For Sale - Dark Web Exploits

Updating and patching to protect against vulnerabilities as soon as they become known is vital but it's not just Zero-Day exploits that security teams need to worry about. For cyber criminals, buying a proven exploit off the shelf on the Dark Web has the advantage of something known to be effective, where all the hard work has already been done for the buyer.

Indeed, researchers at Trend Micro have found that 22% of exploits for sale in underground forums are more than three years old, emphasising the importance that organisations should place on patching vulnerabilities that pose the greatest risk to their organisation, not just the latest ones.

A new report Trend Micro reveals a decline in the market for Zero-Day over the past two year, driven in part by the  the rise of Access-as-a-Service, the new force in the exploit market. Access-as-a-Service has the advantages of an exploit, but all the hard work has already been done for the buyer, with underground prices starting at $1,000.  

The lifespan of a vulnerability or exploit does not depend on when a patch becomes available to stop it. In fact, older exploits are cheaper and therefore may be more popular with criminals shopping in underground forums and virtual patching remains the best way to mitigate the risks of known and unknown threats to your organisation.

The report reveals several risks of legacy exploits and vulnerabilities, including:

  • The oldest exploit sold in the underground was for CVE-2012-0158, a Microsoft RCE.
  • CVE-2016-5195, known as the Dirty Cow exploit, is still ongoing after five years.
  • 47% of cyber criminals looked to target Microsoft products in the past two years.

These trends are combining to create greater risk for organizations. With nearly 50 new CVEs released per day in 2020, the pressure on security teams to prioritize and deploy timely patches has never been greater, and it’s showing. 

Today, the time to patch averages nearly 51 days for organizations patching a new vulnerability. To cover that gap in security protection, virtual patching is key. It is based on intrusion prevention technology and offers a hassle-free way to shield vulnerable or end-of-life systems from known and unknown threats indefinitely. Applying all available vulnerability patches can be a nearly impossible task for any organisation. It is simply unrealistic for organisations to have their systems be completely invulnerable. Virtual patching is one way for organisations to buy additional time needed for security teams to implement the necessary updates, making it a crucial aspect of patch management. 

While several patch prioritisation approaches exist for vulnerability management, organisations should  factor into the equation the exploits that cyber criminals actually wish to use and can purchase, rather than simply patching vulnerabilities based on severity. 

Since vendors and manufacturers need time to come up with and deploy the necessary patches and upgrades upon the disclosure of a vulnerability, these temporary fixes give them time for permanent solutions, as well as help avoid unnecessary downtime for organisations to implement patches at their own pace. This is especially important when it comes to zero-day vulnerabilities since virtual patches protect systems and networks by serving as an additional security layer from both known and unknown exploits. 

Trend Micro's researchers saw the price of an exploit continually drop over time until it eventually fell to zero, making the exploit progressively more accessible to more cyber criminals as time passed and allowing more malicious actors to incorporate the exploit for the vulnerability into their cyber criminal business models. 

The longevity of a valuable exploit is longer than you might reasonably expect and this is vital information for anyone who manages their organisation’s patch management program, since addressing yesterday’s popular vulnerability can often be more important than addressing today’s critical one. 

Trend Micro:      Trend Micro:   

You Might Also Read:
 

Avoiding Arrest: Cyber Criminals Share Dark Web Secrets:

 

« Microsoft Buys RiskIQ
IISS: Cyber Capabilities & National Power Rankings »

Perimeter 81

Directory of Suppliers

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

DigitalStakeout

DigitalStakeout

A simple and cost-effective solution to monitor, investigate and analyze data from the web, social media and cyber sources to identify threats and make better security decisions.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

Digital Defense Inc (DDI)

Digital Defense Inc (DDI)

DDI offers vulnerability scanning, penetration testing, web application testing, social engineering and additional security assessments.

Avast Software

Avast Software

Avast Software is a security software company that develops antivirus software and internet security services.

BGD E-GOV CIRT

BGD E-GOV CIRT

BGD e-GOV CIRT's mission is to support government efforts to develop ICT programs by establishing incident management capabilities within Bangladesh.

ioXt Alliance

ioXt Alliance

The ioXt Alliance is a group of manufacturers, industry alliances and government organizations dedicated to harmonizing best security practices in a highly connected world.

Skrumble Technologies

Skrumble Technologies

Skrumble Network (SKM) is a completely new, innovative blockchain powering an application ecosystem that centers on creating the most secure connections for communication possible.

CyberForum

CyberForum

CyberForum supports businesses from the IT and high-tech industry in all stages of their development: from startup consulting to professional staffing and even location marketing campaigns.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.