Why would an attacker ever want to sit on a zero-day exploit?
I am trying to understand why an attacker would want to wait to use a zero-day exploit.
I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.
Question: What factors would cause the attacker to wait to use a zero-day exploit?
zero-day
10
Besides being randomly discovered by others, two things can spoil a zero day. First of all, you use it and it gets detected. And secondly, you sell it, which also increases the likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said, it can be a long time until a used zero day is discovered if you are careful.)
– eckes
Dec 3 '18 at 8:15
36
Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
– Harper
Dec 4 '18 at 0:16
23
If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
– HenricF
Dec 4 '18 at 10:39
6
@Harper Ha ha... Everyone is foreign to someone... :-)
– Marcel
Dec 4 '18 at 14:47
8
@forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
– barbecue
Dec 5 '18 at 14:13
asked Dec 3 '18 at 0:33
jonem
7 Answers
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
The 0day may be useless on its own, needing to be chained with other exploits to work.
There was some interesting research presented at BH US which analyzed the life of 0days.
edited Dec 3 '18 at 9:18
answered Dec 3 '18 at 3:09
forest
41
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
1
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
3
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
8
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
The 0 day depends on another vulnerability being discovered to be effectively used. For example, you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way, where you'd like another 0 day to chain after the one you currently have.
The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once, because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.
Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program).
answered Dec 3 '18 at 4:51
Anon
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
Maybe an attacker with a 0day is waiting for a good opportunity.
Most targets have their highs and lows. If one's goal is to wreak havoc and do as much damage as possible, then using a 0day immediately after uncovering it might not be the best idea.
Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Others have critical periods when they launch a new product or handle a particularly sensitive set of data.
Exploiting the vulnerability before such an event means there's a risk it'll be discovered before the event happens, and so the attacker loses an opportunity to hit pretty hard.
If he waits until he knows enough about a target to strike exactly where and, more importantly, when it hurts, it will be a jackpot.
In 2017, there was a crypto-ransomware campaign that targeted companies during lunch hours.
That worked nicely: people locked their computers and went somewhere to eat, and when everyone got back to the office at 2 P.M. everything was already enciphered. No one was there to ring the alarm bell.
Now apply this attack just before an important board meeting at the end of the financial year, or during a period of media attention on the target. It could severely damage the target's image and cost millions if not billions, while performing the attack at some other point might not be noticed at all.
When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it: next to impossible.
Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.
A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.
Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.
And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need a different, new exploit. You burned your exploit.
Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.
We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.
It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.
Another reason is that they can't use it (optimally) at the moment. Examples are:
They might have a specific target like a diplomat in mind, but the exploit requires being on the same Ethernet/WiFi network or having physical access. So they have to wait until this condition is met, or arrange for it to be met.
They don't have enough information about the target yet. For example, they need to find out on which server the interesting information is hosted. If they use the exploit too soon, before finding the files, it is more likely that they are detected and the exploit gets burned.
They currently don't have the resources/manpower to launch the attack because they are occupied with another target, or the employees of the department that launches the attacks are currently sick (even bad guys get sick).
They lack other tools required to use it effectively. They might have an email exploit to run their code when the victim opens the mail, but all their RAT tools/botnet clients/ransomware are currently detected by every virus scanner, so it would be useless to burn it.
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
The 0day may be useless on its own, needing to be chained with other exploits to work.
There was some interesting research presented at BH US which analyzed the life of 0days.
41
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
1
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
3
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
8
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
add a comment |
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
The 0day may be useless on its own, needing to be chained with other exploits to work.
There was some interesting research presented at BH US which analyzed the life of 0days.
41
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
1
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
3
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
8
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
add a comment |
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
The 0day may be useless on its own, needing to be chained with other exploits to work.
There was some interesting research presented at BH US which analyzed the life of 0days.
It's more likely that you'll burn a 0day by using it than by sitting on it.
There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.
Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.
There are a few other reasons 0days may be kept for long periods:
Some people simply hoard 0days for the sake of it. This is all too common.
