Conclusion
Our research methodology was to fingerprint an exploit writer's characteristics and then use these properties as a unique hunting signature. We deployed this technique twice, when tracking down Volodya's exploits and those of PlayBit. Having these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers. We recommend that other researchers try our suggested technique and adopt it as an additional tool in their arsenal.
During this research, we focused on the exploits that are used by or embedded in different malware families, both in APT attacks and in commodity malware (especially ransomware). Although these exploits are widespread, we often found detailed malware reports that neglected to mention that the malware at hand also uses an exploit to escalate its privileges.
The fact that we were able to use our technique, repeatedly, to track 16 Windows LPE exploits, written and sold by two different actors, was very surprising. Considering that 15 of them date to the timeframe of 2015-2019, it is plausible to assume that they constitute a significant share of the exploitation market, specifically for Windows LPE exploits.
Finally, it is impossible to tell the overall number of Windows kernel 0-day vulnerabilities that are being actively exploited in the wild. Nation-state actors are less likely to get caught, and thus the infosec community does not have clear visibility into their ammo crate. That said, we can still get insights by looking at the exploits that were caught, while keeping this survivorship bias in mind. Last year, Kaspersky reported a single actor who distributed an exploit framework that includes 3 more 0-days. Adding up these numbers, we see that 8 out of 15 zero-day exploits, more than half of the "market share", are attributed to only two actors(!). This means that our research technique could potentially be used to track down many of the actors in the observed market, if not all of them.