The Real-World Impact of Bug Bounties and Vulnerability Research

Running the world’s largest vendor agnostic bug bounty program has afforded us the unique opportunity to purchase bugs of all varieties. The submissions to the Zero Day Initiative (ZDI) program range in severity from slightly annoying to hugely impactful. We wouldn’t have it any other way. Generally speaking, the goal of a bug bounty program is to acquire as many bugs as possible. What happens with the bugs once acquired changes depending on the bounty program. At the ZDI, we work not just to kill bugs, which is something we do at a higher rate than other organizations, but we also aim to disrupt the use of exploits used in advanced attacks.

Of course, detecting and defending against advanced persistent threats provides its own challenges. It’s rare that real-world scenarios are laid bare without a time of crisis response. Recently, the WikiLeaks dump of tools reportedly used by U.S. government agencies offered a prime example of the ZDI program altering attack methods. In fact, if the data provided by WikiLeaks is to be believed, the Central Intelligence Agency was forced to change their operational toolset for exploiting targets based on actions taken by the ZDI.

In 2010, the world was introduced to the Stuxnet virus after it caused substantial damage to centrifuges in the Iranian nuclear program. At its core, Stuxnet had three parts: a rootkit to hide itself, a worm to execute the main payload of its attack, and a link file that automatically executed to spread copies of the worm. Microsoft released several different security patches in response, including MS10-046, to address the vulnerability in link files. The patch enabled a whitelist check to ensure only approved files could be used, and many thought the implementation succeeded. However, according to the documents published on WikiLeaks, a tool called “EZCheese” exploited a similar bug in link files until 2015. That change resulted from a set of bugs coming through the ZDI program that showed the MS10-046 patch had failed. This forced a change of operational tactics to what was then an “unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.” Although not explicitly stated by Microsoft, this other link file bug was likely corrected with the release of CVE-2017-8464.

According to the released documents, both EZCheese and its successor Brutal Kangaroo were designed to attack air-gapped networks similar to Stuxnet. What some may not realize is that the link file could also be hosted on a remote drive viewable by the target.

When the ZDI acquires a bug, it isn’t just reported to the vendor for remediation. Information about the bug is provided to Digital Vaccine® Labs (DVLabs) within Trend Micro. They produce a DV filter for the vulnerability that allows TippingPoint customers to protect themselves while the vendor develops a patch for broader release. And yes, after deploying this filter (Digital Vaccine Filter 19340), hits were seen in Europe, South America, and Singapore. While it’s impossible to know the intent or full circumstances surrounding these filters being triggered, the low quantity indicates these were likely targeted attacks.

Earlier dumps from ShadowBrokers show this isn’t the first case of this happening. The vulnerability used by the exploit referred to as “Ewok Frenzy” was submitted to the ZDI program back in 2007. Even though a patch was made available for the exploit, it was reportedly used for almost a decade after our initial disclosure. Bug bounties show their value when they successfully kill vulnerabilities. Without a doubt, the ZDI program kills bugs. In fact, we’ve released 452 advisories this year (as of July 5) with 413 more in our upcoming queue. Each one represents a bug exposed to the light. In some cases, the exploit techniques required to exploit a bug can also be filtered. For example, another vulnerability listed in the documents, EasyBee, worked in the same manner as Ewok Frenzy, so the implemented DV filter covered both attacks.

You can question the veracity of these dumps or whether these exploits were ever actually in the wild, but the scramble by vendors to produce patches has been undeniable. The dumps show adversaries have a complexity and sophistication that requires constant vigilance from network defenders. It also shows how dedicated vulnerability research combined with a world-class bug bounty program increases security for everyone by changing the attack surface. While it’s true there is a difference between zero-day vulnerabilities and zero-day attacks, the value of having protection against bugs prior to their disclosure can’t be measured. The number of software bugs disclosed globally continues to increase year after year. The Zero Day Initiative will continue acquiring and researching zero-day vulnerabilities and working with vendors to increase the overall security posture of their products. We might not ever eliminate all government sponsored, marsupial-based exploits, but we sure can make it harder on them.