Zero Days of Underground: A Zero-sum game

29 Jan 2022 - br0wnboi


An exploitable vulnerability that a software provider is unaware of and for which no patch has been developed is known as a ‘zero day’.

These flaws are typically caused by misconfiguration or programming errors. The vulnerability will remain unpatched for as long as the vendor is unaware of it. Trading software exploits between hackers has a long history, and it has grown more interesting as criminal groups have increasingly leveraged such exploits for their own financial gain. Some security researchers regard selling zero-day exploits as an allegedly “legal source of revenue”.

Stuxnet, Log4j, Operation Aurora, the OPM hack, WannaCry, and NotPetya are just a few of the high-profile attacks that have used zero-day flaws. The vulnerabilities in the latter two examples had already been patched, yet the attacks still caused significant harm, proving the usefulness of zero days even after disclosure and patching. The FBI likewise employs zero days and has a policy in place regarding their use. The NSA (National Security Agency) has reportedly purchased a zero day to access the phone of the San Bernardino gunman, as well as using one to identify individuals downloading child pornography over ‘Tor’. As a result, zero days appear to be in high demand by governments, criminals, and businesses alike.

How do you know the value of a zero day? A zero day’s worth is essentially determined by two factors: scarcity and secrecy. It is difficult to accurately estimate the number of zero days in existence, especially when new software is released every day. The confidentiality of a zero day is the second aspect that determines its worth: an exploit has value precisely because software vendors and antivirus systems are unaware of it. Zero days, however, have an ‘expiration date’, because vendors periodically upgrade their software, and the longer an exploit is used ‘in the wild’, the more likely it is to be detected.

Two other considerations also affect this valuation: the length of time a zero day can be exploited before it is discovered (its lifetime) and the probability that someone else will independently find and exploit it (the rediscovery rate).

From the NSA’s perspective, rediscovery by a Western security researcher is inconvenient as it means the exploit will get patched.

Yet rediscovery by a Chinese government hacker could put American systems at risk without the NSA’s knowledge. Whether the rediscoverer is a friend or foe can make all the difference. A very recent example of this is the “Log4j” vulnerability, found by researcher Chen Zhaojun of Alibaba Cloud, which had a global impact affecting nearly all systems in one way or another and sent security teams into overdrive as systems were exploited and patched overnight. Right after the bug was made public, ‘Alibaba Cloud’ faced backlash from the Chinese government because it reported the Log4j vulnerability to Apache before submitting it to China’s Ministry of Industry and Information Technology (MIIT). The Cyber Security Administration of the MIIT suspended its information-sharing partnership with Alibaba Cloud for six months, specifically citing the failure to report Log4j as the reason. One can only imagine what China would have done had it received the exploit firsthand, given its major security implications. This case clearly highlights the dilemma a security researcher faces when reporting a bug.

The Marketplace for 0-days

There are three types of hats in hacking, and there are correspondingly different shades of markets for these exploits, labelled after the metaphorical hats. Some may question the ethics and consequences of this practice; the issues get considerably more complicated when vulnerabilities are purchased by parties other than the software’s makers, and more complicated still when the buyers’ interests are best served by the vulnerabilities remaining unpatched.

The White Market

There are three ways for researchers to monetize their findings on the white market.

First, disclosure to the original author for free or for non-monetary rewards. Second, companies may run their own bug bounty programme, paying directly for vulnerabilities. Third, researchers and organisations alike can use platforms such as HackerOne, Bugcrowd, Intigriti and others, through which organisations reward interested researchers for finding bugs in their software products.

It now appears that the white market is the reason the number of reported 0-days has been increasing, by the simple rule of supply and demand: more and more companies participate in bug bounty programmes for their security, and more hackers become interested in finding bugs and receiving monetary rewards. It would be reasonable to expect that the most severe bugs would be rewarded significantly more than the others, simply because of their potential for damage and their security implications, but this appears to be rare, as prices in the white market are mostly skewed towards the low end, with only a few exceptions.

The Grey Market

Several governments are known to have purchased zero days on the black market for use in espionage and monitoring. The United States, the United Kingdom, Israel, Russia, China, India, North Korea, and other countries in the Middle East are among them. As national cyber capabilities improve, it is likely that this list will continue to grow. The US Navy and the Israeli Ministry of Defence are reported to have contracted for zero days, with the NSA spending over $25 million on zero days alone in 2013.

This market is unbalanced by design. Supply is far more difficult to assess: because of the trade’s exclusivity, no data comparable to the figures cited for the white market could be uncovered.

The business Zerodium, formerly Vupen - a known NSA supplier - stands out as one that is not hesitant about touting its bounties and its relationships with various intelligence organisations. According to its website, it supplies ‘zero-day intelligence, including sophisticated exploits, along with protective measures’ to clients defined as primarily government organisations. For ‘extraordinary exploits’, the company’s public price list ranges from $10,000 to $1.5 million and up. The business offered $1 million for a Tor zero-day exploit in 2017, stating plainly that it intended to sell it to the US government. Last year, Zerodium advertised a $1 million bounty for an exploit that allowed anyone to remotely access an iPhone. Later, the corporation announced the winner: an unnamed hacking group. Governments can even pay a premium to Zerodium to obtain exclusive rights to a hacking method, but the business claims that this is uncommon. According to Zerodium’s CEO, the company is selective in who it conducts business with, only accepting funds from “big enterprises and government organisations from Western countries”.