Business
Improve your risk posture with attack surface management
Security that enables business outcomes
Gain visibility and meet business needs with security
Connect with confidence from anywhere, on any device
Secure users and key operations throughout your environment
Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities
Maximize effectiveness with proactive risk reduction and managed services
Understand your attack surface, assess your risk in real time, and adjust policies across network, workloads, and devices from a single console
Drive business value with measurable cybersecurity outcomes
See more, act faster
Evolve your security to mitigate threats quickly and effectively
Ensure code runs only as intended
Gain visibility and control with security designed for cloud environments
Protect patient data, devices, and networks while meeting regulations
Protecting your factory environments – from traditional devices to state-of-the-art infrastructures
ICS/OT Security for the oil and gas utility industry
ICS/OT Security for the electric utility
Stop threats with easy-to-use solutions designed for your growing business
Bridge threat protection and cyber risk management
Your generative AI cybersecurity assistant
Stop breaches before they happen
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
The most trusted cloud security platform for developers, security teams, and businesses
Cloud asset discovery, vulnerability prioritization, Cloud Security Posture Management, and Attack Surface Management all in one
Extend visibility to the cloud and streamline SOC investigations
Secure your data center, cloud, and containers without compromising performance by leveraging a cloud security platform with CNAPP capabilities
Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection
Protect application workflow and cloud storage against advanced threats
Defend the endpoint through every stage of an attack
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Optimized prevention, detection, and response for endpoints, servers, and cloud workloads
On-premises and cloud protection against malware, malicious applications, and other mobile threats
Expand the power of XDR with network detection and response
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Protect against known, unknown, and undisclosed vulnerabilities in your network
Detect and respond to targeted attacks moving inbound, outbound, and laterally
Redefine trust and secure digital transformation with continuous risk assessments
Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise
Stop phishing, ransomware, and targeted attacks on any email service including Microsoft 365 and Google Workspace
Learn about solutions for ICS / OT security.
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
See threats coming from miles away
End-to-end identity security from identity posture management to detection and response
Prevent, detect, respond and protect without compromising data sovereignty
Augment security teams with 24/7/365 managed detection, response, and support
Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks
Our trusted experts are on call whether you’re experiencing a breach or looking to proactively improve your IR plans
Stop breaches with the best response and detection technology on the market and reduce clients’ downtime and claim costs
Grow your business and protect your customers with the best-in-class complete, multilayered security
Stand out to customers with competency endorsements that showcase your expertise
Deliver modern security operations services with our industry-leading XDR
Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs
We work with the best to help you optimize performance and value
Discover resources designed to accelerate your business’s growth and enhance your capabilities as a Trend Micro partner
Accelerate your learning with Trend Campus, an easy-to-use education platform that offers personalized technical guidance
Access collaborative services designed to help you showcase the value of Trend Vision One™ and grow your business
Locate a partner from whom you can purchase Trend Micro solutions
See how Trend outperforms the competition
Crowdstrike provides effective cybersecurity through its cloud-native platform, but its pricing may stretch budgets, especially for organizations seeking cost-effective scalability through a true single platform
Microsoft offers a foundational layer of protection, yet it often requires supplemental solutions to fully address customers’ security problems
Palo Alto Networks delivers advanced cybersecurity solutions, but navigating its comprehensive suite can be complex and unlocking all capabilities requires significant investment
Download The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground
The cybercriminal underground is host to a vast market of zero-day and N-day exploits, where the price for an exploit is often dictated by how long it has been out (the newer, the more expensive) and whether a patch for the exploited vulnerability is forthcoming (zero-day) or has already been released (N-day). Over the past two calendar years, we scoured underground forums for N-day exploits to determine how long they stayed in the market. We also examined their life cycle to see whether malicious actors strictly favored newer exploits or also had uses for older ones.
Figure 1. The typical life cycle of an exploit in the cybercriminal underground
The life of an exploit starts with its creation by a developer, either as an already working exploit or as a proof of concept that other developers could build upon. Once it can be weaponized, it is sold in the underground. If it is a zero-day exploit, it can command a very high price. After a patch for the affected vulnerability is released, the price inevitably drops for what is now an N-day exploit. This does not mean, however, that the exploit has become obsolete, as it can still be sold in the underground for years and can even be bundled with other old exploits.
Figure 2. A forum post advertising an exploit for a zero-day Internet Explorer vulnerability
Aside from selling exploits on underground forums, actors can also choose to submit vulnerabilities to bug bounty programs. This has proved to be a viable option for those who do not want to go through the hassle of developing and selling exploits on underground forums. Surprisingly, we even found guides on how to submit vulnerabilities to bug bounty programs on some forums — further proof that these programs have become a legitimate option for vulnerability hunters or erstwhile exploit developers.
Figure 3. A forum post by a user promoting guides on how to submit exploits to bug bounty programs
Although newer exploits are understandably more sought after, there is still a market for seemingly outdated exploits. For example, we found forum posts mentioning exploits for 20-year-old vulnerabilities, including a post made in 2019 requesting an exploit for CVE-1999-0021. Old exploits are also sometimes offered for free on underground forums.
Arguably the most prominent example of an old exploit that remains in use is EternalBlue, which was most notably used in the infamous WannaCry ransomware outbreak of 2017. The persistence of EternalBlue is evidenced by the prevalence of WannaCry itself, which still emerged as the top malware family in Trend Micro’s detections in 2020.
Subscription services for exploits are also available as an alternative to less experienced actors who do not have the technical knowledge to properly implement exploits. These services often include bundles of old exploits that are already built and automated into the vehicles used in attacks, such as Microsoft Word or Excel documents. An exploit builder we found, for example, bundled exploits for the vulnerabilities CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802 into a single subscription service for a monthly fee of US$1,150. Some services also promise their subscribers periodic updates on their offerings
Figure 4. The distribution of exploits sold by users on cybercriminal underground forums based on the years of disclosure of the vulnerabilities they are for
Perhaps the development in recent years that has been most disruptive to the underground exploit market is the rise of the access-as-a-service model, where vendors provide remote access to entire corporate networks.
Because they bypass the need for setting up complicated infrastructure to compromise a target system, access-as-a-service offerings typically command higher prices, which many customers are willing to pay because of the ease of use and transparency afforded by the model. While some access-as-a-service sellers are less experienced and merely rely on being able to find and capitalize on working exploits, there are other sellers who consider access-as-a-service a more professional operation, offering a wide range of products and services complete with portfolios.
Figure 5. A forum post advertising access, using a zero-day rootkit, to email servers
That the underground exploit market continues to thrive means that organizations should ensure that patches are applied and systems are updated in a timely manner. However, patching multiple machines, let alone a whole system, is not as easy as it sounds. Implementing updates takes time, especially for large organizations. One way of bridging the gap during the time it takes to fully implement security patches is virtual patching, which protects systems and networks from exploits via an additional security layer.
Our paper “The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground” expounds on this security recommendation. In it we detail our two-year research into the underground N-day exploit market, including in-depth discussions of the kinds of exploits that are offered and the types of actors who participate in it.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
View the 2024 Trend Micro Security Predictions
View the report
Try our services free for 30 days
Trend Micro – United States (US)
225 East John Carpenter Freeway
Suite 1500
Irving, Texas 75062
Phone: +1 (817) 569-8900
Select a country / region
Privacy | Legal | Accessibility | Site map
Copyright ©2024 Trend Micro Incorporated. All rights reserved
Copyright ©2024 Trend Micro Incorporated. All rights reserved
