The document discusses the modern zero-day exploit market and economy. It describes how vulnerabilities are found by researchers and sold through brokers to various parties, including governments, criminals, and exploit kit creators. It also outlines trends in the market, such as the impact of new mitigations, regulations, and events like Pwn2Own on the sale of exploits. Finally, it shares some examples of vulnerabilities the Zero Day Initiative has helped patch and the conclusion encourages questions.

1. Modern Day Entomology
Examining the Inner Workings of the Bug Bazaar

2. 2 Copyright 2018 Trend Micro Inc.
Director of Vulnerability Research at Trend Micro
Leads the Zero Day Initiative
Organizes Pwn2Own
Approver of Payments
Past Experiences
Lead Developer at Lockheed Martin
Past research:
Microsoft Bounty submission
Patents on Exploit Mitigation Technologies
Bug hunting in many products
BS in Computer Engineering – Texas A&M University
MS in Software Engineering – Southern Methodist University
Twitter: @MaliciousInput
Brian Gorenc

3. Copyright 2018 Trend Micro Inc.3

4. 4 Copyright 2018 Trend Micro Inc.
How it works
Trend Micro Customers Protected Ahead of Patch
Other Network Security Vendor’s Customers at Risk
Vulnerability
submitted to the
ZDI program
Vendor Notified
Digital Vaccine®
Filter Created
Vendor Response
Window
Vulnerability is
Patched or Remains
Unfixed
Public Disclosure

5. Exploit Economy

6. 6 Copyright 2018 Trend Micro Inc.
Economy in Action
Researchers
Finds Bugs
Bug Bounty
Program
Report to
Vendor
Sell Report
$1K - $25K
Signatures
Exploit Kit Creator
$10K - $100K
Vuln Broker
Government
$10K - $1000K
$10K - $1000K
Bot HerderBotnet Creator
Compromises PCs
Sells Kit Rents Botnet
Spammer DDoS Extortion Credential Harvesting
Smart Criminal Make One
Big Purchase
Sells Stolen Creds
Dumb Criminal Buys Beer
& Chips
Re-Sells Stolen Creds
Used
Against??

7. 7 Copyright 2018 Trend Micro Inc.
0
100
200
300
400
500
600
700
800
900
1000
Qtr4
2013
Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
Qtr2
Active economy

8. 8 Copyright 2018 Trend Micro Inc.
Variety
High-Profile
SCADA/IIoT
Infrastructure
Virtualization
IoT
Enterprise
Security
Misc
Open Source
Web
Other
Mobile
Top Vendors

9. 9 Copyright 2018 Trend Micro Inc.
Global economy

10. 10 Copyright 2018 Trend Micro Inc.
Highly-deployed software submissions

11. 11 Copyright 2018 Trend Micro Inc.
SCADA submissions

12. 12 Copyright 2018 Trend Micro Inc.
Lessons learned from Hacking Team

13. 13 Copyright 2018 Trend Micro Inc.
Lucrative business

14. 14 Copyright 2018 Trend Micro Inc.
How to buy 0-day: Consultancy Services

15. 15 Copyright 2018 Trend Micro Inc.
How to buy 0-day: Vulnerability Brokers

16. 16 Copyright 2018 Trend Micro Inc.
Payments and Pay Schedules

17. 17 Copyright 2018 Trend Micro Inc.
Exploit Inventory

18. Market Factors
and Trends

19. 19 Copyright 2018 Trend Micro Inc.
0
5
10
15
20
25
30
35
40
Qtr1
2011
Qtr2 Qtr3 Qtr4 Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4
Browser Click-to-Play Intervention

20. 20 Copyright 2018 Trend Micro Inc.
0
10
20
30
40
50
60
70
80
90
100
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
New Mitigations

21. 21 Copyright 2018 Trend Micro Inc.
0
10
20
30
40
50
60
70
80
90
100
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
New Mitigations

22. 22 Copyright 2018 Trend Micro Inc.
0
5
10
15
20
25
30
35
40
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
End of Life Announcements

23. 23 Copyright 2018 Trend Micro Inc.
0
20
40
60
80
100
120
140
160
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
Unchecked

