Zero-day disclosure-to-weaponization period cut in half

There’s no doubt about it: the batch of stolen information leaked in the wake of the Hacking Team breach was a boon for exploit kit developers.

Not only did it contain a number of exploits for previously unknown zero-day vulnerabilities, but they were accompanied with instructions that allowed them to minimize the time it took them to implement the exploit in their kits.

The first of those exploits – for CVE-2015-5119 – was found on the same day that the data was leaked (July 6), and was spotted being leveraged by the Neutrino, Angler and Nuclear exploit kits a day later (July 7).

Adobe pushed out a patch for the flaw on July 8. Three more exploit kits – Magnitude, RIG and HanHuan – were spotted using the exploit on July 8, 9 and 10, respectively.

“This particular zero day continues to illustrate the trend of shorter and shorter times between publicly available information of the existence of a zero day and integration into exploit kits,” Malwarebytes’ researchers noted in a report released at Black Hat USA 2015.

This particular instance is unusual, but according to historic data, in the last ten months, the period of time between the discovery of a zero-day vulnerability and its weaponisation by attackers has dropped from eight days to four – it has been essentially cut in half.

“The cyber criminals who develop exploit kits are always on the lookout for additional vulnerabilities to add to their arsenal. Their selection of vulnerabilities directly affects their businesses, their popularity, as well as the prices they can charge malware authors who use their services as a vehicle for delivery. All of this hinges on successful infections, and using zero days yields the highest infection rates possible,” the researchers explained, adding that the example of the CVE-2015-5119 exploit showed which exploit kit makers are the most adept at weaponizing zero-days.