Every month Microsoft releases software updates to fix vulnerabilities across the company’s vast line of technology products.
The ritual, known as Patch Tuesday, often involves security experts urging users to update their software, and researchers gaining some public recognition after months of quietly working to mitigate the flaws.
A new study from antivirus vendor Trend Micro found that cybercriminal forums continue to advertise exploits for a vulnerability years after a patch has been released, though, with sellers adjusting prices to market demand and bundling multiple old exploits together to maximize profits.
The study, which spanned nearly two years and numerous illicit marketplaces, found that nearly half of the software exploits requested on forums were for vulnerabilities that were at least three years old. The demand for exploits is also catered to the popularity of software: Microsoft products accounted for 47% of the exploits that forum users requested, according to Trend Micro.
The data shows that holes in popular software act as cash cows for criminals in instances when corporate, personal or government users don’t update their software. The findings also come amid an apparent shakeup in cybercriminal forums after the ransomware attack that prompted the shutdown of Colonial Pipeline, the main artery for delivering fuel to the East Coast. XSS, one of the more popular Russian-language forums, claimed it would ban ransomware sales after the incident.
“Patching yesterday’s popular vulnerability can be more important than today’s critical one,” Mayra Rosario Fuentes, senior threat researcher at Trend Micro argued Monday at a presentation at the RSA Conference. She was previewing the research, which Trend Micro will release in July.
While it is unclear if XSS’s supposed ban on ransomware will stick, Trend Micro reported on other market forces that are shaping underground forums. Some vendors rely on their reputation for delivering high-end exploits and only make a handful of sales per year, with the price of an exploit reaching half a million dollars, according to the research. Other exploit sellers count on bargain hunters only willing to cough up $100 here or there.
“Cybercriminals will use the cheapest tool to get the job done,” Rosario Fuentes said.