Roaring trade in zero-days means more vulns are falling into the hands of state spies, warn security researchers
Flaw variety hipper with snoops than cash-hungry crooks right now
Zero-day vulns are increasingly likely to be bought and sold by malware vendors targeting the Middle East with their dodgy wares, according to FireEye.
"While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities," said the threat intel group in a blog post published today.
Israeli spyware company NSO Group is a name that keeps cropping up again and again in FireEye's analysis, which found that over the past three years, the number of zero-days in observed circulation has been increasing.
"Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities," said FireEye, which went on to refer to a group of malicious persons variously named by researchers as Stealth Falcon and FruityArmor [sic].
This group "used malware sold by NSO Group", said FireEye, which speculated that it might also be linked to Uzbekistani state spying operations: "The zero-days used in SandCat operations [another online threat activity group] were also used in Stealth Falcon operations, and it is unlikely that these distinct activity sets independently discovered the same three zero-days."
Aside from NSO Group's sales, FireEye also looked at what it called "financially motivated actors", meaning criminals who want to make a quick buck from exploiting zero-days to steal and sell data. These, it said, were doing their thing "with less frequency than espionage groups", suggesting that you're at greater risk from state spies abusing zero-day vulns to pwn your network than you are from common-or-garden crims trying to ransom your stolen data back to you.
Stealth Falcon was identified by eastern European infosec bods Eset last year as using an obscure Windows background service for its command-'n'-control comms with compromised machines in the group's botnet. Before that, Kaspersky found them abusing a vuln in Windows TrueType fonts to remotely execute code on targeted devices.
Kaspersky also recently found an uptick in malicious activity targeting the Middle East as a whole, something that, going by threat intel companies' findings, appears to be a rising trend.
A zero-day is a software vulnerability that has zero days between the time it is discovered and the time that someone is found to be using it for criminal purposes. Responsible infosec researchers find vulns and then privately tell vendors about them so they can be patched before everyone knows; zero-days, in contrast, are highly prized by malware vendors and state spies alike. ®