The document discusses the modern zero-day exploit market and economy. It describes how vulnerabilities are found by researchers and sold through brokers to various parties, including governments, criminals, and exploit kit creators. It also outlines trends in the market, such as the impact of new mitigations, regulations, and events like Pwn2Own on the sale of exploits. Finally, it shares some examples of vulnerabilities the Zero Day Initiative has helped patch, and it closes by inviting questions.
2. 2 Copyright 2018 Trend Micro Inc.
Brian Gorenc
• Director of Vulnerability Research at Trend Micro
• Leads the Zero Day Initiative
• Organizes Pwn2Own
• Approver of Payments
Past Experiences
• Lead Developer at Lockheed Martin
Past research:
• Microsoft Bounty submission
• Patents on Exploit Mitigation Technologies
• Bug hunting in many products
BS in Computer Engineering – Texas A&M University
MS in Software Engineering – Southern Methodist University
Twitter: @MaliciousInput
4.
How it works
Trend Micro Customers Protected Ahead of Patch
Other Network Security Vendors’ Customers at Risk
• Vulnerability submitted to the ZDI program
• Vendor Notified
• Digital Vaccine® Filter Created
• Vendor Response Window
• Vulnerability is Patched or Remains Unfixed
• Public Disclosure
8.
Variety
High-Profile
SCADA/IIoT
Infrastructure
Virtualization
IoT
Enterprise
Security
Misc
Open Source
Web
Other
Mobile
Top Vendors
27.
Targeted Incentive Program (TIP)
Target | Operating System | Bounty (USD) | Time Frame
Joomla | Ubuntu Server 18.04 x64 | $25,000 | August 2018 through September 2018
Drupal | Ubuntu Server 18.04 x64 | $25,000 | August 2018 through September 2018
WordPress | Ubuntu Server 18.04 x64 | $35,000 | August 2018 through October 2018
NGINX | Ubuntu Server 18.04 x64 | $200,000 | August 2018 through November 2018
Apache HTTP Server | Ubuntu Server 18.04 x64 | $200,000 | August 2018 through December 2018
Microsoft IIS | Windows Server 2016 x64 | $200,000 | August 2018 through January 2019
29.
Living in the Shadow Brokers Reality
30.
Shadow Brokers leaked hacking tools attributed to Equation Group, who have been tied to the NSA’s Tailored Access Operation unit
EternalBlue, EwokFrenzy, etc.
Revealed an interesting bug collision…CVE-2007-1675
ZDI acquired an IBM Lotus Domino 0-day vulnerability in 2006 from an anonymous submitter
• No authentication required
• No check on length of attacker-supplied username
• CVSS: 10
IBM patched this vulnerability in early 2007 and assigned it CVE-2007-1675
Shadow Brokers revealed the NSA hacking tool entitled EwokFrenzy in 2017
EwokFrenzy targets IBM Lotus Domino and exploits CVE-2007-1675
Killing NSA’s Tailored Access Operation exploits
37.
Advisories Per Year (bar chart, 2005 through 2017; bar labels in axis order: 1, 54, 80, 99, 101, 301, 354, 203, 288, 430, 666, 700, 1009)
Over 4,000 advisories over the life of the program
38.
0-Day Disclosures Per Year (chart, 2005 through 2017; the slide repeats the advisories-per-year bar labels; 0-day disclosure labels in axis order: 0, 0, 0, 0, 0, 0, 29, 20, 7, 54, 61, 54, 119)
Over 4,000 advisories over the life of the program