
I am trying to understand why an attacker would want to wait to use a zero-day exploit.

I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.

Question: What factors would cause the attacker to wait to use a zero-day exploit?

  • 11
    Besides being randomly discovered by others, two things can spoil a zero day. First of all, you use it and it gets detected. And secondly, you sell it, which also increases the likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said, it can be a long time until a used zero day is discovered if you are careful.)
    – eckes
    Commented Dec 3, 2018 at 8:15
  • 38
    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...
    Commented Dec 4, 2018 at 0:16
  • 24
    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?
    – HenricF
    Commented Dec 4, 2018 at 10:39
  • 7
    If I gave you an illegal gun, would you just start shooting it immediately? Alerting the cops and emptying the clip? No, you would wait for something worth shooting at to come by.
    – Agent_L
    Commented Dec 5, 2018 at 9:02
  • 10
    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it...
    – barbecue
    Commented Dec 5, 2018 at 14:13

7 Answers

157

It's more likely that you'll burn a 0day by using it than by sitting on it.

There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.

Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.

There are a few other reasons 0days may be kept for long periods:

  1. Some people simply hoard 0days for the sake of it. This is all too common.

  2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.

  3. Sometimes a 0day broker is sitting on them while waiting for the right client.

  4. The 0day may be useless on its own, needing to be chained with other exploits to work.

There was some interesting research presented at BH US which analyzed the life of 0days.

  • 41
    "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)
    Commented Dec 3, 2018 at 17:48
  • 1
    What does it mean to "borrow" an exploit?
    Commented Dec 4, 2018 at 21:52
  • 3
    @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.
    – forest
    Commented Dec 5, 2018 at 1:56
  • 9
    @Oddthinking - Just like stackexchange where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.
    – slebetman
    Commented Dec 5, 2018 at 2:58
42
  1. The 0 day depends on another vulnerability being discovered to be effectively used. For example, you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way, where you'd like another 0 day to chain after the one you currently have.

  2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once because if the 0 day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0 day.

  3. Exploiting the 0 day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program).

26

Because the old ways are the best. Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result? Using a 0-day can result in discovery from a forensics response, reducing its value and eliminating the number of targets it will be effective against.

21

From the standpoint of the attacker, a zero-day exploit is a valuable resource because it is not publicly known. This gives the attacker the element of surprise when it is actually deployed, as the target will not be able to proactively defend against it.

Each time a zero-day is used, there's a chance it'll be discovered by the target and the vulnerability patched out by the software vendor. Once the vulnerability is closed, the usefulness of the exploit is greatly reduced and limited to targets who have not updated the software. This is known as "burning" the exploit.

Because the goal of most attackers today is to directly or indirectly gain money (e.g. by stealing personal information from the target and using it to commit identity fraud), zero-day exploits have economic value. The exploit loses its value if it is burned and rendered ineffective. In essence, a zero-day is a valuable and expendable weapon which should be saved for use against high-value targets that cannot be exploited through publicly-known vulnerabilities.

This means, for example, that an attacker targeting a system running an older version of a particular piece of software with known vulnerabilities would want to use an existing, publicly-available exploit rather than use the zero-day exploit and risk burning it. Why waste a valuable resource when you can get the job done with a less expensive solution?

12

Maybe an attacker with a 0day is waiting for a good opportunity.

Most targets have their highs and lows. If one's goal is to wreak havoc and do as much damage as possible, then using a 0day immediately after uncovering it might not be the best idea.

Some targets have frozen periods, where they lack manpower and must not touch their critical environments. Some others have critical periods to launch a new product, or handle a particularly sensitive set of data.

Exploiting the vulnerability that was found before such an event means there's a risk it'll be discovered before it happens. And so the attacker loses an opportunity to hit pretty hard.

If he waits until he knows enough about a target to strike exactly where and, more importantly, when it hurts, it will be the jackpot.

In 2017, there was a crypto ransomware campaign that targeted companies during lunch hours.

That worked nicely: people locked their computers, went somewhere to eat, and when everyone got back to their office at 2 P.M. everything was already enciphered. No one was there to ring the alarm bell.

Now apply this attack just before an important board meeting at the end of the financial year, or during a period of media attention to the target. It could severely damage the image of this target, and cost millions if not billions, while performing an attack at some other point might not be noticed at all.

6

When you infect a computer and use a 0-day exploit, evidence of how you got in is often left behind. Preventing yourself from leaving any evidence is about as hard as having software that has no exploits in it; next to impossible.

Many computer systems aren't patched regularly; on such a system, an old exploit will usually get you in just fine. This exploit being discovered ... doesn't do much. I mean, if you took over 20% of the computers on the internet with a specific exploit, you might notice an increase in patch rates. But you might not.

A 0-day exploit, on the other hand, can be used to break into security-conscious targets. If you care about the specific target, and they work at being secure, the 0-day exploit may still get you in.

Your attack may, however, be noticed. And once noticed, they might work out your exploit. And once they work out your exploit, they could share it with the vendor, who might patch it; or they might hack a patch themselves.

And now, your 0-day exploit has patches published, and every security-conscious system on the planet blocks its use. So tomorrow, when you really want to break into a secure server somewhere, you'll need a different, new exploit. You burned your exploit.

Not every use of your exploit is going to be noticed, and not every notice is going to result in a patch, but every use increases the chance that a patch will arrive that breaks your exploit.

We can illustrate this with some examples of state-sponsored computer hacking. Stuxnet used four zero-day flaws (that there was no security against). Its discovery led to all 4 being patched, "burning" their usefulness in the future. In exchange, a pile of expensive centrifuges in Iran broke, slowing Iranian nuclear research.

It did the job of multiple cruise missiles, with far less diplomatic, humanitarian and military risks.

5

Another reason is they can't use it (optimally) at the moment. Examples are:

  • They might have a specific target like a diplomat in mind, but the exploit requires being on the same Ethernet/WiFi network or having physical access. So they have to wait until this condition is met, or arrange it so the condition is met.

  • They don't have enough information about the target yet. For example, they need to find out on which server the interesting information is hosted. If they use the exploit too soon, before finding the files, it is more likely that they are detected and the exploit gets burned.

  • They currently don't have the resources/manpower to launch the attack, because they are currently occupied with another target or the employees of their department for launching the attacks are currently sick (even bad guys get sick).

  • They lack other tools required to use it effectively. They might have an email exploit to run their code when the victim opens the mail, but all their RAT tools/botnet clients/ransomware are currently detected by every virus scanner, so it would be useless to burn it.
