Threat Research

Zero Day Risks and the Return of Hacking Team

By Anthony Giandomenico and Val Saengphaibul | April 24, 2018

There are basically two kinds of threats organizations and users face today: the ones that security vendors and threat researchers know about, and those they don’t. The ones we know about get vendor patches, signatures are updated across a variety of security tools in order to detect them, and behaviors are documented in order to detect and disrupt the more sophisticated ones. People who are affected by these sorts of attacks usually either don’t have the right security tools deployed in the right places, or they aren’t practicing adequate cyber hygiene

Zero Dayexploits are the ones we don’t know about yet. All traffic in a network falls into one of three categories: known good traffic (such as IT-approved applications) that we permit to move across the network in approved ways, known bad traffic (the stuff detected by traditional security tools) that we block, and unknown traffic, (which is usually the majority of traffic on a network) that we ought to be keeping an eye on, but which in reality we hardly ever do. Zero day exploits fall into this latter category, which means they can be used to successfully attack those systems that over rely on signature-based security and patching.

Fifteen or so years ago, zero days were hard to come by. Threat researchers certainly never saw zero day exploits circulating through the cyber crime ecosystem. Malicious adversaries kept them close to the vest, and only used them for specific targeted attacks. Many tended to be owned by nation state actors and highly skilled individuals for things like cyber surveillance, data interception, and the monitoring of electronic communications. So, unless you worked for a cyber espionage agency or criminal enterprise, being a zero day exploit creator was a hard way to make a living. 

Zero Day Exploits on the Rise

Fast-forward to today, and things have changed dramatically. Some skilled zero day researchers now earn significant money, and have a variety of mature markets they can sell their skills and research to. These include:

White Hat Markets: There are a number of bug bounty programs that will pay for good research. In addition to generic ones, such as GitHub or BugCrowd, a growing number of vendors, including big names such as Apple, Microsoft, and Facebook, and even government agencies such as the Pentagon, now offer bounties to researchers who can detect and document bugs and system flaws. Some programs pay out as much as $200,000+ for an especially good exploit. 

In addition, legitimate threat research companies offer zero-day feeds to their customers, which, of course, they don’t make public. That’s because a zero day has a very short self-life once it’s exposed, which also dictates the price.  At the same time, an interested party, such as a surveillance company or government, will pay top dollar for an exploit but they want the exclusive rights to it. They don’t want someone else gaining access to it, because if they do the value of the service they provide diminishes dramatically. 

Grey Hat Markets:  In addition to the vendor programs and legitimate companies that offer Zero Day bounties, there are also “Zero Day Brokers” that will buy your zero day research for their customers. However, these brokers keep the buyer and seller’s identities anonymous. While this can sometimes be a good thing, there is also the possibility that the buyer is a hostile nation state, an authoritarian government, a cyber criminal enterprise, or even a terrorist group. The seller has no control over what the end purchaser will do with that exploit, and needs to accept the possibility that in addition to it being used to make a product or systems safer, it could also be used in a nefarious way that could cause harm to others.

Black Hat Black Markets:  Of course, if you have no scruples, then you can always sell your exploits to the black market. In this growing marketplace, it’s inevitable that some of these zero day exploits will be exposed to the masses. Which is part of the reason why threat researchers have been able to confirm that that the creation and distribution of zero days by cybercriminals is on the rise.

Some are Built, but Many are Stolen

While some of these exploits are home grown or bought from independent researchers, a growing number of them have been stolen from professional organizations. A recent example is from the group known as Shadow Brokers, which infamously compromised a cache of zero days that they claim were owned by the NSA. Many threat actors use one of these exploits, known as Eternal Blue, to spread their threats faster. A famous is the Wannacry attack, and it is now showing up in the new Wannamine exploit, which is a crypto-jacking threat.  

The Return of Hacking Team

Another great example of this was the cyber surveillance company known as Hacking Team. They were a legitimate company out of Italy selling surveillance software to law enforcement and governments. Their flagship software tool, known as the Remote Control System (RCS), used zero day exploits to extract files from a targeted device, intercept emails and instant messaging, and even remotely activate a device’s webcam and microphone. Ironically, the company was breached in 2015, and many of their zero days were leaked to the cybercrime eco-system. Within days, we saw these exploits popping up in the wild.  

Interestingly, after the Hacking Team was compromised we did not hear much from them, and it was assumed that they had gone out of business. But now it seems as though they have put the band back together, and are selling their zero day-based wares under another name. Threat researchers recently identified samples newly compiled versions of the Hacking Team’s original spyware that can be traced back to a single organization, with signed digital certificates issued to the Hacking Team’s original co-founder. Since that time, FortiGuard Labs has discovered an additional 19 unique samples not covered by the ESET report. Like those originally reported, the majority of these samples were protected with VMProtect, which was purposely done to increase the time and effort of reverse engineering in order to thwart analysis.

Stopping Zero Day Attacks Requires an Integrated Solution

Zero day exploits continue to be a challenge for many organizations. Responding to them requires an integrated approach to security that combines traditional protections with ATP (Advanced Threat Protection) solutions that include distributed sensors and advanced behavioral analytics to detect anomalous traffic and applications, sandboxing solutions to detonate and analyze unknown threats, and solutions interconnected through a common security fabric so all deployed security solutions can be simultaneously updated with new threat intelligence, and to coordinate resources to effectively disrupt any zero day exploits detected anywhere along the potential attack chain, from endpoints to the cloud.


The samples discovered by FortiGuard Labs are all detected using the following signatures:










SHA-256                                                                          Metadata


SlimDrivers (


SlimDrivers (


Toolwiz Care


Toolwiz Care


Toolwiz Care


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Advanced SystemCare 9 (


Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.