF
Dec 4 '18 at 10:39




6




6




@Harper Ha ha... Everyone is foreign to someone... :-)
– Marcel
Dec 4 '18 at 14:47




@Harper Ha ha... Everyone is foreign to someone... :-)
– Marcel
Dec 4 '18 at 14:47




8




8




@forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
– barbecue
Dec 5 '18 at 14:13




@forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
– barbecue
Dec 5 '18 at 14:13










7 Answers
7






active

oldest

votes


















158














It's more likely that you'll burn a 0day by using it than by sitting on it.



There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



There are a few other reasons 0days may be kept for long periods:




  1. Some people simply hoard 0days for the sake of it. This is all too common.


  2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


  3. Sometimes a 0day broker is sitting on them while waiting for the right client.


  4. The 0day may be useless on its own, needing to be chained with other exploits to work.



There was some interesting research presented at BH US which analyzed the life of 0days.






share|improve this answer



















  • 41




    "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
    – Paul Draper
    Dec 3 '18 at 17:48








  • 1




    What does it mean to "borrow" an exploit?
    – Oddthinking
    Dec 4 '18 at 21:52






  • 3




    @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
    – forest
    Dec 5 '18 at 1:56






  • 8




    @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
    – slebetman
    Dec 5 '18 at 2:58



















44















  1. The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.


  2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.


  3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program)







share|improve this answer





























    28














    Because the old ways are the best.
    Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
    Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






    share|improve this answer





























      21














      From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



      Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



      Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



      This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






      share|improve this answer































        12














        Maybe an attacker with a 0day is waiting for a good opportunity.



        Most targets have their highs and lows. If one's goal is to wreck havoc, and make as much dammages as possible, then using a 0day immediately after uncovering it might not be the best idea.



        Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some other have critical periods to launch a new product, or handle a particularily sensitiv set of data.



        Exploiting the vulnerability that was found before such event, means there's a risk it'll be discovered before it happens. And so the attacker lose an opportunity to hit pretty hard.



        Should he wait until he knows enough about a target to strike exactly where and more importantly when it hurts, and it will be jackpot.



        In 2017, there was a crypto ransomware campaign that targeted compagnies during lunch hours.



        That worked nicely, people locked their computers, go somewhere to eat, and when everyone get back to their office at 2 P.M everything was already enciphered. No one was there to ring the alarm bell.



        Now apply this attack just before an important board meeting at the end of the financial year, or during a period of mediatic attention to the target. It could damage severely the image of this target, and cost millions if not billions. While performing an attack at some other point might not be noticed at all.






        share|improve this answer





























          6














          When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.



          Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.



          A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.



          Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.



          And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need different and new exploit. You burned your exploit.



          Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.



          We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.



          It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.






          share|improve this answer































            5














            Another reason is they can't use it (optimally) at the moment. Examples are:




            • They might have a specific target like a diplomat in mind but the exploit requires to be in the same Ethernet-/WiFi-network or physical access. So they have to wait until this condition is met or arrange it so the condition is met.


            • They don't have enough information about the target yet. For example they need to find out a way on which server the interesting information is hosted. If they use the exploit to soon before finding the files, the more likely it is they are detected and the exploit gets burned.


            • They currently don't have the resources/manpower to launch the attack because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).


            • They lack of other tools required to use effectively. The might have an Email exploit to run their code when the victim opens the mail but all their RAT-tools/botnet-clients/ransom-ware is currently detected by all virus scanner, so it would be useless to burn it.







            share|improve this answer























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "162"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              7 Answers
              7






              active

              oldest

              votes








              7 Answers
              7






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              158














              It's more likely that you'll burn a 0day by using it than by sitting on it.



