Have you ever asked yourself why the 0day market is so focused on mobile devices (browsers / OS) and not on other products?

A thread: deep-dive into the offensive cyber security market
(part 1)
When we talk about the offensive cyber security market, we refer mainly to 2 groups of clients that make up the market:
(1) Governments
(2) End-to-end (e2e) companies
End-to-end companies are responsible for creating the technology that allows the end user (governments) to infect their targets. Being an end-to-end company is not an easy task.
Before we get into details, there are a couple of characteristics you need to know about the e2e companies:
(1) e2e companies are not allowed to run operations for the end client. That means the e2e company sells a product, not a service: the end user runs the operation against the target and tries to infect it.
(2) The e2e company has a Support License Agreement (SLA) with the end client. In the SLA the company states that it will support the client by adapting the technology to different devices / versions / updates, keeping the attack vector “on” for X months a year, etc.
If a company doesn’t meet the SLA, it won’t get paid, and there is always the risk that the client will switch vendors.
(3) When an e2e company sells its product to an end client, the end client signs a document stating that it is only allowed to use the technology domestically.
(4) e2e companies’ interest is in selling a product, not vulnerabilities. I’m not saying they won’t sell a capability if the client demands it; I’m saying they will make less money on it and have less incentive to do so (regulation is also part of it).
Another factor is that only a select few end users have the knowledge to take a raw vulnerability and use it as part of a bigger operation.
Now we can break down the end-to-end company into two components:
(1) Infrastructure: the infrastructure has a lot of moving parts: C2 servers, implants, proxies, analytics systems to process the information collected from the target device, support for an unbelievable number of devices / versions, obscure mobile device manufacturers, etc.
(2) Attack vectors: different companies focus on different devices. There are companies that focus on IoT / mobile / PC or a combination of these. Most companies today are mobile-focused, and they usually offer one or more of the following attack vectors:
(2.1) “1click” solution: the target gets infected by clicking a link that triggers a browser exploit chain (for example, Chrome RCE + Chrome SBX + Android LPE: remote code execution in the renderer, a sandbox escape, then a local privilege escalation on the OS). “1click” solutions are the most common attack vector today. e2e companies have an internal research team that is familiar with the 1click world, and if a company buys a vulnerability from the open market, their researchers will know what to do with it (mature it to a production level).
(2.2) “0click” solution: the target doesn’t need to do anything; just having a specific application installed on the device (iMessage, for example) is enough to get infected. “0clicks” are much rarer and harder to find: you don’t see them that often on the 0day market, and they are usually the product of a dedicated research team inside the e2e company.
The company’s number one priority is keeping up with the SLA, so its resources will be invested in its core offering.
What happens if a company that offers a “1click” solution has an opportunity to buy a cool / unique vulnerability from the 0day market?
Let’s take the Microsoft Exchange vulnerabilities that were published recently as an example.
(1) Let’s assume that those vulnerabilities were offered on the 0day market
(2) The e2e company is PC focused (Windows / Linux / browsers)
(3) The e2e offering is 1click with Chrome RCE + Chrome SBX + Windows / Linux OS LPE
(4) The company has been approached by a researcher who would like to sell them the Microsoft Exchange vulnerabilities.
As an e2e company, they are not allowed to:
(4.1) Exploit the vulnerabilities themselves and do mass collection of data
(4.2) Sell access to compromised machines
What can the e2e company do with it?
(1) Deal enabler: buy the item and use it “as is”, without making it part of the company’s offering (SLA) / portfolio. In other words: “we have this capability, we don’t know how long it will last, we will give it to you at a discount.”
-> by doing this, the company can win new clients for its 1click solution, since the new vulnerability is an advantage it has and its competitors don’t.
(2) Reseller: buy the item and sell it to an end user as a one-time transaction.
I would just mention that I also published part 2.

Thread by Maor Shwartz (@malltos92)
7 Sep
(part 2)
(3) Strategic bet: make a strategic decision to support a new attack vector because clients demand it. The company would need to invest a lot of resources to mature the item / plug it into the infrastructure (which takes a lot of time, during which the item might be patched) and create a “product” around it.
In addition, because it is a new product line, the company would need to pull researchers off other vectors to focus on the new Microsoft Exchange vector. That makes it less likely to happen, and most of the time the e2e company will pass on the opportunity to buy it.