Zero-Day Markets: Inside the Shadow Economy of Exploits
by XCM (xcm@tuta.io)
Zero-day. A term that occasionally finds its way into the news and blog articles, usually preceded by a cascade of security patches.
What is a zero-day? In essence, it is a software bug that can lead to some level of compromise. What makes a zero-day special is that the bug is unknown to the software vendor, most likely to all of its customers, and, occasionally, to everyone else on the planet. Why is this a significant advantage, you might ask? Because it's a unique weapon. It's the only known copy of a key that could get you into many systems, wherever that particular vulnerable software runs.
As you can imagine, this can translate to tremendous power. A power that many are willing to pay a mountain of cash for.
But let's not get ahead of ourselves. How are zero-days discovered to begin with? Well, it varies.
Sometimes it's pure accident. Imagine a researcher poking around at a web application (with permission!), and they realize they can manipulate an HTTP parameter to run system-level commands on the web server. This would be classified as a Remote Code Execution (RCE) vulnerability. If no such bug has been reported, jackpot: they are the lucky owner of a zero-day. And I say lucky because zero-days are not something most researchers often come across.
Of course, these precious vulnerabilities are also specifically hunted and can be the result of bug bounty campaigns, where vendors encourage hackers to find and report vulnerabilities. So what does our researcher do with the knowledge at their disposal? It depends on who they are and how they have come across the vulnerability. If they are an independent researcher, they should immediately contact the software vendor and allow them time to release security patches before writing that blog article about how they have found the zero-day. This is to ensure that the clients of the software company are not at risk.
Now, imagine our researcher is instead working for some government, either directly or via a third-party contractor, and they are in possession of a new, shiny exploit for a vulnerability nobody knows about. In this case, the knowledge would most likely become the property of the employer and be guarded jealously for future use. To do what? To craft cyber weapons with which to attack their foes, of course.
Do you remember Stuxnet, the malware used to cripple Iran's uranium enrichment efforts? It used four zero-days:
- LNK Vulnerability (CVE-2010-2568): Allowed malicious code to execute when a specially crafted shortcut icon was displayed, even without user interaction.
- Print Spooler Vulnerability (CVE-2010-2729): Enabled remote code execution by exploiting the print spooler service, allowing the worm to spread across networked computers.
- Privilege Escalation Vulnerabilities (CVE-2010-2743 and CVE-2010-3888): Allowed the malware to gain higher privileges on infected machines, making it easier to access protected areas and spread further within targeted networks.
This is a significant effort because exploitation at this level against a state can effectively be performed only once. Once done, someone at the receiving end will reverse engineer the payload used to exploit the vulnerability, and the bug will become known to the defenders, which will, in turn, trigger software patches or IPS/XDR signatures and render the exploit code harmless. Using four of these in one go denotes a huge investment in resources and money and highlights an unshakable commitment. This led to the understanding that Stuxnet was created by a state actor (it is now assumed to be a U.S.-Israel collaboration).
But let's not digress. What if you do not have enough zero-days to craft the cyber weapon you are dreaming about, and the researchers that work for you have not found the bugs that you really need? You might be able to buy the exploits you are missing, of course.
This is a summary of what we know and what we suspect about the options available in the zero-day market:
Private Brokers: Brokers are the middlemen in the gray market. They usually have insider connections, probably some ex-hacker cred, and they only work with "trusted" clients such as governments, defense contractors, and sometimes large corporations. They offer exclusive and high-quality exploits, often priced in the hundreds of thousands to millions of dollars. Brokers handle deals with discretion; it's all about exclusivity. [1]
Dark Web Marketplaces: The black market marketplaces of the dark web are not just about drugs and weapons. It is also where actors gather to buy and sell exploits. But here's the problem: you're dealing with an online flea market of dubious quality. Some zero-days sold on the dark web are as good as junk, and scams are rampant. You're just as likely to pay a fortune for an "exclusive" exploit that's already been sold to 50 other people. [2]
Legit Markets: The good guys aren't completely out of the game. Big companies like Google or Microsoft run bug bounty programs, paying out money for zero-days. Platforms like HackerOne and Bugcrowd give hackers/researchers a legitimate place to sell their finds. But let's be real: these markets pay peanuts compared to black market prices. Additionally, there might not be any bug bounty for the specific exploit you came up with. [3]
Exploit Broker Platforms: Platforms like Zerodium and Crowdfense are like the high-end boutiques of the zero-day market. They buy premium, high-value exploits from independent researchers and then resell them to carefully vetted government and defense clients. Unlike the sketchy dark web markets, these platforms are legitimate operations. They follow the law, which is good news if you're a researcher hoping to cash in without needing a secret identity. These platforms don't compromise on quality either. They vet every exploit thoroughly, and they usually only sell to "friendly" governments (as far as we know, and depending on who's friendly for you). [4]
The Researcher's Ethical Conundrum
Returning to our hypothetical independent researcher with knowledge of a novel exploit technique for, say, Apple iOS: imagine they found a way to achieve a full, persistent compromise with no interaction from the user. Our fellow hacker faces an important decision with two realistic options:
- They do not know any brokers and wish to avoid the black market, so they could realistically sell to Zerodium. At the time of writing, this type of zero-day could fetch up to two million dollars.
- They might instead decide to contact Apple's Product Security Incident Response Team (PSIRT) and disclose the finding. In this case, they might receive a pat on the back, a sticker of a half-eaten fruit, a shy acknowledgment in the small print of a security bulletin, or, if they are lucky, a symbolic prize in money.
If you have followed this far, the conundrum will be clear. If our researcher does the right thing to protect the millions of iPhone users in the world, they will receive little or no monetary recognition but will walk away with a clean conscience, knowing they have literally made the world a better place.
On the other hand, should they decide to sell, they may find themselves pondering, most likely during sleepless nights or while choking on caviar, about those dissidents in some oppressive regime who have been incarcerated thanks to some monitoring malware enabled by the very exploit the researcher sold.
What would you do?
References
- [1] Dellago, M., Simpson, A. C., & Woods, D. W. Exploit Brokers and Offensive Cyber Operations. The Cyber Defense Review, 7(3).
- [2] SOC Radar: Top 10 Dark Web Markets.
- [3] HackerOne: Trusted Security Platform and Hacker Program.
- [4] Zerodium: The Premium Exploit Acquisition Platform.