Everybody knows that malware is now a constant and persistent threat to companies.
Attacks like those of the Egregor group against the South American supermarket chain Cencosud and against Vancouver's public transit agency TransLink, the SolarWinds supply-chain compromise, which gave the attackers a foothold inside US government agencies and large companies and laid bare how critical the software supply chain is, or the increasingly frequent attacks on hospitals and other healthcare facilities describe a genuine war scenario that poses enormous risks to our society.
With more and more of our economy moving online, nobody is 100% safe today, neither small nor large organizations. This is also because, while much of the political world is still not discussing security rules, guidelines and regulations, cybercrime has long been organized and operates according to clear business models, always managing to stay one step ahead of everyone.
The common denominator of all these criminal groups is an operating model dictated by a business in exponential growth, whose mantra could be summed up as: malware is not sold, it is rented.
Those who develop it hire other groups to distribute it, for example by running targeted phishing campaigns, while others take care of collecting and moving the extortion money.
The "customers" of these groups need no computer skills. They just rent the complete platform of services they need to hit a competing company or a nation state and share the spoils with their accomplices. It is also clear that it is increasingly difficult for investigators to trace an attack back to its originator, which means that, for the most part, the attackers remain unknown, unpunished and free.
In such a scenario, vulnerability hunting has without a doubt become the favorite sport of attackers, because it is the key to an easy win.
And it is precisely this topic I would like to address in this article, without pretending to exhaust it: covering every aspect of computer vulnerabilities is, at least for me, not difficult but simply impossible. Let us not forget that the world of IT vulnerabilities is an ever-expanding field that concerns every single component of a computer system, and beyond.
Computer vulnerabilities can be thought of as malfunctions, misconfigurations or, simply, errors present in a system that expose it to risk.
The cataloguing of IT vulnerabilities can be summarized in three macro categories:
Software: malfunctions and errors in writing the code, such that any action the software performs, towards the outside or internally, can give rise to a vulnerability.
Protocols: to simplify the concept, these are security gaps in the communication between the technologies present in a computer system.
Hardware: flaws in the design or implementation of a physical component that an attacker can exploit regardless of how correct the software running on it is.
The range of vulnerabilities is extremely wide, as is the range of risks they carry with them. The United States government's National Vulnerability Database (NVD), fed by the CVE (Common Vulnerabilities and Exposures) list, currently holds over 150,000 entries.
Very famous cases of weaponized vulnerabilities are, without a shadow of a doubt, Windows CVE-2017-0144, the SMBv1 flaw that the EternalBlue exploit turned into the entry point for the WannaCry ransomware, and the Mirai botnet, which spread mostly by logging into IoT devices with factory-default Telnet credentials, with later variants adding exploits for a growing list of known vulnerabilities.
If it is true that code quality must improve to avoid vulnerabilities, it is equally true that awareness of the risk vulnerabilities carry does not seem widespread, at least according to the Check Point Security Report 2021, which highlights that in 2020, 75% of attacks exploited vulnerabilities that were at least two years old. In particular:
three out of four attacks exploited bugs reported in 2017 or earlier;
18% of attacks used vulnerabilities disclosed in 2013 or earlier.
Positive Technologies, for its part, found that 26% of companies remain vulnerable to the WannaCry ransomware because they have not yet deployed the fix.
So far we have talked about vulnerabilities that, if you will pardon the term, we can call "ordinary": they can be exploited by anyone without any particular investment, simply by taking advantage of the weaknesses or carelessness of potential victims.
One would therefore say that if we standardized systems, carried out prevention and monitoring and deployed the patches that have been released, the picture would be better than the current one and the risks greatly reduced. We would not be in Wonderland, but we would not witness the massacre we see every day either.
Unfortunately this is not the case, because the world of vulnerabilities also includes the most precious and coveted kind, precious precisely because it is still unknown: the zero-day vulnerability, the object of desire of many cybercriminals, who can exploit it to carry out their actions undisturbed.
Many believe it is called zero-day because it is exploited for the first time on the day the first attack using it is launched. The reason is actually simpler: the vendor of the affected code has had zero days to fix it, because nobody has told them the flaw exists.
Before going further, it is worth pointing out a distinction that may look like a detail but is not:
a zero-day vulnerability is a flaw for which no patch exists yet, because the vendor does not know about it;
a zero-day exploit is the working technique that abuses such an unknown vulnerability, and is therefore lethal if it ends up in the wrong hands.
Unlike known vulnerabilities, I would point out that the ability to exploit a vulnerability of this type is the privilege of a few: much more experienced actors, with considerable resources at their disposal, able to launch massive attack campaigns. It is no coincidence that the share of attacks carried out by exploiting zero-days is far lower than that of attacks exploiting known vulnerabilities.
They are certainly attacks that make noise, that can be devastating, and whose aim may also be to create social unrest. But we will come to that later.
So what makes a zero-day so precious? Why do we talk about a vulnerability trade?
Let us try to answer based on experience. The best-known cases in which a zero-day has been exploited have been nation-state attacks, that is, attacks aimed at the heart of a country, above all its critical infrastructure.
An unknown exploit, in fact, allows you to breach a system practically without being seen, and thus to exfiltrate very delicate and sensitive information even from places where looking for such information is dangerous.
It can also allow an attacker to hit targets, or reach systems, whose tampering can cause damage equal to that of a military strike, without the same expenditure of energy and money.
We can therefore say that exploiting a zero-day can turn it into a cyber-weapon, a computer weapon that is lethal to say the least, and the first example in this sense is the case of Stuxnet. This worm, discovered in 2010, was designed to damage the centrifuges of Iran's Natanz uranium-enrichment facility, and it used four Windows 0-day vulnerabilities to do so. Edward Snowden later confirmed that it was created by the NSA in collaboration with Israeli intelligence to slow down or even stop Iran's nuclear program. The use of 0-day vulnerabilities prevented it from being blocked in the early stages, and it was discovered only because, reportedly, a programming error caused the worm to replicate outside the plant as well.
It was one of the first, if not the first, examples of hybrid warfare fought on a digital battlefield, in which zero-days are akin to stealth weapons invisible to ordinary radar, able to strike the enemy at its heart.
All this has led to the birth of a real zero-day vulnerability market, because it is clear that if you cannot discover them yourself, you buy them, and to do so you must follow the rules of any financial market, where the price is whatever a buyer is willing to pay. It is the classic law of supply and demand, and in this scenario it is also worth remembering that large companies such as Microsoft and Google, in addition to investing in developing their software as securely as possible, spend millions of dollars a year on bug bounty programs to recruit so-called bounty hunters to find weaknesses in their software.
These are professionals who, instead of hunting the bad guy, go looking for a new treasure: the vulnerability no one has discovered yet.
HackerOne published a study showing that the average bounty for a critical software vulnerability is $5,754, while for hardware the value drops to $4,633.
A report from August 2020 states that Microsoft paid $13.7M to researchers who found and reported bugs in its software over the previous twelve months, rewarding 327 researchers, with the largest single award reaching $200,000.
It is evident, however, that beyond everything, a product with these characteristics can attract many buyers, and consequently its price is bound to rise dramatically. And the buyers are not only the good guys, so to speak.
The company Zerodium, for example, trades zero-days much as shares are bought and sold on a stock exchange. Zerodium is one of the best-known firms buying and reselling zero-day exploits. What the American company does, in practice, is scour the market for newly discovered bugs and exploits, usually from developers and hackers, and buy the exclusive "rights" to them.
Chaouki Bekrar, its founder, said some years ago that he deals only with democratic governments, and that he also provides them with information on how to defend against the vulnerabilities.
Bekrar, in fact, has his own theory: by limiting the spread of a zero-day to a few companies and governments, abuses are reduced compared with full disclosure.
Try reading between the lines of the tweet quoted at the end of this article and you will understand what we are talking about.
What can happen is that a government, once it acquires an exploit from Zerodium, may decide to hand it to its law enforcement or intelligence services and use it in whatever operations it deems appropriate.
The question is: "What are those operations?". In all probability you will by now have understood that we are not in Heaven, but in a world where everything is governed by business and, unfortunately, everything is a commodity.
Before founding Zerodium, Bekrar worked for Vupen, a well-known French exploit broker. With Vupen's team, Bekrar bypassed Google Chrome's security at Pwn2Own 2012, the hacking contest run by HP's Zero Day Initiative.
Rather than hand over the full details required to claim the $60,000 that Google offered for a complete Chrome exploit, Bekrar stated that his company would not reveal for any sum in the world how it had broken into the browser, and that it far preferred to sell the information to its customers rather than collect the prize.
And who were his customers? And above all, what did they buy?
Just browse a few of the emails in the Hacking Team leak to get the answer and, above all, to understand the scale of it.
I believe there is a truth that few say out loud and that prevents full awareness of what is happening in cyber security: governments and multinationals have a vested interest in having information before everyone else.
Have you ever heard of James Bond? Of espionage? Of course you have. Espionage has always existed, and in its modern version zero-day vulnerabilities are its most powerful weapon.
Hacking Team's Galileo system, built on top of undisclosed vulnerabilities bought through intermediaries such as Vupen, carried this wording in its brochure: "Remote Control System: the hacking suite for governmental interception. Right at your fingertips."
At this point you may ask: "If someone wants to buy one of these very useful vulnerabilities, where should they look? Who should they ask?"
Given everything said so far, is it plausible that simply by searching the net anyone could find a vulnerability that others pay millions of dollars for?
Well, I would say with almost absolute certainty that the answer is no, unless the vulnerability has already been widely used and resold many times, which would certainly make it more readily available.
To make the point even clearer: a very recent exploit that grants access to a system and deserves the name zero-day is not found lying around on the net, and the reason is obvious: it costs too much!
Maybe it is online, but not on any marketplace; rather sitting who knows where, waiting for a million-dollar transaction. Or, just as easy to imagine, those who work on it are already on some well-known payroll...
We could go on speculating for a long time, but one fact is certain and intuitive, given that it is an underground market: the transactions, the buyers and the sellers all remain secret to most.
What can be done to defend ourselves, and what can companies do better to develop more secure code?
The second question, above all, is objectively hard to answer.
It is a fact that the computing giants are using increasingly sophisticated systems to analyze and check their code. They take advantage of automation and regular review cycles, but errors are always present, unfortunately. If it is true that so far we have not managed to eliminate the error, and who knows if we ever will, patch release times have at least been drastically reduced, and that is undoubtedly a positive.
In any case, it is hard to limit the danger posed by this type of vulnerability, especially in the world of smartphones and tablets on 3G, 4G or 5G networks.
What is possible is to scrutinize the data crossing a telecommunications network by analyzing packets in a more advanced way, with next-generation firewalls able to inspect traffic and separate the "good" from the "bad", and therefore to mitigate an attack directed at a zero-day vulnerability. The caveat is that such devices can only judge traffic they are able to inspect: encrypted flows they do not terminate, or protocols they do not understand, pass through unexamined.
It is necessary to review logical architectures following the best practices that operating-system and application vendors provide, rather than trying to bend those practices to company policies that often act as a brake on their correct use.
Solutions and tools for real-time monitoring using analytics based on machine learning and artificial intelligence are another means of preventing risks.
We need to change the cultural model and move preventive security and vulnerability checks ever closer to their origin, placing them in the chain where software, virtual machines, containers, cloud resources and more are built.
It is also worth stressing that good preventive digital hygiene, combined with threat intelligence systems, would greatly reduce the exposed surface, preventing it from becoming an attackable surface.
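As an added, runnable illustration of two points made above, that most successful attacks ride on vulnerabilities that have been public for years and that vulnerability checks belong in the build and deployment chain, here is a small patch-age gate in Python. It is not code from the article or from any vendor mentioned in it. The advisory feed, the inventory, the product names, versions, dates and EXAMPLE-… identifiers are all constructed sample data (they are not real CVEs), the as-of date is fixed so the run is reproducible, and the 365-day threshold is an arbitrary policy choice. The script matches each inventory item against advisories for the same product, flags installed versions below the first fixed release, reports how long each flaw has been public and fails when any exposure is older than the threshold.

```python
"""Patch-age exposure gate: match an asset inventory against an advisory
list, flag components running a version below the fixed one, and fail when
a flaw has been public for longer than policy allows.

Added illustration, not code from the article. All identifiers, products,
versions and dates below are constructed sample data, not real advisories.
"""
import json
from datetime import date

# Constructed advisory feed in the shape a CVE/NVD-style export might take:
# id, affected product, first fixed version, date the advisory was published.
# The EXAMPLE-* ids are placeholders, not real CVE identifiers.
ADVISORIES_JSON = """
[
  {"id": "EXAMPLE-0001", "product": "exampled", "fixed_in": "2.4.1", "published": "2017-03-14"},
  {"id": "EXAMPLE-0002", "product": "exampled", "fixed_in": "2.6.0", "published": "2020-11-02"},
  {"id": "EXAMPLE-0003", "product": "libfoo",   "fixed_in": "1.9.0", "published": "2013-08-20"}
]
"""

# Constructed inventory, e.g. exported from a package manager or an SBOM.
INVENTORY_JSON = """
[
  {"host": "web-01", "product": "exampled", "version": "2.3.9"},
  {"host": "web-02", "product": "exampled", "version": "2.5.2"},
  {"host": "db-01",  "product": "libfoo",   "version": "1.10.3"},
  {"host": "db-01",  "product": "barsvc",   "version": "0.1.0"}
]
"""


def parse_version(v):
    """Split a dotted numeric version into an integer tuple so that
    "1.10.3" compares greater than "1.9.0" (a plain string comparison
    would get this wrong and report a patched host as vulnerable).
    Simplification: real ecosystems (PEP 440, semver, RPM/deb epochs)
    have their own rules and should use a proper version library."""
    return tuple(int(part) for part in v.split("."))


def find_exposures(inventory, advisories, today):
    """Return one record per (host, advisory) where the installed version is
    older than the fixed version, with the advisory's age in days."""
    exposures = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                published = date.fromisoformat(adv["published"])
                exposures.append({
                    "host": item["host"],
                    "product": item["product"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "cve": adv["id"],
                    "age_days": (today - published).days,
                })
    return exposures


def gate(exposures, max_age_days=365):
    """Build/deploy gate: fail if any exposure has been public for more than
    max_age_days (arbitrary policy value). Returns (passed, stale records)."""
    stale = [e for e in exposures if e["age_days"] > max_age_days]
    return (len(stale) == 0, stale)


def run(today=date(2021, 9, 1)):
    """Evaluate the constructed inventory against the constructed advisories
    as of a fixed date (chosen so the output is reproducible)."""
    inventory = json.loads(INVENTORY_JSON)
    advisories = json.loads(ADVISORIES_JSON)
    exposures = find_exposures(inventory, advisories, today)
    passed, stale = gate(exposures)
    return exposures, passed, stale


if __name__ == "__main__":
    exposures, passed, stale = run()
    for e in sorted(exposures, key=lambda e: -e["age_days"]):
        print(f'{e["host"]:7} {e["product"]:9} {e["installed"]:>7} < {e["fixed_in"]:<7} '
              f'{e["cve"]} public for {e["age_days"]} days')
    print("GATE:", "PASS" if passed else f"FAIL ({len(stale)} stale exposures)")
```

Running the module prints the exposures ordered by age and the gate verdict: two hosts are exposed, and the gate fails because one of them is running a version vulnerable to a flaw published in 2017, the same kind of years-old bug the Check Point figures above describe. The db-01 host on libfoo 1.10.3 is correctly left alone, which is the reason versions are compared as numeric tuples rather than strings. In a real pipeline the same find_exposures and gate pair would be fed the actual SBOM and an advisory feed, and would run as a step in the chain where the artifact is built.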
There is no doubt that cyberspace has long been a real battlefield, and the games played there are very high-stakes. I think of the Olympic Destroyer attack on the 2018 PyeongChang Winter Olympics in South Korea, about which I have written on these pages, of the Sony breach, of the Cyber Caliphate, or, more recently, of SolarWinds and Kaseya, and of the other attacks that mark the birth of cyber wars with one and only goal: to conquer information.
Chaouki Bekrar on Twitter: "What a researcher should do with his/her 0day? 1. Full disclosure so anyone/Govs can (ab)use it without limits/regulation 2. Sell to Govs/brokers and get a decent revenue while limiting (ab)use 3. Report to vendors & get sued, or get shitty bounties and/or your name in advisories"