Zero-day Market: How Zero-Day Vulnerabilities Became the Most Valuable Commodity on the Darknet

Who trades in tools capable of crippling entire states, why, and how?

Have you ever wondered what it's like to be a hacker? In movies and TV shows we usually see a hooded man hammering at a keyboard until a torrent of numbers and symbols scrolls across the screen and a secure network falls. In the real world, things work rather differently.

In reality, bypassing the layers of protection around a large, well-defended organization and turning that into a successful breach takes a great deal of time and effort.

Even so, hackers have a trick up their sleeve that spares them months of hunting for a flaw in corporate systems: they can buy a ready-made exploit for a particular zero-day vulnerability, together with information about which companies' systems it can be used against.

In this article we will talk about the so-called "zero-day market", where top-tier hackers trade such tools and data with each other for fabulous sums, tools that can dramatically simplify and speed up the process of breaking into a company's network.

What are Zero-day vulnerabilities?
Zero-day vulnerabilities are flaws in software products or systems for which the vendor has not yet shipped a patch, either because the vendor does not know about the flaw at all or because it learned of it so recently that it has not had time to fix it. The name refers to the vendor having had "zero days" to respond before the flaw is exploited.

Even a window of only a few days during which an unpatched vulnerability is being exploited can be enough for attackers to accomplish everything they planned, with catastrophic consequences for the corporate sector or for critical infrastructure.

Finding a truly useful zero-day, one that can be exploited reliably and without enormous additional effort, can take professional hackers months or even years, which is why such bugs are so valuable on the dark market. We recently wrote about an exploit for one such vulnerability being offered on the hacker forum Breached for $1.7 million.

How did hackers learn to make money on Zero-day vulnerabilities?
For a long time, tech enthusiasts had little financial interest in hunting for bugs. In the early days, when they found a zero-day, they would simply report it to the software's developer and ask for it to be fixed. There was hardly ever a reward for this, and the finder could count himself lucky if he was not accused of hacking in return.

Over time, however, attitudes towards cybersecurity underwent a significant metamorphosis, and security became far more important both to companies and to the attackers themselves. Today, for example, corporations pay significant sums to white hat hackers for the responsible disclosure of vulnerabilities.
</gre_replace>
<gr_replace lines="34" cat="clarify" orig="Realizing the importance">
Realizing the importance and value of these digital resources, hackers with less honest motives eventually formed a dark market of their own, which quickly grew to incredible proportions.

Realizing the importance and value of such digital resources, malicious hackers with selfish motives eventually formed a dark market that quickly grew to incredible proportions.

Then came the intermediaries: zero-day brokers and other characters who specialize in supplying cybercriminals with the information and tools they need for a generous fee, and who even guarantee the reliability of the exploits they sell. They test everything carefully and vouch that the software they offer works as advertised.

How much do zero-day vulnerabilities cost?
According to the published payout table of Zerodium, a company that buys zero-day vulnerabilities and exploits from researchers and hackers and resells them to government customers, a high-quality bug that, for example, bypasses the passcode or PIN of a smartphone currently fetches around $100,000. A comparable bug that gives access to chat applications, a web browser, or email is valued at up to $500,000.

Zero-day bugs that give access to someone's mobile device without any user interaction (so-called zero-click exploits) can fetch anywhere from $2 million to $2.5 million. Such astronomical sums are explained by the potential impact of successful exploitation: if a bug affects literally every owner of a brand new iPhone, the scale of the operation it enables is frightening to imagine.

Government agents
The buyers of such vulnerabilities are often governments, which gain the ability to hack the smartphones of particularly dangerous criminals and other persons who threaten national security without having to beg companies like Apple and Google for help with an investigation. Those companies, incidentally, cannot always help the police even when they want to, since they themselves may not have that level of access to a user's device.

"Some zero days are harmless. You find a bug in the code, but it can be found in a system that is not very widely used, or only by some highly specialized audience. Such systems are of little interest to hackers, so they usually don't spend their time on them," explains New York Times journalist Nicole Perlroth. "The systems that hackers and governments are really focusing on right now are iOS, Android, and critical infrastructure."

For example, the cost of campaigns like the recent high-profile Operation Triangulation, which Russia's FSB attributed to American intelligence agencies and which chained four iPhone zero-days at once, is still unknown. It must have cost the United States an astronomical amount, unless all of these vulnerabilities were discovered in-house by the agencies' own staff.

An example of a fabulous price tag for an exploit comes from the broker Operation Zero, which in September 2023 offered $20 million for a working full attack chain. By that yardstick, a chain like the one used in Operation Triangulation could cost an intelligence service at least $20 million if the exploits were bought from outside hackers rather than developed in-house.

Zero-days bought at such prices can easily give their owners access to desktop computers, industrial controllers, and the networks that underpin factories, military bases, or entire cities.

Examples of zero days in the "wild"
The Stuxnet malware, uncovered in 2010, was one of the most advanced pieces of malicious software ever seen. Exploiting four Windows zero-days at once, it was used to penetrate Iran's uranium-enrichment facility at Natanz and then sabotage its centrifuges.

The NotPetya malware of 2017 caused one of the most devastating cyberattacks ever recorded. Strictly speaking, it did not rely on a zero-day: its main spreading mechanism was the EternalBlue exploit for a Windows SMB vulnerability (MS17-010) that Microsoft had patched a few months earlier but that remained unpatched on a huge number of machines, combined with stolen credentials. That was enough to paralyze much of Ukraine and cause billions of dollars in damage to international companies in a matter of days, and it shows that an exploit for a widely unpatched flaw can be nearly as destructive as a true zero-day.

It is therefore quite appropriate to compare critical zero-day vulnerabilities to weapons of mass destruction, or to the material from which such weapons can be built.

Typically, only the world's governments have both the funds to buy such collections of zero-days and the staff to use them. With the right set of vulnerabilities, a state can, in effect, wage cyber war against rival governments and even against its own citizens.

Conclusion
The zero-day market is a vast, multi-level structure with a huge number of actors pursuing their own interests. Although large companies do everything they can to minimize the malicious use of such vulnerabilities, offering researchers generous rewards for the bugs they find, some of those bugs still end up on the black market, where they are bought by large players for fabulous sums.

This dirty game often involves world governments actively investing in this business and hiding data from the public. They pay hackers for silence and use zero-day vulnerabilities for espionage and cyberwarfare.

The uncontrolled spread and use of such vulnerabilities can lead to catastrophic consequences, ranging from leakage of confidential data to disruption of the critical infrastructure of entire states.

To combat this threat, international cooperation in cybersecurity needs to be strengthened, harsher penalties introduced for zero-day traders, and white hat hackers given stronger incentives to report the vulnerabilities they discover directly to the software developers.

Only a comprehensive approach that combines the efforts of governments, large companies and security researchers will make it possible to establish a strong barrier to prevent the spread of zero-day vulnerabilities, as well as to minimize the risks associated with their malicious exploitation.