Maybe you borrowed the 0day from someone, in which case burning it would piss them off.
Sometimes a 0day broker is sitting on them while waiting for the right client.
The 0day may be useless on its own, needing to be chained with other exploits to work.
There was some interesting research presented at BH US which analyzed the life of 0days.
edited Dec 3 '18 at 9:18
answered Dec 3 '18 at 3:09
forest
32k1598108
32k1598108
41
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
1
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
3
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
8
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
add a comment |
41
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
1
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
3
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
8
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
41
41
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
"The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
– Paul Draper
Dec 3 '18 at 17:48
1
1
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
What does it mean to "borrow" an exploit?
– Oddthinking
Dec 4 '18 at 21:52
3
3
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
@Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
– forest
Dec 5 '18 at 1:56
8
8
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
@Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
– slebetman
Dec 5 '18 at 2:58
add a comment |
The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.
The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.
Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program)
answered Dec 3 '18 at 4:51
Anon
Because the old ways are the best.
Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result?
Using a 0-day can result in discovery during a forensic response, reducing its value and the number of targets it will remain effective against.
answered Dec 3 '18 at 1:55
McMatty
From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.
Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.
Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.
This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?
edited Dec 3 '18 at 4:02
answered Dec 3 '18 at 3:54
bwDraco
Maybe an attacker with a 0day is waiting for a good opportunity.
Most targets have their highs and lows. If one's goal is to wreak havoc and do as much damage as possible, then using a 0day immediately after uncovering it might not be the best idea.
Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some others have critical periods to launch a new product, or handle a particularly sensitive set of data.
Exploiting the vulnerability that was found before such an event means there's a risk it'll be discovered before the event happens. And so the attacker loses an opportunity to hit pretty hard.
If he waits until he knows enough about a target to strike exactly where and, more importantly, when it hurts, it will be the jackpot.
In 2017, there was a crypto ransomware campaign that targeted companies during lunch hours.
That worked nicely: people locked their computers, went somewhere to eat, and when everyone got back to their office at 2 P.M. everything was already enciphered. No one was there to ring the alarm bell.
Now apply this attack just before an important board meeting at the end of the financial year, or during a period of media attention on the target. It could severely damage the image of this target, and cost millions if not billions, while performing the attack at some other point might not be noticed at all.
answered Dec 3 '18 at 13:55
Kaël
When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.
Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.
A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.
Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.
And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need a different, new exploit. You burned your exploit.
Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.
We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.
It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.
edited Dec 7 '18 at 9:56
schroeder♦
answered Dec 4 '18 at 19:27
Yakk
Another reason is that they can't use it (optimally) at the moment. Examples are:
- They might have a specific target like a diplomat in mind, but the exploit requires being on the same Ethernet/WiFi network or having physical access. So they have to wait until this condition is met, or arrange it so the condition is met.
- They don't have enough information about the target yet. For example, they need to find out on which server the interesting information is hosted. If they use the exploit too soon, before finding the files, it is more likely that they are detected and the exploit gets burned.
- They currently don't have the resources/manpower to launch the attack because they are occupied with another target, or the employees of their department for launching the attacks are currently sick (even bad guys get sick).
- They lack other tools required to use it effectively. They might have an email exploit to run their code when the victim opens the mail, but all their RAT tools/botnet clients/ransomware are currently detected by every virus scanner, so it would be useless to burn it.
edited Dec 4 '18 at 4:37
forest
answered Dec 3 '18 at 19:27
H. Idden
10
Besides being randomly discovered by others two things can spoil a zero day. First of all you use it and it gets detected. And secondly you sell it which also increases likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said it can be a long time until a used zero day is discovered if you are careful)
– eckes
Dec 3 '18 at 8:15
36
Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
– Harper
Dec 4 '18 at 0:16
23
If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
– HenricF
Dec 4 '18 at 10:39
6
@Harper Ha ha... Everyone is foreign to someone... :-)
– Marcel
Dec 4 '18 at 14:47
8
@forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
– barbecue
Dec 5 '18 at 14:13