              There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



              Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



              There are a few other reasons 0days may be kept for long periods:




              1. Some people simply hoard 0days for the sake of it. This is all too common.


              2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


              3. Sometimes a 0day broker is sitting on them while waiting for the right client.


              4. The 0day may be useless on its own, needing to be chained with other exploits to work.



              There was some interesting research presented at BH US which analyzed the life of 0days.






              share|improve this answer



















              • 41




                "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
                – Paul Draper
                Dec 3 '18 at 17:48








              • 1




                What does it mean to "borrow" an exploit?
                – Oddthinking
                Dec 4 '18 at 21:52






              • 3




                @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
                – forest
                Dec 5 '18 at 1:56






              • 8




                @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
                – slebetman
                Dec 5 '18 at 2:58
















              158














              It's more likely that you'll burn a 0day by using it than by sitting on it.



              There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



              Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



              There are a few other reasons 0days may be kept for long periods:




              1. Some people simply hoard 0days for the sake of it. This is all too common.


              2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


              3. Sometimes a 0day broker is sitting on them while waiting for the right client.


              4. The 0day may be useless on its own, needing to be chained with other exploits to work.



              There was some interesting research presented at BH US which analyzed the life of 0days.






              share|improve this answer



















              • 41




                "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
                – Paul Draper
                Dec 3 '18 at 17:48








              • 1




                What does it mean to "borrow" an exploit?
                – Oddthinking
                Dec 4 '18 at 21:52






              • 3




                @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
                – forest
                Dec 5 '18 at 1:56






              • 8




                @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
                – slebetman
                Dec 5 '18 at 2:58














              158












              158








              158






              It's more likely that you'll burn a 0day by using it than by sitting on it.



              There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



              Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



              There are a few other reasons 0days may be kept for long periods:




              1. Some people simply hoard 0days for the sake of it. This is all too common.


              2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


              3. Sometimes a 0day broker is sitting on them while waiting for the right client.


              4. The 0day may be useless on its own, needing to be chained with other exploits to work.



              There was some interesting research presented at BH US which analyzed the life of 0days.






              share|improve this answer














              It's more likely that you'll burn a 0day by using it than by sitting on it.



              There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.



              Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.



              There are a few other reasons 0days may be kept for long periods:




              1. Some people simply hoard 0days for the sake of it. This is all too common.


              2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.


              3. Sometimes a 0day broker is sitting on them while waiting for the right client.


              4. The 0day may be useless on its own, needing to be chained with other exploits to work.



              There was some interesting research presented at BH US which analyzed the life of 0days.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Dec 3 '18 at 9:18

























              answered Dec 3 '18 at 3:09









              forest

              32k1598108




              32k1598108








              • 41




                "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
                – Paul Draper
                Dec 3 '18 at 17:48








              • 1




                What does it mean to "borrow" an exploit?
                – Oddthinking
                Dec 4 '18 at 21:52






              • 3




                @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
                – forest
                Dec 5 '18 at 1:56






              • 8




                @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
                – slebetman
                Dec 5 '18 at 2:58














              • 41




                "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
                – Paul Draper
                Dec 3 '18 at 17:48








              • 1




                What does it mean to "borrow" an exploit?
                – Oddthinking
                Dec 4 '18 at 21:52






              • 3




                @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
                – forest
                Dec 5 '18 at 1:56






              • 8




                @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
                – slebetman
                Dec 5 '18 at 2:58








              41




              41




              "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
              – Paul Draper
              Dec 3 '18 at 17:48






              "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
              – Paul Draper
              Dec 3 '18 at 17:48






              1




              1




              What does it mean to "borrow" an exploit?
              – Oddthinking
              Dec 4 '18 at 21:52




              What does it mean to "borrow" an exploit?
              – Oddthinking
              Dec 4 '18 at 21:52




              3




              3




              @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
              – forest
              Dec 5 '18 at 1:56




              @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
              – forest
              Dec 5 '18 at 1:56




              8




              8




              @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
              – slebetman
              Dec 5 '18 at 2:58




              @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
              – slebetman
              Dec 5 '18 at 2:58













              44















              1. The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.


              2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.


              3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program)







              share|improve this answer


























                44















                1. The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.


                2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.


                3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program)







                share|improve this answer
























                  44












                  44








                  44







                  1. The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.


                  2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.


