Two decades ago, arms dealers focused on physical weapons like missiles, guns and ammo. Today’s weapons include the digital kind. Zero-day bugs – information about security flaws in products that vendors have not discovered or patched – can be the keys to the kingdom, getting attackers inside sensitive systems. They are so important to some players that entire markets have developed for trading them online.
Researchers selling their zero-day bugs through these online marketplaces can earn some serious coin, says Stephen Sims, who teaches courses on advanced exploit writing at training company SANS and regularly sells his exploits through various zero-day markets.
The buyers in these markets are typically intermediaries such as boutique intelligence companies around the DC area that will purchase useful security flaws from researchers and then sell them on.
“They are known to buy research from you at a higher price. Their customers are typically government entities or arms of such,” Sims says, noting an ethical trade-off: “Sales to these types of buyers can yield a much higher return, but your research may be used to attack others as opposed to remediation.”
The Rise of the Zero-Day Market
Once you sell the bug, you are not allowed to talk about it with anyone and it could take up to six months to get paid, Sims explains.
Zero-day markets that enable researchers to sell their exploits for more money include Zerodium, the DC-based organization originally founded by French security firm VUPEN. Zerodium, which did not respond to interview requests, took the unusual step of publishing its security flaw price list in 2015. Since then, it has offered bounties including up to $500,000 for bugs in Linux and BSD variants and $1m for Tor browser vulnerabilities. Zerodium exists on the ‘regular’ internet, and its CEO has publically asserted that it only sells the bugs to “major corporations and government organizations from western countries.”
Some companies have stepped away from zero-day markets, warning that they are more difficult to navigate ethically than they were in the past. Adriel Desautels began his career as a zero-day finder by earning $16,000 for his first vulnerability – an MP3 player exploit – in the early 2000s.
He later founded DC-based Netragard to buy and sell these exploits online, but found the market shifting. “The industry wasn’t mature enough and the players became grayer with their ethical boundaries,” he says.
Netragard listed Italian cybersecurity consulting firm The Hacking Team, which evolved into a zero-day broker, as one of its clients. After someone attacked the Hacking Team and posted its secrets online in 2015, Desautels discovered that his client had been providing exploits to governments with oppressive regimes. Netragard apologized in a now-deleted blog post.
When he realized that he couldn’t tell who he was really selling to, Desautels could no longer participate and left the zero-day brokering market altogether. Instead, he focuses on finding bugs for vendors.
“On the black market, it is a free for all and vulnerabilities are often sold multiple times to multiple people and organizations”
A Lack of Regulation
Part of the problem is that these markets are not regulated, warns Lamar Bailey, director of security at Tripwire. “There are no regulations, especially no enforceable ones,” he says. “The closest thing is an NDA that some companies make researchers sign before compensating them for their vulnerability disclosure. On the black market, it is a free for all and vulnerabilities are often sold multiple times to multiple people and organizations.”
Regulation is difficult in a world where the products are digital and marketplaces can pop up in the internet’s darkest corners. The advent of black markets for zero-day attacks is a good example. These markets include 0day.today, TheRealDeal, 0day.in, and L33ter (the latter selling drugs and other illegal items alongside its core line in digital exploits). They are less scrupulous in who they deal with.
Laurie Mercer, solution engineer at crowdsourced bounty company HackerOne, argues that the dark web markets are unreliable. “You very rarely find hacking kits and if you do it’s quite obvious that it’s a rip-off,” he says. “So most of it now is these private groups and forums which are invite only and these secret, protected barriers around them, which is suspicious.”
The secrecy and elitism of the high-end zero-day world makes it even more sensational for the media, but experts argue that the buzz around zero-day exploits is often overblown.
“The actual usage of zero-days is really very rare. Attackers will use the simplest, cheapest tool to get the job done. In most cases, that does not require a zero-day,” says Ian Pratt, president and co-founder of virtual browsing security firm Bromium.
Nevertheless, the right type of flaw can generate significant rewards from the right buyer. A recent Bromium report on the cybercrime economy put an Adobe zero-day vulnerability at $30,000 and a hitherto unfound iOS-busting bug at $250,000.
Nation states invest in these bugs because they can be powerful weapons against high-profile targets, explains Sims. He cites Stuxnet, the malware used in the 2010 cyber-attack against Iran’s nuclear fuel enrichment system, as an example. “Whoever was responsible for it burned four zero-days against one target and they got in and that campaign lasted a while,” he adds.
