Three concerning zero-day exploits up for sale on the dark web

by Jack Chapman
Published on 22nd Jun 2022

Our threat intelligence team has shared several threats they’ve uncovered through monitoring our B2B platform in our recent report: Keeping Pace with Emerging Threats. One of the standout threats to keep your users aware of is the risk of zero-day exploits targeting widely used software and applications.

Quick summary of these attacks

  • Vector and type: Zero-day exploits
  • Targets: Facebook users, Gmail users, and countries using electronic voting
  • Platform: Facebook and Gmail

We’ve recently found three zero-day exploits that have been posted to Empire Market, a dark web forum where exploits, phishing tools, and templates are available to purchase.

What the attacks look like

As you can see in figure 1, the dark web forum works like any legitimate online marketplace, with categories, filters, and reviews.


Figure 1: Empire Market dark web forum

At the end of April 2022, our analysts found an electronic voting exploit for sale (figure 2). This exploit claims to allow malicious software to be loaded onto a voting machine via a USB and then cause a score bias per voting machine. For example, it could ensure that every third vote goes to a particular candidate, regardless of what the voter selected. This could have serious impacts on the fairness of an election.

Figure 2: Electronic voting machine zero-day exploit

The second involves an exploit to take over a victim’s Gmail account. As you can see in the product description in figure 3, the poster claims the exploit can be deployed remotely via a code injection. It then sends the attacker an authentication code via a burner email (an address which cannot be linked to an attacker’s real-world identity).

This exploit allows attackers access to all Gmail accounts, regardless of two-factor authentication (2FA). It goes to show that 2FA is not enough on its own, despite the peace of mind it might give to users. People should be advised that 2FA is not a magic bullet against phishing. They need to make sure software is updated and stay alert to warnings about suspicious logins.

Figure 3: Gmail zero-day exploit

The final zero-day exploit we’ve found doing the rounds is a way to take over a Facebook account through a password reset vulnerability (figure 4). This exploit bypasses any two-factor protection through an SMS or app authenticator. As the product description explains, most people link their Instagram to their Facebook account, so it’s a ‘two-in-one’ exploit.

These accounts can be taken over and then used to harvest even more information about victims to make further phishing attacks more believable. Social media accounts contain a host of information about people, such as date of birth, geographic locations, mother’s last name, and plenty more.


Figure 4: Facebook zero-day exploit

The takeaway

New zero-day exploits are being discovered all the time. Keep your people abreast of the latest threats by staying up to date with advice from your threat intelligence network. They should also be advised to make sure they’re always using the latest software versions.

Get the full emerging threat report

This is just one of the emerging threats our Threat Intelligence team picked up on in the past few months. For the latest info on cryptocurrency charity scams exploiting the Ukraine crisis, LinkedIn impersonation phishing, and sextortion blackmail, download your full report here.