                  3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program)







                  share|improve this answer













                  1. The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.


                  2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.


                  3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program)








                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 3 '18 at 4:51









                  Anon

                  44112




                  44112























                      28














                      Because the old ways are the best.
                      Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                      Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                      share|improve this answer


























                        28














                        Because the old ways are the best.
                        Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                        Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                        share|improve this answer
























                          28












                          28








                          28






                          Because the old ways are the best.
                          Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                          Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.






                          share|improve this answer












                          Because the old ways are the best.
                          Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
                          Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Dec 3 '18 at 1:55









                          McMatty

                          2,8501414




                          2,8501414























                              21














                              From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                              Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                              Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                              This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






                              share|improve this answer




























                                21














                                From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






                                share|improve this answer


























                                  21












                                  21








                                  21






                                  From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                  Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                  Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                  This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?






                                  share|improve this answer














                                  From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.



                                  Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.



                                  Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.



                                  This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?







                                  share|improve this answer














                                  share|improve this answer



                                  share|improve this answer








                                  edited Dec 3 '18 at 4:02

























                                  answered Dec 3 '18 at 3:54









                                  bwDraco

                                  473210




                                  473210























                                      12














                                      Maybe an attacker with a 0day is waiting for a good opportunity.



                                      Most targets have their highs and lows. If one's goal is to wreck havoc, and make as much dammages as possible, then using a 0day immediately after uncovering it might not be the best idea.



                                      Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some other have critical periods to launch a new product, or handle a particularily sensitiv set of data.



                                      Exploiting the vulnerability that was found before such event, means there's a risk it'll be discovered before it happens. And so the attacker lose an opportunity to hit pretty hard.



                                      Should he wait until he knows enough about a target to strike exactly where and more importantly when it hurts, and it will be jackpot.



                                      In 2017, there was a crypto ransomware campaign that targeted compagnies during lunch hours.



                                      That worked nicely, people locked their computers, go somewhere to eat, and when everyone get back to their office at 2 P.M everything was already enciphered. No one was there to ring the alarm bell.



                                      Now apply this attack just before an important board meeting at the end of the financial year, or during a period of mediatic attention to the target. It could damage severely the image of this target, and cost millions if not billions. While performing an attack at some other point might not be noticed at all.






                                      share|improve this answer


























                                        12














                                        Maybe an attacker with a 0day is waiting for a good opportunity.



                                        Most targets have their highs and lows. If one's goal is to wreck havoc, and make as much dammages as possible, then using a 0day immediately after uncovering it might not be the best idea.



                                        Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some other have critical periods to launch a new product, or handle a particularily sensitiv set of data.



                                        Exploiting the vulnerability that was found before such event, means there's a risk it'll be discovered before it happens. And so the attacker lose an opportunity to hit pretty hard.



                                        Should he wait until he knows enough about a target to strike exactly where and more importantly when it hurts, and it will be jackpot.



                                        In 2017, there was a crypto ransomware campaign that targeted compagnies during lunch hours.



                                        That worked nicely, people locked their computers, go somewhere to eat, and when everyone get back to their office at 2 P.M everything was already enciphered. No one was there to ring the alarm bell.



                                        Now apply this attack just before an important board meeting at the end of the financial year, or during a period of mediatic attention to the target. It could damage severely the image of this target, and cost millions if not billions. While performing an attack at some other point might not be noticed at all.






                                        share|improve this answer
























                                          12












                                          12








                                          12






                                          Maybe an attacker with a 0day is waiting for a good opportunity.



                                          Most targets have their highs and lows. If one's goal is to wreck havoc, and make as much dammages as possible, then using a 0day immediately after uncovering it might not be the best idea.



                                          Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some other have critical periods to launch a new product, or handle a particularily sensitiv set of data.



                                          Exploiting the vulnerability that was found before such event, means there's a risk it'll be discovered before it happens. And so the attacker lose an opportunity to hit pretty hard.



                                          Should he wait until he knows enough about a target to strike exactly where and more importantly when it hurts, and it will be jackpot.



