A Windows zero-day for sale on the black market for $90,000 just received a price drop. The flaw, which allegedly leaves users of every version of Windows exposed to a local privilege escalation (LPE) vulnerability, can now be snatched up for $85,000.
According to Trustwave, which has been monitoring the price, this is the second price drop the zero-day vulnerability has received since it went on sale in May. Originally the seller offered to sell it for $95,000.
Last month, the sellers claimed to have found a vulnerability that can give attackers admin rights to any Windows machine from Windows 2000 to a fully patched version of Windows 10. At the time, security experts said the zero-day exploit looked legitimate.
With more than a week having passed and still no takers, Trustwave security experts still say they are confident that the zero day is legitimate. In the wrong hands, Trustwave said, the LPE exploit could be an extremely effective tool for hackers who already have a foothold in an existing computer network.
In an update posted to Trustwave’s SpiderLabs blog on Thursday, researchers wrote, “The seller once again lowered their price on the 6th of June to $85,000USD. This means that the exploit hasn’t sold yet and the seller may be having problems finding a buyer.”
Trustwave stresses there is no way to know with absolute certainty if the zero day is legitimate without purchasing the exploit. However, Trustwave said there are a number of strong indicators that the exploit is legit, such as the seller offering the use of an independent escrow agent to verify the exploit works before payment is made.
Other indicators include two videos that accompany the hacker’s for-sale listing and show the vulnerability in action. One video shows the exploit successfully bypassing all of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protections on the latest version of Windows. The second video shows a fully updated Windows 10 machine being exploited successfully by elevating a CMD.EXE process to the SYSTEM account.
“There are a number of things that could account for a delay in the sale of this zero day,” said Logan Brown, president of Exodus Intelligence, which runs its own vulnerability purchasing program, among other offerings. He doesn’t believe that the price drop is any indicator that the zero-day sale isn’t valid; rather, he says it reflects a competitive zero-day market for LPEs.
“It’s similar to selling a house when you’re talking about prices in that neighborhood,” Brown said. “I would assume that’s a sign of supply and demand, not that the zero day isn’t valuable. LPEs are a common target and there is a lot of demand for them. It’s just that many of the people who want one probably already have one,” Brown said in an interview with Threatpost.
“I would guarantee that the next time Microsoft has a big patch cycle where they fix a lot of kernel issues that there will be a lot more demand for these type of vulnerabilities,” Brown said.