Idaho National Lab researcher shines a light on the market for ICS zero-days

The market for previously unknown, or zero-day, software exploits has come out of the shadows in recent years as exploit brokers openly advertise million-dollar payouts. But while zero-day brokers like Zerodium and Crowdfense sometimes outline the types of exploits they buy — whether for mobile or desktop devices — much less has been said about the market for exploits that affect industrial control systems (ICS), which support critical infrastructure sectors like energy and transportation.

Sarah Freeman, an analyst at the Department of Energy’s Idaho National Laboratory, is trying to help fill that void in data and, in the process, show how the ICS exploit market can be a bellwether for threats.

Freeman’s hypothesis was that “if you track these bounties, you can use them as precursors or tripwires for future adversary activity.”

She argues that current tallies of zero-day exploits with ICS implications are undercounted. In the first quarter of 2019, for example, Crowdfense categorized just 2% of the zero-days it bought as ICS exploits. But that figure doesn’t account for how exploits targeting various technology and operating systems can affect ICS, she said.

“The market for [software exploits], writ large, is growing,” she said Tuesday during a presentation of her research at S4, an ICS security conference in Miami Beach. And within that market, there are signs that ICS-relevant exploits are growing, too.

Dual-use exploits

An exploit for accessing an IT network could offer an attacker an eventual pathway into the more sensitive control networks, but at what point does it become an “ICS-relevant” exploit?

To answer that question, Freeman sifted through data on some 400 requested bounties over the last four years by companies like Zerodium and Crowdfense, which sell the exploits to organizations developing offensive capabilities. She found that there is a growing prevalence of zero-day payouts for mobile platforms and for routers, both of which have implications for ICS security.

Routers, for example, are used in both traditional IT networks and at industrial organizations. VPNFilter, the malware that fueled a botnet of some 500,000 infected routers in 2018, showed how that line can blur.

The malware was capable of monitoring a protocol known as Modbus used in SCADA systems, control systems commonly found in the electric sector. A vulnerability in a router that some people associate with traditional IT networks could be used by attackers for reconnaissance on ICS networks, Freeman pointed out.

In her study, Freeman found two payouts for exploits for routers worth $100,000 last year alone. “Router bounties are likely to continue to be issued with increasing prizes,” she said.

The number of payouts for zero-day exploits for mobile applications has also been growing: Roughly 45% of the payouts reviewed by Freeman were for mobile platforms. While it is unclear how many of those exploits had ICS implications, that issue is generally starting to get more attention. Multiple advisories from the Department of Homeland Security in 2018 pointed to vulnerabilities in mobile platforms that engineers use to monitor industrial processes.

Data from ethical bug bounties — those conducted by cybersecurity researchers to fix software flaws rather than selling exploits for them — also point to a growing interest from researchers in finding ICS-related vulnerabilities. In 2018, a quarter of the security advisories published by Trend Micro’s Zero Day Initiative (ZDI) were related to ICS.

An ICS-related exploit can help an attacker collect information on a sensitive target, giving them a foothold into a network that they otherwise wouldn’t have. The ICS exploit market, Freeman argued, is “a jumping-off point for people to go from having no capabilities to having a working, functional, weaponized capability very quickly.” Of course, to be a threat to a given organization, an attacker would have to know how to leverage those capabilities.

Her research is a stab at pinning hard data to the underworld of exploit sales, and an invitation to others to contribute their own insights and learn more about this dark market.