                                          In 2017, there was a crypto ransomware campaign that targeted compagnies during lunch hours.



                                          That worked nicely, people locked their computers, go somewhere to eat, and when everyone get back to their office at 2 P.M everything was already enciphered. No one was there to ring the alarm bell.



                                          Now apply this attack just before an important board meeting at the end of the financial year, or during a period of mediatic attention to the target. It could damage severely the image of this target, and cost millions if not billions. While performing an attack at some other point might not be noticed at all.






                                          share|improve this answer












                                          Maybe an attacker with a 0day is waiting for a good opportunity.



                                          Most targets have their highs and lows. If one's goal is to wreck havoc, and make as much dammages as possible, then using a 0day immediately after uncovering it might not be the best idea.



                                          Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some other have critical periods to launch a new product, or handle a particularily sensitiv set of data.



                                          Exploiting the vulnerability that was found before such event, means there's a risk it'll be discovered before it happens. And so the attacker lose an opportunity to hit pretty hard.



                                          Should he wait until he knows enough about a target to strike exactly where and more importantly when it hurts, and it will be jackpot.



                                          In 2017, there was a crypto ransomware campaign that targeted compagnies during lunch hours.



                                          That worked nicely, people locked their computers, go somewhere to eat, and when everyone get back to their office at 2 P.M everything was already enciphered. No one was there to ring the alarm bell.



                                          Now apply this attack just before an important board meeting at the end of the financial year, or during a period of mediatic attention to the target. It could damage severely the image of this target, and cost millions if not billions. While performing an attack at some other point might not be noticed at all.







                                          share|improve this answer












                                          share|improve this answer



                                          share|improve this answer










                                          answered Dec 3 '18 at 13:55









                                          Kaël

                                          336210




                                          336210























                                              6














                                              When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.



                                              Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.



                                              A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.



                                              Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.



                                              And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need different and new exploit. You burned your exploit.



                                              Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.



                                              We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.



                                              It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.






                                              share|improve this answer




























                                                6














                                                When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.



                                                Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.



                                                A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.



                                                Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.



                                                And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need different and new exploit. You burned your exploit.



                                                Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.



                                                We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.



                                                It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.






                                                share|improve this answer


























                                                  6












                                                  6








                                                  6






                                                  When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.



                                                  Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.



                                                  A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.



                                                  Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.



                                                  And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need different and new exploit. You burned your exploit.



                                                  Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.



                                                  We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.



                                                  It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.






                                                  share|improve this answer














                                                  When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.



                                                  Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.



                                                  A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.



                                                  Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.



                                                  And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need different and new exploit. You burned your exploit.



                                                  Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.



                                                  We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.



                                                  It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.







                                                  share|improve this answer














                                                  share|improve this answer



                                                  share|improve this answer








                                                  edited Dec 7 '18 at 9:56









                                                  schroeder

                                                  73.3k29160195




                                                  73.3k29160195










                                                  answered Dec 4 '18 at 19:27









                                                  Yakk

                                                  44027




                                                  44027























                                                      5














                                                      Another reason is they can't use it (optimally) at the moment. Examples are:




                                                      • They might have a specific target like a diplomat in mind but the exploit requires to be in the same Ethernet-/WiFi-network or physical access. So they have to wait until this condition is met or arrange it so the condition is met.


                                                      • They don't have enough information about the target yet. For example they need to find out a way on which server the interesting information is hosted. If they use the exploit to soon before finding the files, the more likely it is they are detected and the exploit gets burned.


                                                      • They currently don't have the resources/manpower to launch the attack because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).


                                                      • They lack of other tools required to use effectively. The might have an Email exploit to run their code when the victim opens the mail but all their RAT-tools/botnet-clients/ransom-ware is currently detected by all virus scanner, so it would be useless to burn it.







                                                      share|improve this answer




























                                                        5














                                                        Another reason is they can't use it (optimally) at the moment. Examples are:




                                                        • They might have a specific target like a diplomat in mind but the exploit requires to be in the same Ethernet-/WiFi-network or physical access. So they have to wait until this condition is met or arrange it so the condition is met.


