Organized cybercriminals with money to burn are fueling a spike in the use of powerful, expensive zero-day hacking exploits, new research has found.
Zero-days exploits, which help grant a hacker access to a chosen target, are so called because cyber-defenders have had zero days to fix the newly discovered holes—making the tools extraordinarily capable, dangerous, and valuable. At the highest end, zero-days can cost more than a million dollars to buy or develop. For that reason, they have historically been found in the arsenals of the most sophisticated state-sponsored cyberespionage groups on Earth.
But new research from the cybersecurity firm Mandiant shows that in a record-breaking year for hacking attacks, the proportion of zero-days exploited by cybercriminals is growing. One-third of all hacking groups exploiting zero-days in 2021 were financially motivated criminals as opposed to government-backed cyberespionage groups, according to Mandiant’s research. During the last decade, only a very small fraction of zero-days were deployed by cybercriminals. Experts believe the rapid change has to do with the illicit, multibillion-dollar ransomware industry.
“Ransomware groups have been able to recruit new talent and to use the resources from their ransomware operations and from the insane amounts of revenue they’re pulling in in order to focus on what was once the domain of state-sponsored [hacking] groups,” says James Sadowski, a researcher with Mandiant.
Zero-days are typically bought and sold in the shadows, but what we do know shows just how much money is at play. A recent MIT Technology Review report detailed how an American firm sold a powerful iPhone zero-day for $1.3 million. Zerodium, a zero-day vendor, has a standing offer to pay $2.5 million for any zero-day that gives the hacker control of an Android device. Zerodium then turns around and sells the exploit to another organization—perhaps an intelligence agency—at a significant markup. Governments are willing to pay that kind of money because zero-days can be an instant trump card in the global game of espionage, potentially worth more than the millions an agency might spend.
But they’re clearly worth a lot to criminals too. One particularly aggressive and adept ransomware group, known by the code name UNC2447, exploited a zero-day vulnerability in SonicWall, a virtual private network tool used in major corporations around the world. After the hackers gained access, they used ransomware and then pressured victims to pay by threatening to tell the media about the hacks or sell the firms’ data on the dark web.
Maybe the most famous ransomware group of recent history is Darkside, the hackers who caused the shutdown of the Colonial Pipeline and ultimately a fuel shortage for the eastern United States. Sadowski says they too exploited at least one zero-day during their short but intense period of activity. Soon after becoming world famous and attracting all the unwanted law enforcement attention that comes with fame, Darkside shuttered, but since then the group may simply have rebranded.
For a hacker, the next best thing after a zero-day might be a one- or two-day vulnerability—a security hole that has been recently discovered but has not yet been fixed by that hacker’s potential targets around the world. Cybercriminals are making rapid advances in that race, too.
Cybercrime groups “are picking up state-sponsored threat actors’ zero-days at a quicker pace,” says Adam Meyers, senior vice president of intelligence at the security firm Crowdstrike. The criminals observe the zero-days being used and then sprint to co-opt the tools for their own purposes before most cyber-defenders know what’s happening.
“They quickly figure out how to use it, and then they leverage it for continued operations,” says Meyers.
To support MIT Technology Review’s journalism, please consider becoming a subscriber.
Cybercriminals can recruit and pay for technical talent because they are making more money than ever. And the prospect of further payoffs is a huge incentive to move quickly to adopt zero-days for their own purposes.
Last year, Chinese-government-sponsored hacking groups began targeting Microsoft Exchange email servers with zero-day attacks in a widespread campaign led by some of the country’s most sophisticated cyberespionage operators. As is the case wherever there are predators, scavengers followed. Financially motivated cybercriminals had their hands on the once-exclusive tool within days.