A scammer has been attempting to take advantage of the buzz around two new, unpatched Microsoft Exchange vulnerabilities by attempting to sell phoney zero-day exploits which take advantage of the flaws. Fake zero-day – or previously unknown – vulnerabilities are becoming increasingly common, with cybercriminals taking advantage of high demand and spreading malware under the guise of Proof-of-Concept (PoC) for the exploits.
The latest Microsoft Exchange vulnerabilities were discovered last week. MSFT has confirmed they have already been used in targeted attacks, so it is no surprise more criminals are looking to take advantage.
Repositories have been posted on the popular coding platform GitHub containing fake PoC exploits for the Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities. PoC exploits attempt to demonstrate a weakness in a system or piece of software, and the repositories have been posted using the names of researchers such as Kevin Beaumont, who regularly documents Exchange security issues online.
The repositories contain a readme file featuring a description of a PoC for one of the Microsoft Exchange server zero-day vulnerabilities, alongside a price in bitcoin. The spoof accounts have since been removed.
Other criminals are making similar claims. A supposed pre-authorisation exploit for the Microsoft Exchange vulnerability is being offered for a sale on Russian-speaking, dark web forum Exploit for $50,000.
In May, researchers reported that GitHub was hosting malicious software disguised as PoC exploits for other Microsoft Windows vulnerabilities. The fake PoC exploits were delivered as executable files that could provide a back door into a system.
However, what they actually did was display fake messages of a failed attempt to exploit the particular vulnerability, then run a hidden PowerShell command that delivered malware. GitHub subsequently removed the files.
Fake zero-day exploits increase risks for buyers
Zero-day exploits are in high demand among governments and makers of spyware such as NSO Group’s controversial Pegasus software. The most sought-after flaws come with a hefty price tag with a zero-day vulnerability in Apple’s iOS operating system put on sale for €8m earlier this year.
A number of brokers exist in the market, who will buy zero days from hackers or security researchers who discover them, then sell them on to a buyer. But with no way of knowing whether these exploits are genuine prior to making a purchase, buying one comes with a high level of risk. Despite this, larger spyware companies are often willing to take a gamble in the hope of obtaining a useful vulnerability.
“Zero-day exploits are of high interest for the security community, which makes it a good subject for scams,” says Anton Shipulin, cybersecurity evangelist at Nozomi Networks.
Dr Max Smeets, director of the European Cyber Conflict Research Initiative, agrees. Bigger companies “will sometimes buy zero days to integrate them into their larger frameworks”, he says. For smaller organisations, however, the risk may be too great. “If you buy an exploit, do you have an internal team that can actually evaluate how good the exploit is?,” Smeets asks. “If you are a tiny spyware company with five employees, you’re much less able to do that.”
Will the fake Exchange zero days change the market
According to Google’s Project Zero, which tracks zero-day exploits across major software, 24 previously unknown vulnerabilities have been unearthed in 2022. Last year there were 59 such exploits discovered, the highest number since Project Zero began tracking in 2014.
While scams are unlikely to affect the higher end of the zero-day trading market, they will have implications elsewhere, Smeets says, putting more power in the hands of brokers to verify whether an exploit is real. “It’s damaging and will change the way the market functions,” he says. “Increasingly brokers are seen as the trusted party.”
Others say the market is likely to regulate itself and flush out sellers of phoney zero days. “It’s a matter of ‘caveat emptor’ – let the buyer beware,” explains Jason Steer, CISO at security vendor Recorded Future. “The purchaser will need to do their own due diligence and decide whether it’s worth the payment or not. If you sell poor code your reputation will be damaged quickly, so it is unlikely any purveyor of fake zero days will last long, as the marketplace will share their experiences with everyone else.”