                                                        • They don't have enough information about the target yet. For example they need to find out a way on which server the interesting information is hosted. If they use the exploit to soon before finding the files, the more likely it is they are detected and the exploit gets burned.


                                                        • They currently don't have the resources/manpower to launch the attack because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).


                                                        • They lack of other tools required to use effectively. The might have an Email exploit to run their code when the victim opens the mail but all their RAT-tools/botnet-clients/ransom-ware is currently detected by all virus scanner, so it would be useless to burn it.







                                                        share|improve this answer


























                                                          5












                                                          5








                                                          5






                                                          Another reason is they can't use it (optimally) at the moment. Examples are:




                                                          • They might have a specific target like a diplomat in mind but the exploit requires to be in the same Ethernet-/WiFi-network or physical access. So they have to wait until this condition is met or arrange it so the condition is met.


                                                          • They don't have enough information about the target yet. For example they need to find out a way on which server the interesting information is hosted. If they use the exploit to soon before finding the files, the more likely it is they are detected and the exploit gets burned.


                                                          • They currently don't have the resources/manpower to launch the attack because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).


                                                          • They lack of other tools required to use effectively. The might have an Email exploit to run their code when the victim opens the mail but all their RAT-tools/botnet-clients/ransom-ware is currently detected by all virus scanner, so it would be useless to burn it.







                                                          share|improve this answer














                                                          Another reason is they can't use it (optimally) at the moment. Examples are:




                                                          • They might have a specific target like a diplomat in mind but the exploit requires to be in the same Ethernet-/WiFi-network or physical access. So they have to wait until this condition is met or arrange it so the condition is met.


                                                          • They don't have enough information about the target yet. For example they need to find out a way on which server the interesting information is hosted. If they use the exploit to soon before finding the files, the more likely it is they are detected and the exploit gets burned.


                                                          • They currently don't have the resources/manpower to launch the attack because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).


                                                          • They lack of other tools required to use effectively. The might have an Email exploit to run their code when the victim opens the mail but all their RAT-tools/botnet-clients/ransom-ware is currently detected by all virus scanner, so it would be useless to burn it.








                                                          share|improve this answer














                                                          share|improve this answer



                                                          share|improve this answer








                                                          edited Dec 4 '18 at 4:37









                                                          forest

                                                          32k1598108




                                                          32k1598108










                                                          answered Dec 3 '18 at 19:27









                                                          H. Idden

                                                          1,724514




                                                          1,724514






























                                                              draft saved

                                                              draft discarded




















































                                                              Thanks for contributing an answer to Information Security Stack Exchange!


                                                              • Please be sure to answer the question. Provide details and share your research!

                                                              But avoid



                                                              • Asking for help, clarification, or responding to other answers.

                                                              • Making statements based on opinion; back them up with references or personal experience.


                                                              To learn more, see our tips on writing great answers.





                                                              Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                                                              Please pay close attention to the following guidance:


                                                              • Please be sure to answer the question. Provide details and share your research!

                                                              But avoid



                                                              • Asking for help, clarification, or responding to other answers.

                                                              • Making statements based on opinion; back them up with references or personal experience.


                                                              To learn more, see our tips on writing great answers.




                                                              draft saved


                                                              draft discarded














                                                              StackExchange.ready(
                                                              function () {
                                                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198951%2fwhy-would-an-attacker-ever-want-to-sit-on-a-zero-day-exploit%23new-answer', 'question_page');
                                                              }
                                                              );

                                                              Post as a guest















                                                              Required, but never shown





















































                                                              Required, but never shown














                                                              Required, but never shown












                                                              Required, but never shown







                                                              Required, but never shown

































                                                              Required, but never shown














                                                              Required, but never shown












                                                              Required, but never shown







                                                              Required, but never shown







                                                              Popular posts from this blog

                                                              AnyDesk - Fatal Program Failure

                                                              How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

                                                              QoS: MAC-Priority for clients behind a repeater