Why would an attacker ever want to sit on a zero-day exploit?

It's more likely that you'll burn a 0day by using it than by sitting on it.

There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.

Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.

There are a few other reasons 0days may be kept for long periods:

  1. Some people simply hoard 0days for the sake of it. This is all too common.

  2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.

  3. Sometimes a 0day broker is sitting on them while waiting for the right client.

  4. The 0day may be useless on its own, needing to be chained with other exploits to work.

There was some interesting research presented at BH US which analyzed the life of 0days.


  1. The 0-day depends on another vulnerability being discovered to be effectively used. For example, you can't use a privilege escalation if you don't have code execution in the first place. This can also work the other way, where you'd like another 0-day to chain after the one you currently have.

  2. The attacker doesn't have a worthy target to use it on. I'll also point out that the attacker might not exploit everything at once, because if the 0-day is found out you won't be able to use it in the future. What you want to hack into might not even exist when you find the 0-day.

  3. Exploiting the 0-day might be illegal. People can still make money off it by selling it to the highest bidder (this includes negotiating for the money you get from a bug bounty program).


Because the old ways are the best. Why blow an expensive 0-day when you can just use a sweet SMBv1 attack or SQLi that will give you the same result? Using a 0-day can result in discovery from a forensics response, reducing its value and the number of targets it will be effective against.
