Jump to content

Exploit as a service

Edit links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Leomk0403 (talk | contribs) at 10:35, 13 December 2021 (added Category:Dark web; removed {{uncategorized}} using HotCat). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Exploit-as-a-service or EaaS is a scheme of cybercriminals whereby zero-day vulnerabilities are leased to hackers.[1][2] EaaS is typically offered as a Cloud Service.[3] By the end of 2021, EaaS became more of a trend among ransomware groups.[4]

In the past, zero-day vulnerabilities were often sold on the Dark Web, but this was usually at very high prices, like millions of US dollars per zero-day.[5] A leasing model makes such vulnerabilities more affordable for many hackers.[6] Even if such zero-day vulnerabilities will ever be sold at high prices, they can be leased for some time.[7]

The scheme can be compared with similar schemes like Ransomware-as-a-Service (RaaS), Phishing-as-a-Service and Hacking-as-a-Service (HaaS).[8] [9] The latter includes such services as DoS and DDoS and botnets that are maintained for hackers who use these services.

Parties who offer Exploit-as-a-service need to address various challenges. Payment is usually done in cryptocurrencies like the bitcoin. Anonymity is not always guaranteed when cryptocurrencies are used, and the police have been able to seize criminals on various occasions.[10][11] Zero day vulnerabilities that are leased could be discovered and the software that is used to exploit them could be reverse engineered.

It is as yet uncertain how profitable the exploit-as-a-service business model will be. If it turns out to be profitable, probably the amount of threat actors that will offer this service will increase.[12] Sources of information on Exploit-as-a-Service include discussions on the Dark Web, which reveal an increased interest in this kind of service.[13]

See also

Notes

  1. ^ https://web.archive.org/web/20211123034031/https://portswigger.net/daily-swig/exploit-as-a-service-cybercriminals-exploring-potential-of-leasing-out-zero-day-vulnerabilities
  2. ^ https://web.archive.org/web/20211128180425/https://www.cybertalk.org/2021/11/17/exploit-as-a-service-high-rollers-and-zero-day-criminal-tactics/
  3. ^ https://web.archive.org/web/20210119022451/https://www.trendmicro.com/en_us/research/11/d/new-type-of-cloud-emerges-exploits-as-a-service-eaas.html New type of cloud: Exploits as a Service (EaaS)
  4. ^ https://web.archive.org/web/20211201172230/https://cyware.com/news/zero-day-flaws-and-exploit-as-a-service-trending-among-ransomware-groups-27991876 Zero-day Flaws and Exploit-as-a-Service Trending Among Ransomware Groups
  5. ^ https://web.archive.org/web/20211201172230/https://cyware.com/news/zero-day-flaws-and-exploit-as-a-service-trending-among-ransomware-groups-27991876 Zero-day Flaws and Exploit-as-a-Service Trending Among Ransomware Groups
  6. ^ https://web.archive.org/web/20210811091611/https://whatis.techtarget.com/definition/hacking-as-a-service-HaaS
  7. ^ https://web.archive.org/web/20211123034031/https://portswigger.net/daily-swig/exploit-as-a-service-cybercriminals-exploring-potential-of-leasing-out-zero-day-vulnerabilities
  8. ^ https://web.archive.org/web/20210811091611/https://whatis.techtarget.com/definition/hacking-as-a-service-HaaS Hacking as a Service as saved in the Internet Archive
  9. ^ https://web.archive.org/web/20211123034031/https://portswigger.net/daily-swig/exploit-as-a-service-cybercriminals-exploring-potential-of-leasing-out-zero-day-vulnerabilities
  10. ^ https://web.archive.org/web/20211129101836/https://www.bbc.com/news/uk-england-lincolnshire-59054033 Lincolnshire boy has £2m of cryptocurrency seized by police
  11. ^ https://web.archive.org/web/20211021001236/https://www.theguardian.com/technology/2021/jul/13/met-police-bitcoin-money-laundering-cryptocurrency Met police seize nearly £180m of bitcoin in money laundering investigation
  12. ^ https://web.archive.org/web/20211123034031/https://portswigger.net/daily-swig/exploit-as-a-service-cybercriminals-exploring-potential-of-leasing-out-zero-day-vulnerabilities
  13. ^ https://web.archive.org/web/20211117140438/https://www.2-spyware.com/new-criminal-tactics-exploit-as-a-service-and-buying-zero-day-flaws New criminal tactics: exploit-as-a-service and buying zero-day flaws
Retrieved from "https://en.wikipedia.org/w/index.php?title=Exploit_as_a_service&oldid=1060083385"