For Sale - Dark Web Exploits

Uploaded on 2021-07-17 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Updating and patching to protect against vulnerabilities as soon as they become known is vital but it's not just Zero-Day exploits that security teams need to worry about. For cyber criminals, buying a proven exploit off the shelf on the Dark Web has the advantage of something known to be effective, where all the hard work has already been done for the buyer.

Indeed, researchers at Trend Micro have found that 22% of exploits for sale in underground forums are more than three years old, emphasising the importance that organisations should place on patching vulnerabilities that pose the greatest risk to their organisation, not just the latest ones.

A new report Trend Micro reveals a decline in the market for Zero-Day over the past two year, driven in part by the  the rise of Access-as-a-Service, the new force in the exploit market. Access-as-a-Service has the advantages of an exploit, but all the hard work has already been done for the buyer, with underground prices starting at $1,000.  

The lifespan of a vulnerability or exploit does not depend on when a patch becomes available to stop it. In fact, older exploits are cheaper and therefore may be more popular with criminals shopping in underground forums and virtual patching remains the best way to mitigate the risks of known and unknown threats to your organisation.

The report reveals several risks of legacy exploits and vulnerabilities, including:

  • The oldest exploit sold in the underground was for CVE-2012-0158, a Microsoft RCE.
  • CVE-2016-5195, known as the Dirty Cow exploit, is still ongoing after five years.
  • 47% of cyber criminals looked to target Microsoft products in the past two years.

These trends are combining to create greater risk for organizations. With nearly 50 new CVEs released per day in 2020, the pressure on security teams to prioritize and deploy timely patches has never been greater, and it’s showing. 

Today, the time to patch averages nearly 51 days for organizations patching a new vulnerability. To cover that gap in security protection, virtual patching is key. It is based on intrusion prevention technology and offers a hassle-free way to shield vulnerable or end-of-life systems from known and unknown threats indefinitely. Applying all available vulnerability patches can be a nearly impossible task for any organisation. It is simply unrealistic for organisations to have their systems be completely invulnerable. Virtual patching is one way for organisations to buy additional time needed for security teams to implement the necessary updates, making it a crucial aspect of patch management. 

While several patch prioritisation approaches exist for vulnerability management, organisations should  factor into the equation the exploits that cyber criminals actually wish to use and can purchase, rather than simply patching vulnerabilities based on severity. 

Since vendors and manufacturers need time to come up with and deploy the necessary patches and upgrades upon the disclosure of a vulnerability, these temporary fixes give them time for permanent solutions, as well as help avoid unnecessary downtime for organisations to implement patches at their own pace. This is especially important when it comes to zero-day vulnerabilities since virtual patches protect systems and networks by serving as an additional security layer from both known and unknown exploits. 

Trend Micro's researchers saw the price of an exploit continually drop over time until it eventually fell to zero, making the exploit progressively more accessible to more cyber criminals as time passed and allowing more malicious actors to incorporate the exploit for the vulnerability into their cyber criminal business models. 

The longevity of a valuable exploit is longer than you might reasonably expect and this is vital information for anyone who manages their organisation’s patch management program, since addressing yesterday’s popular vulnerability can often be more important than addressing today’s critical one. 

Trend Micro:      Trend Micro:   

You Might Also Read:
 

Avoiding Arrest: Cyber Criminals Share Dark Web Secrets:

 

« Microsoft Buys RiskIQ
IISS: Cyber Capabilities & National Power Rankings »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DoSarrest Internet Security Ltd

DoSarrest Internet Security Ltd

DOSarrest is a fully managed security firm specializing in cloud based DDoS protection services to a worldwide client base.

StackRox

StackRox

StackRox delivers a container-native security platform that adapts detection and response to new threats.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

Lynx Technology Partners

Lynx Technology Partners

Lynx Technology Partners is a full service, full life-cycle risk-based security consulting firm.

Sliced Tech

Sliced Tech

Sliced Tech provides enterprise grade managed Cloud services, including Security-as-a-Services, aimed at meeting the needs of commercial and government clients from within Australia.

Think Cyber Security (ThinkCyber)

Think Cyber Security (ThinkCyber)

ThinkCyber is a Tel Aviv-based Israeli company with a team of cybersecurity professionals who are experts in both information and operations technology.

Safe Security

Safe Security

Safe Security (formerly Lucideus) provides Cyber risk assessment services and platforms to multiple Fortune 500 companies and governments across the globe.

TAV Technologies

TAV Technologies

TAV Technologies is a provider of technology services to the aviation industry in areas including airport infrastructure systems, digital transformation and cybersecurity.

BridgingMinds Network

BridgingMinds Network

BridgingMinds Network is an industry leading best practices and IT security training provider in Singapore.

Cyber Security Services

Cyber Security Services

Cyber Security Services is a cyber security consulting firm and security operations center (SOC).

Com Olho

Com Olho

Com Olho provides the measurement, analytics, quality assurance, and fraud protection technologies brands need for their business and customers.

Bosch Global Software Technologies (BGSW)

Bosch Global Software Technologies (BGSW)

Bosch Global Software Technologies offer an advanced innovation for AI security. The Bosch AIShield is the definite answer to safeguard your business against model extraction attacks.

Banyax

Banyax

Banyax provides 24×7 real-time Cyber Defense Center Services using the latest technology tools to provide state-of-the-art defense.

Avalor

Avalor

Avalor are on a mission to help security teams make faster, more accurate decisions by making sense of their data. With Avalor you can bring in data from anywhere, normalize it and analyze it.

HWG

HWG

HWG is a company specialized in providing cyber security solutions and consulting services.

turingpoint

turingpoint

turingpoint GmbH is a tech enabled boutique consultancy. It was founded by security experts with a focus on cyber security and software solutions.