The dark web is rife with activities of various kinds. In May, a hacker listed a Windows zero-day vulnerability for sale for $95,000 (£66,640). However, security researchers have now uncovered that the hacker has been forced to lower the price after failing to secure buyers on the dark web.
According to cybersecurity firm Trustware, which has been tracking the exploit's price since it was first listed for sale, this is the second time that the hacker behind the listing has been forced to resort to a price cut in an effort to attract buyers.
When it was first put up for sale, the zero-day vulnerability was said to give cybercriminals administrative control over every Windows device, ranging from Windows 2000 to a fully upgraded version of Windows 10. Security researchers believed the exploit may have been legitimate.
"The seller once again lowered their price on the 6th of June to $85,000USD. This means that the exploit hasn't sold yet and seller may be having problems finding a buyer," said Trustware.
However, the recent price cuts may be indicative of some foul play. Trustware noted that despite "indications that the offer is authentic", there currently seems to be no way to confirm the legitimacy of the zero-day vulnerability "with absolute certainty without taking the risk of purchasing the exploit or waiting for it to appear in the wild". Trustware has cautioned that the LPE (Local Privilege Escalation) exploit could be highly effective in helping hackers execute attacks, if proved authentic.
Commenting on the price of the exploit, Trustware said: "Even though the price of the zero day was lowered 12 days after the initial post, it was only lowered a mere 5.3% from 95K to 90K. Based on this and the prices we know about, the price here seems on the high end but still within a realistic price range, especially considering the return on investment criminals are likely to make using this exploit in any campaign."
Exploit vendor Zerodium disclosed a list of zero-day prices in November 2015, which shows that Windows zero-day LPEs are generally valued at $30,000. This indicates that the issue with the price drop may have more to do with overpricing than with the legitimacy of the product.