View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 5, 2022

Fake Microsoft Exchange vulnerabilities are further complicating the zero-day exploit market

Criminals are turning to fake zero-day exploits to make a quick buck. This complicates the market for buyers.

By Claudia Glover

A scammer has been attempting to take advantage of the buzz around two new, unpatched Microsoft Exchange vulnerabilities by attempting to sell phoney zero-day exploits which take advantage of the flaws. Fake zero-day – or previously unknown – vulnerabilities are becoming increasingly common, with cybercriminals taking advantage of high demand and spreading malware under the guise of Proof-of-Concept (PoC) for the exploits.

Zero-day scams are on the rise. (Photo by Monticello/Shutterstock)

The latest Microsoft Exchange vulnerabilities were discovered last week. MSFT has confirmed they have already been used in targeted attacks, so it is no surprise more criminals are looking to take advantage. 

Repositories have been posted on the popular coding platform GitHub containing fake PoC exploits for the Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities. PoC exploits attempt to demonstrate a weakness in a system or piece of software, and the repositories have been posted using the names of researchers such as Kevin Beaumont, who regularly documents Exchange security issues online.

The repositories contain a readme file featuring a description of a PoC for one of the Microsoft Exchange server zero-day vulnerabilities, alongside a price in bitcoin. The spoof accounts have since been removed.

Other criminals are making similar claims. A supposed pre-authorisation exploit for the Microsoft Exchange vulnerability is being offered for a sale on Russian-speaking, dark web forum Exploit for $50,000.

In May, researchers reported that GitHub was hosting malicious software disguised as PoC exploits for other Microsoft Windows vulnerabilities. The fake PoC exploits were delivered as executable files that could provide a back door into a system. 

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

However, what they actually did was display fake messages of a failed attempt to exploit the particular vulnerability, then run a hidden PowerShell command that delivered malware. GitHub subsequently removed the files.

Fake zero-day exploits increase risks for buyers

Zero-day exploits are in high demand among governments and makers of spyware such as NSO Group’s controversial Pegasus software. The most sought-after flaws come with a hefty price tag with a zero-day vulnerability in Apple’s iOS operating system put on sale for €8m earlier this year.

A number of brokers exist in the market, who will buy zero days from hackers or security researchers who discover them, then sell them on to a buyer. But with no way of knowing whether these exploits are genuine prior to making a purchase, buying one comes with a high level of risk. Despite this, larger spyware companies are often willing to take a gamble in the hope of obtaining a useful vulnerability.

“Zero-day exploits are of high interest for the security community, which makes it a good subject for scams,” says Anton Shipulin, cybersecurity evangelist at Nozomi Networks. 

Dr Max Smeets, director of the European Cyber Conflict Research Initiative, agrees. Bigger companies “will sometimes buy zero days to integrate them into their larger frameworks”, he says. For smaller organisations, however, the risk may be too great. “If you buy an exploit, do you have an internal team that can actually evaluate how good the exploit is?,” Smeets asks. “If you are a tiny spyware company with five employees, you’re much less able to do that.”

Will the fake Exchange zero days change the market

According to Google’s Project Zero, which tracks zero-day exploits across major software, 24 previously unknown vulnerabilities have been unearthed in 2022. Last year there were 59 such exploits discovered, the highest number since Project Zero began tracking in 2014.

While scams are unlikely to affect the higher end of the zero-day trading market, they will have implications elsewhere, Smeets says, putting more power in the hands of brokers to verify whether an exploit is real. “It’s damaging and will change the way the market functions,” he says. “Increasingly brokers are seen as the trusted party.”

Others say the market is likely to regulate itself and flush out sellers of phoney zero days. “It’s a matter of ‘caveat emptor’ – let the buyer beware,” explains Jason Steer, CISO at security vendor Recorded Future. “The purchaser will need to do their own due diligence and decide whether it’s worth the payment or not. If you sell poor code your reputation will be damaged quickly, so it is unlikely any purveyor of fake zero days will last long, as the marketplace will share their experiences with everyone else.”

Read more: Two Apple zero-day vulnerabilities discovered

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.