98

I am trying to understand why an attacker would want to wait to use a zero-day exploit.

I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers), which would render them useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.

Question: What factors would cause the attacker to wait to use a zero-day exploit?

jonem
  • 11
    Besides being randomly discovered by others, two things can spoil a zero-day. First of all, you use it and it gets detected. And secondly, you sell it, which also increases the likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said, it can be a long time until a used zero-day is discovered if you are careful.) – eckes Dec 03 '18 at 08:15
  • 2
    One reason I can think of is they have just enough morals not to use it themselves but not enough to prevent them from selling it and getting the highest price. – Chloe Dec 03 '18 at 18:18
  • 38
    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country... – Harper - Reinstate Monica Dec 04 '18 at 00:16
  • 5
    @Chloe Some people sell exploits, but only sell it to private buyers and never governments (even though government contractors pay higher prices). That makes it far more ethical. – forest Dec 04 '18 at 01:46
  • 24
    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month? – HenricF Dec 04 '18 at 10:39
  • 6
    @Harper Ha ha... Everyone is foreign to someone... :-) – Marcel Dec 04 '18 at 14:47
  • 3
    "cause the **attacker**" - this is your first misconception. Attackers are almost NEVER the people who discover zero-day exploits. They are people who want to hack other people's computers for various reasons. Discoverers of exploits, on the other hand, are typically coders who are curious to see if they can break a piece of software. Sometimes these two personas can be the same person but at different points in time. The moment I myself discover a security bug is almost never at the same time I'm angry at someone. – slebetman Dec 05 '18 at 03:04
  • 7
    If I gave you an illegal gun, would you just start shooting it immediately? Alerting the cops and emptying the clip? No, you would wait for something worth shooting at to come by. – Agent_L Dec 05 '18 at 09:02
  • 1
    @slebetman That's actually not always true. With the exception of big exploit kits like CANVAS and Core Impact, the ones finding 0days very often use them themselves. In fact everyone I know who has found 0days (who hasn't reported them) used it themselves or are keeping it for their own use. – forest Dec 05 '18 at 09:05
  • 3
    Why did the American chess grandmaster Frank Marshall wait several years to unveil his dangerous Marshall Attack in the Ruy Lopez? He wanted a good target for it. He could have used it as soon as he discovered it against weaker players, but kept it for a game against Capablanca (the strongest player in the world at the time). Capablanca won easily, but that is another story. (There is a debate on whether or not Marshall keeping his open secret for years is apocryphal, but it is a standard bit of chess lore). – John Coleman Dec 05 '18 at 10:38
  • 3
    Why are the comments here all being used to provide analogies? – forest Dec 05 '18 at 10:57
  • 1
    @forest You missed my point about the attacker and discoverer may be the same person but at different points in time. I've personally never managed to find an exploit right when I need to use one and I bet it's the same for the people you know – slebetman Dec 05 '18 at 11:29
  • @slebetman Ah you're right, I did miss that. Good point. – forest Dec 05 '18 at 11:29
  • 4
    @forest because analogies are (arguably) fun and potentially enlightening, but are manifestly not answers. – John Coleman Dec 05 '18 at 13:40
  • 10
    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it... – barbecue Dec 05 '18 at 14:13
  • Just the comments here give enough data to plot a good graph of what people on this site would do. Interestingly, not a single person said they'd just spend time trying to find the right honest person to tell so it can get fixed and not exploited. – CL22 Apr 14 '19 at 13:41
  • @CL22 Personally, I'll report a bug I find in an open source project that works against any reasonably secure configuration. If it's for some project that doesn't take security seriously or is out to sue security researchers, then I'll just keep it and it'll get discovered eventually in the form of an in-the-wild exploit. – forest Feb 23 '21 at 00:39

7 Answers

160

It's more likely that you'll burn a 0day by using it than by sitting on it.

There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.

Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.

There are a few other reasons 0days may be kept for long periods:

  1. Some people simply hoard 0days for the sake of it. This is all too common.

  2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.

  3. Sometimes a 0day broker is sitting on them while waiting for the right client.

  4. The 0day may be useless on its own, needing to be chained with other exploits to work.

There was some interesting research presented at BH US which analyzed the life of 0days.

forest
  • 41
    "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.) – Paul Draper Dec 03 '18 at 17:48
  • 1
    What does it mean to "borrow" an exploit? – Oddthinking Dec 04 '18 at 21:52
  • 3
    @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it. – forest Dec 05 '18 at 01:56
  • 9
    @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge. – slebetman Dec 05 '18 at 02:58
42
  1. The 0 day depends on another vulnerability being discovered to be effectively used. For example you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way where you'd like another 0 day to chain after the one you currently have.

  2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.

  3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program).

Anon
27

Because the old ways are the best. Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result? Using an 0-day can result in discovery from a forensics response reducing value and eliminating the number of targets it will be effective against.

McMatty
21

From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.

Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.

Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.

This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?

bwDraco
12

Maybe an attacker with a 0day is waiting for a good opportunity.

Most targets have their highs and lows. If one's goal is to wreak havoc and do as much damage as possible, then using a 0day immediately after uncovering it might not be the best idea.

Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some others have critical periods to launch a new product, or handle a particularly sensitive set of data.

Exploiting the vulnerability that was found before such an event means there's a risk it'll be discovered before the event happens. And so the attacker loses an opportunity to hit pretty hard.

If he waits until he knows enough about a target to strike exactly where and, more importantly, when it hurts, it will be a jackpot.

In 2017, there was a crypto ransomware campaign that targeted companies during lunch hours.

That worked nicely: people locked their computers, went somewhere to eat, and when everyone got back to their office at 2 P.M. everything was already enciphered. No one was there to ring the alarm bell.

Now apply this attack just before an important board meeting at the end of the financial year, or during a period of media attention on the target. It could severely damage the image of this target, and cost millions if not billions, while performing an attack at some other point might not be noticed at all.

Kaël
6

When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.

Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.

A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.

Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.

And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need a different, new exploit. You burned your exploit.

Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.

We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.

It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.

Yakk
5

Another reason is they can't use it (optimally) at the moment. Examples are:

  • They might have a specific target like a diplomat in mind, but the exploit requires being on the same Ethernet/WiFi network or having physical access. So they have to wait until this condition is met, or arrange it so the condition is met.

  • They don't have enough information about the target yet. For example, they need to find out on which server the interesting information is hosted. The sooner they use the exploit before finding the files, the more likely it is they are detected and the exploit gets burned.

  • They currently don't have the resources/manpower to launch the attack because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).

  • They lack other tools required to use it effectively. They might have an email exploit to run their code when the victim opens the mail, but all their RAT tools/botnet clients/ransomware are currently detected by every virus scanner, so it would be useless to burn it.

H. Idden