Exploit as a service (EaaS) is a scheme of cybercriminals whereby zero-day vulnerabilities are leased to hackers.[1] EaaS is typically offered as a cloud service.[2] By the end of 2021, EaaS became more of a trend among ransomware groups.[3]
In the past, zero-day vulnerabilities were often sold on the dark web, but this was usually at very high prices, millions of US dollars per zero-day.[4] A leasing model makes such vulnerabilities more affordable for many hackers.[5] Even if such zero-day vulnerabilities will later be sold at high prices, they can be leased for some time.[6]
The scheme can be compared with similar schemes like Ransomware as a Service (RaaS), Phishing as a Service and Hacking as a Service (HaaS).[7][8] The latter includes such services as DoS and DDoS and botnets that are maintained for hackers who use these services.
Parties who offer exploit-as-a-service need to address various challenges. Payment is usually done in cryptocurrencies like Bitcoin. Anonymity is not always guaranteed when cryptocurrencies are used, and the police have been able to seize criminals on various occasions.[9][10] Zero day vulnerabilities that are leased could be discovered and the software that is used to exploit them could be reverse engineered.
It is as yet uncertain how profitable the exploit-as-a-service business model will be. If it turns out to be profitable, probably the amount of threat actors that will offer this service will increase.[11] Sources of information on exploit-as-a-Service include discussions on the Dark Web, which reveal an increased interest in this kind of service.[12]
^"Exploit-as-a-service: Cybercriminals exploring potential of leasing out zero-day vulnerabilities". 16 November 2021. Archived from the original on 2021-11-23.
^"New type of cloud: Exploits as a Service (EaaS)". 2021-01-19. Archived from the original on 2021-01-19. Retrieved 2023-08-11.
^"Zero-day Flaws and Exploit-as-a-Service Trending Among Ransomware Groups | Cyware Alerts - Hacker News". 2021-12-01. Archived from the original on 2021-12-01. Retrieved 2023-08-11.
^"Zero-day Flaws and Exploit-as-a-Service Trending Among Ransomware Groups | Cyware Alerts - Hacker News". 2021-12-01. Archived from the original on 2021-12-01. Retrieved 2023-08-11.
^"What is hacking as a service (HaaS)? - Definition from WhatIs.com". whatis.techtarget.com. Archived from the original on 11 August 2021. Retrieved 13 January 2022.
^"Exploit-as-a-service: Cybercriminals exploring potential of leasing out zero-day vulnerabilities". 16 November 2021. Archived from the original on 2021-11-23.
^"What is hacking as a service (HaaS)? - Definition from WhatIs.com". 2021-08-11. Archived from the original on 2021-08-11. Retrieved 2023-08-11.
^"Exploit-as-a-service: Cybercriminals exploring potential of leasing out zero-day vulnerabilities". 16 November 2021. Archived from the original on 2021-11-23.
^"Lincolnshire boy has £2m of cryptocurrency seized by police - BBC News". 2021-11-29. Archived from the original on 2021-11-29. Retrieved 2023-08-11.
^"Met police seize nearly £180m of bitcoin in money laundering investigation | Bitcoin | The Guardian". TheGuardian.com. 2021-10-21. Archived from the original on 2021-10-21. Retrieved 2023-08-11.
^"Exploit-as-a-service: Cybercriminals exploring potential of leasing out zero-day vulnerabilities". 16 November 2021. Archived from the original on 2021-11-23.
^"New criminal tactics: exploit-as-a-service and buying zero-day flaws". 2021-11-17. Archived from the original on 2021-11-17. Retrieved 2023-08-11.
and 20 Related for: Exploit as a service information
system, and aservice contract which can deliver value to a business by providing reliable power more economically. Exploitasaservice (EaaS) is a scheme...
written in PHP. Exploit kits are often sold on the black market, both as standalone kits, and asaservice. Some of the first exploit kits were WebAttacker...
an exploit is the use of a bug or glitch, or use elements of a game system in a manner not intended by the game's designers, in a way that gives a substantial...
Exploitation is a concept defined as, in its broadest sense, one agent taking unfair advantage of another agent. When applying this to labour (or labor)...
Exploiting the behavior of a buffer overflow is a well-known security exploit. On many systems, the memory layout of a program, or the system asa whole...
known asExploits Valley Air Services or EVAS, is a Canadian aviation services company, based in Gander, Newfoundland and Labrador. It provides a variety...
conferred on individuals who have recorded outstanding and brave exploits in combat, combat service, training, force building, consolidation of the all-people...
humans exploit is subsoil minerals, such as precious metals, mainly used to produce industrial commodities. Intensive agriculture is an example of a mode...
other than 32 bit x86 (such as MIPS, PowerPC, Alpha, Itanium and x86_64) required return-oriented programming to exploit because those architectures had...
Secret Intelligence Service (SIS), commonly known as MI6 (Military Intelligence, Section 6), is the foreign intelligence service of the United Kingdom...
Scores are calculated based on a formula that depends on several metrics that approximate ease and impact of an exploit. Scores range from 0 to 10, with...
EternalBlue is computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that...
A heap overflow, heap overrun, or heap smashing is a type of buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different...
and Mexico, has been identified asa leading hotspot of child sexual exploitation. Paedophiles, in particular, exploit the lax laws of the country and...
country at large, there has been opposition to political exploitation of what was seen asa day of mourning. One controversy occurred in 1960 with the...
Also, the Secret Service investigates missing and exploited children and is a partner of the National Center for Missing & Exploited Children (NCMEC)...
Fan service (ファンサービス, fan sābisu), fanservice or service cut (サービスカット, sābisu katto) is material in a work of fiction or in a fictional series that is...
and publish it in real-time, using Web service APIs" (from Data asaService) where the KaaS is able to exploit context - both the context of the user...