Stuxnet is a good example of why governments are prepared to invest in zero-day exploits. Collecting them gives intelligence agencies the tools they need to get important targets in those rare instances when a simple commonplace exploit isn’t enough.
The Dangers of Hoarding
Brian Gorenc, director of Trend Micro’s Zero Day Initiative, which buys bugs from researchers, doesn’t agree with governmental bug stockpiling. “There are multiple examples of hoarded bugs ending up in exploit kits or ransomware,” he says. “We believe bug hoarding by any group creates problems. Just because something is not public doesn’t mean you’re the only one who knows about it.”
Perhaps the most famous of those incidents occurred in 2017, when an anonymous team of hackers called the ShadowBrokers claimed to have stolen a collection of exploits from a hoard of NSA vulnerabilities. After failing to secure a buyer, they decided to publish the whole thing online.
Among the goodies was EternalBlue, an exploit that took advantage of a flaw in the Windows implementation in the Server Message Block (SMB), allowing attackers to create a rapidly-spreading worm. This resulted in the WannaCry ransomware, which overwhelmed Western networks and which the White House attributed to North Korea.
EternalBlue has since shown up in cryptojacking software, and researchers have ported three other exploits in the same leaked NSA weapons cahe, EnternalSynergy, EternalRomans and EternalChampion, to other Windows versions.
US legislators have tried to address this issue. One introduced a 2017 bill – the PATCH Act – to strengthen the government’s existing process for deciding whether to disclose zero-days that it finds. It doesn’t seem to have gained much support, though, and more than a year later, the Bill has gone nowhere.
Vendors Need Deeper Pockets
If lawmakers won’t act, perhaps vendors will. They don’t like governments secretly hoarding their exploits. After the NSA hack, Microsoft’s president and chief legal officer Brad Smith criticized the agency, likening the hack to the US army having missiles stolen.
Vendors that are serious about this issue should embrace market economics and dig deeper to reward security researchers, says Desautels. “You incentivize hackers by having vendors offering the same kinds of rewards for a zero-day that they would see in the real world. Vendors can afford it.”
Incentives can happen in several ways. Vendors can pay researchers directly, or they can issue a bug bounty through a crowdsourced bug discovery program, run by companies like HackerOne. These avenues offer peace of mind to researchers who want to know that their zero-day bugs will be used only to fix the affected products rather than attack them.
Bug bounty programs generally don’t pay enough though, argues Sims. “Most of the bounties are on the web app side,” he says, adding that these generate lower payouts.
Mercer says that the average payout from HackerOne is $500, but adds that payouts follow power distribution laws and that there are some bounties for non-web bugs. In July, Intel made the biggest payout so far via HackerOne: $100,000, for processor-related vulnerabilities linked to the first SPECTRE variant. This aligns with Sims’ suggestion that bugs in browser kernels and hardware are the most profitable and the hardest to find.
An alternative route for researchers wanting to sell their zero-day bugs purely for remediation is to offer them to a ‘white’ zero-day market operated by a security vendor. Gorenc’s Zero Day Initiative passes the bugs that it buys onto vendors. The company benefits from seeing those vulnerabilities first and building its own patches before the vendors get around to it. On average, Gorenc claims that Trend Micro can protect its customers 74 days before the vendor issues a patch.
“In just the first half of 2018, we’ve awarded more than $1,000,000 to researchers,” Gorenc says.
Steps Towards Structured Disclosure
Formalizing the rules for disclosing bugs may also help bring some transparency to the process of finding and paying for them by holding vendors more accountable.
In a report on software vulnerability disclosures, EU think tank the Centre for European Policy Studies (CEPS) recommended an effective policy framework for disclosure. One vehicle for this could be the proposed European Cybersecurity Certification Scheme under the European Cybersecurity Act, which would see companies certifying their products against standard cybersecurity measures.
Governments are unlikely to stop buying bugs if researchers keep selling them. After all, unless all governments agreed to do so, those that stopped hoarding bugs would quickly be disadvantaged. The direction of the zero-day market therefore depends on its capacity to reward researchers for selling zero-days to those that won’t weaponize them. Ultimately, that comes down to the vendors’ budgets, and the researchers’ ethical boundaries