24. 24 Copyright 2018 Trend Micro Inc.
0
50
100
150
200
Qtr1
2012
Qtr2 Qtr3 Qtr4 Qtr1
2013
Qtr2 Qtr3 Qtr4 Qtr1
2014
Qtr2 Qtr3 Qtr4 Qtr1
2015
Qtr2 Qtr3 Qtr4 Qtr1
2016
Qtr2 Qtr3 Qtr4 Qtr1
2017
Qtr2 Qtr3 Qtr4 Qtr1
2018
Predicting the Next

25. 25 Copyright 2018 Trend Micro Inc.
New Regulations

26. 26 Copyright 2018 Trend Micro Inc.
Pwn2Own

27. 27 Copyright 2018 Trend Micro Inc.
Targeted Incentive Program (TIP)
Target Operating System Bounty (USD) Time Frame
Joomla Ubuntu Server 18.04 x64 $25,000 August 2018 through September 2018
Drupal Ubuntu Server 18.04 x64 $25,000 August 2018 through September 2018
WordPress Ubuntu Server 18.04 x64 $35,000 August 2018 through October 2018
NGINX Ubuntu Server 18.04 x64 $200,000 August 2018 through November 2018
Apache HTTP Server Ubuntu Server 18.04 x64 $200,000 August 2018 through December 2018
Microsoft IIS Windows Server 2016 x64 $200,000 August 2018 through January 2019

28. War Stories
28

29. 29 Copyright 2018 Trend Micro Inc.
Living in the Shadow Brokers Reality

30. 30 Copyright 2018 Trend Micro Inc.
Shadow Brokers leaked hacking tools attributed to Equation Group, who have been
tied to the NSA’s Tailored Access Operation unit
EternalBlue, EwokFrenzy, etc.
Revealed an interesting bug collision…CVE-2007-1675
ZDI acquired IBM Lotus Domino 0-day vulnerability in 2006 from Anonymous submitter
• No authentication required
• No check on length of attacker-supplied username
• CVSS: 10
IBM patched this vulnerability in early 2007 and assigns it CVE-2007-1675
ShadowBrokers revealed the NSA hacking tool entitled EwokFrenzy in 2017
EwokFrenzy targets IBM Lotus Domino and exploits CVE-2007-1675
Killing NSA’s Tailored Access Operation exploits

31. 31 Copyright 2018 Trend Micro Inc.
Shades of Stuxnet

32. 32 Copyright 2018 Trend Micro Inc.
Killing CIA’s Closed Network Infiltration Tool

33. 33 Copyright 2018 Trend Micro Inc. 33
Disrupting BlackEnergy

34. 34 Copyright 2018 Trend Micro Inc.
CVE-2018-8174 used in targeted attacks
1. Victim opens a malicious Microsoft Word doc
2. Malicious doc downloads HTML page containing VBScript
3. VBScript triggers Use-After-Free vulnerability
VBScript Double Kill Vulnerability ITW

35. 35 Copyright 2018 Trend Micro Inc.
Matches Trending Data
ZDI Pre-disclosure Guidance Catches CVE-2018-8373
CVE-2018-8373 ITW

36. Disclosure and
Vendor Response

37. 37 Copyright 2018 Trend Micro Inc.
1
54
80 99 101
301
354
203
288
430
666
700
1009
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
Advisories Per Year
Over 4,000 advisories over the
life of the program

38. 38 Copyright 2018 Trend Micro Inc.
1
54
80 99 101
301
354
203
288
430
666
700
1009
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
0-Day Disclosures Per Year
Over 4,000 advisories over the
life of the program
0 0 0 0 0 0
29
20
7
54
61
54
119

39. 39 Copyright 2018 Trend Micro Inc.
Vulnerability Exposure Window
0
20
40
60
80
100
120
140
160
180
2013 2014 2015 2016 2017

40. 40 Copyright 2018 Trend Micro Inc.
Industry by Industry Comparison
0
20
40
60
80
100
120
140
160
180
200
Business Highly-Deployed SCADA Security

41. Conclusion

42. 42 Copyright 2018 Trend Micro Inc.
Conclusion

43. 43 Copyright 2018 Trend Micro Inc.
https://www.zerodayinitiative.com/blog
Plugging In
https://www.zerodayinitiative.com
@thezdi
PGP https://www.zerodayinitiative.com/documents/zdi-pgp-key.asc
Fingerprint: 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228
zdi@trendmicro.com

44. Questions
Thank you for your time and attention