Corporates and enterprises into cloud computing are either familiar with or use SaaS, PaaS and IaaS, or a combination of the three. That’s all good. According to IBM, when used effectively, these cloud services reduce time to benefit, lower operational and IT costs, and facilitate scalability and integration. But then there are those cloud services that originate from the dark web. Two weeks ago, you discovered that Distributed-Denial-of-Service (DDoS) attacks are increasing at an exponential rate resulting in prolonged outages of thousands of business websites. And now there’s Exploit-as-a-Service (EaaS), a new trump card in the hands of sophisticated and greedy cybercriminals.


Exploit-as-a-Service is a new business model used by cybercriminals based on the many successes of ransomware attacks and using Ransomware-as-a-Service (RaaS). EaaS would enable hackers to rent or lease zero-day exploits which can then be used to paralyze individual computers or IT networks. Why rent rather than buy? The obvious answer is cost. Research confirms that zero-day exploits can be sold for as much as $10 million on the dark web, a high price to pay for any form of malware. With most threat actors finding this sum unaffordable, renting the exploits is much more viable. It also means that the EaaS vendors make money quicker as there is often not an immediate buyer for the exploit.


Put simply, zero-day is a flaw or vulnerability in software, hardware or firmware. Zero-day can refer to the actual and unknown vulnerability or an attack that has zero days between the time the vulnerability is discovered and the first attack. In most cases when a zero-day security flaw is detected in software, an individual, company, or government agency will notify the software company who will then repair the code and distribute a patch or software update. Zhero-day issues are not immediately as industry guidelines recommend that the developer has time to patch the vulnerability. With Google Project Zero, vendors have up to 90 days to develop and implement a patch before the finder publicly discloses the flaw.


What makes zero-day potentially dangerous is when a hacker discovers a vulnerability first and then implements an attack and catch the victim completely off-guard. What makes this threat real is that zero-day exploits are exceptionally difficult to detect. Zero-day attacks have also been attributed to advanced persistent threat (APT) attackers, who are intent on stealing data rather than targeting an IT network. As the name suggests, APT involves a prolonged and targeted cyberattack in which the cybercriminal gains access to a PC or network, remaining undiscovered for an extensive period of time.


In essence, Exploit-as-a-Service provides a cost-effective means for hackers to proliferate zero-day exploits. Cybercriminals could also test the leased exploit and decide if they will purchase it on an exclusive or non-exclusive basis. Basically, it’s a win-win scenario for EaaS vendors and hackers. As Stefano De Blasi, a cyber threat analyst at Digital Shadows, explains:

“In this way, [developers] can try and monetize that zero-day before they sell it entirely to someone else  — or before the zero-day is discovered by security researchers, for example, and it’s patched and they just lose all the potential money they could have made.”

The bottom line is that Exploit-as-a-Service provides one route to maximizing revenues from zero-day exploits before they are discovered.


The secret to not becoming a zero-day victim is to be prepared. And this is where Zhero will help your business, no matter what it’s size. Zhero specializes in cybersecurity and risk mitigation, with more than 20 years of experience in professional business IT management. We will monitor your IT systems, patch and update software and minimize the risk of your ever falling prey to zero-day exploits. Contact us today and make it your Zhero day