Criminals Offer Windows Zero-Day For £66,000 In Bitcoin

An unpatched Local Privilege Escalation (LPE) vulnerability in Windows is being touted for sale on an underground market for Russian-speaking cyber criminals.

Researchers at Trustwave said the marketplace allows hackers to buy and sell coding labour, exploit kits, botnets and other wares, but finding a zero day for sale is extremely uncommon, suggesting they could become a “commodity for the masses.”

“Dear friends, I offer you a rare product,” the cybercriminals declare in their zero-day sales pitch. “Exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys.”

Zero Day for sale

The seller said that the buyer would receive the source code of the exploit and a demo of it, technical support, a detailed write-up of the vulnerability, and complimentary consultation on integrating the exploit according to the buyer's needs, among other after-market services.

But of course criminality like this does not come cheap, and the seller is willing to accept offers starting from $95,000 (£66,000) in Bitcoin.

“Do not offer revenue sharing as payment,” the seller warned. “Respect your and my time.”

“It seems the seller has put in the effort to present himself/herself as a trustworthy seller with a valid offering,” said Trustwave. “One of the main indicators for this is the fact that the seller insists on conducting the deal using the forum’s admin as the escrow. In an update posted by the seller on 23rd of May it is stated that the exploit will be sold exclusively to a single buyer.

“Additionally, the seller provides two proof videos for any potential buyers that might be concerned with the validity of the offer.”

The first video apparently shows a fully updated Windows 10 machine being exploited successfully, with the cmd.exe process elevated to the SYSTEM account. The second video shows the exploit successfully bypassing all of EMET's protections in the latest version of the product.

Layered Security

Trustwave noted that while the most coveted zero day would be a Remote Code Execution (RCE) exploit, Local Privilege Escalation vulnerabilities are likely next in line in popularity.

Trustwave said that it has notified Microsoft of the zero day offering and that it continues to monitor the situation. In the meantime it advised Windows users to keep their software up to date, and to bear in mind that protection works best in layers.

The rate of zero day vulnerability discoveries actually doubled in 2015 from 2014, according to Symantec Security Response.

It also said that cybercriminals are adopting corporate best practices and establishing professional businesses to boost the efficiency of their attacks against enterprises and consumers.


Tom Jowitt
