Governments pay millions for 0days: more harm than good?
Governments are buying zero-day (0day) exploits for millions of dollars. What are they doing with them? They are supposed to make us safer but is that the case?
Every day, an email or a notification pops up saying we need to update our browser or operating system, often meaning that a vulnerability was fixed and a particular update will make us safer.
However, many exploits go unreported, as Infosecurity researchers sell them to the highest bidder - often a private company claiming to be working with democracies and helping them serve a national security or law enforcement need.
Many ethical hackers participate in bug bounty programs by reporting the vulnerabilities they find in the systems to particular companies. Some researchers, mainly looking for bigger bucks, sell them to exploit acquisition platforms, such as Zerodium, which pays up to $2.5 million for an exploit.
Zerodium is only an intermediary - it further sells these exploits to governments that supposedly use them to serve national security purposes or law enforcement needs. It also means that a particular exploit goes unreported to the responsible company, leaving its clients and users vulnerable to attack.
Zerodium recently announced it is looking to acquire exploits for three highly rated and popular virtual private network (VPN) service providers - NordVPN, ExpressVPN, and Surfshark. Now, you don’t hear such news every day. CyberNews sat down with four experts to discuss just how big this shadow 0day exploit market is.
"Zerodium customers are government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities. At Zerodium, we take ethics very seriously, and we choose our customers very carefully through a very strict due diligence and vetting process. Access to acquired zero-day research is highly restricted and is limited to a very small number of government clients," Zerodium's website reads.
The company does not specify what its vetting procedure is or what it means by ethics, which raises concerns among cybersecurity experts.
"It's so ambiguous and wishy-washy. You can't take that at face value," Jonathan S. Weissman, a cybersecurity professor at Rochester Institute of Technology (RIT), told CyberNews. He is suspicious about governments and other organizations that buy these exploits from Zerodium. Even more worrying, he said, is that any entity sitting on a stockpile of exploits becomes a high-value target itself.
"What happened with WannaCry? Its exploit was stolen from the United States government. It was stolen from the NSA. So even if they buy them and they house them, they could still be exploited in the wild by the black hat camp," he said.
WannaCry ransomware spread itself using the EternalBlue exploit, initially developed by the National Security Agency (NSA). It's estimated that WannaCry caused around $5 billion in damage.
By the way, in 2014, the Obama administration ordered the NSA to disclose the security flaws it discovers in computer systems in most cases, but to keep those flaws secret when they can be used to serve "a clear national security or law enforcement need." WannaCry is an excellent example of what can happen when an institution hoards zero-days.
In 2018, TechRepublic pointed out that a mass of startups has entered the market of selling vulnerabilities. Many of them have poor security, which means that when they get hacked, the data of investigation targets will also get leaked.
"It's definitely a risk because these shops have very powerful capabilities on hand, and just that alone makes them a target, and it's a risk," Joe Cortese, R&D director at US-based cybersecurity and compliance company A-LIGN, told CyberNews.
Why do governments need exploits?
Weissman believes that in such cases where exploit platforms announce they are looking for particular exploits, they already have a deal with a client.
"They've got to have a customer waiting for them," he said when asked why Zerodium publicly announced it is looking for exploits for VPN providers. "The government came to them and said, 'we think there's going to be some covert communications going on with VPNs that could threaten national security; we have to get on these VPN conversations, can you help us out?' I think that was why Zerodium tweeted that out last month."
According to him, zero-day exploits have a short shelf life when used. Governments have been known to successfully stockpile zero-day exploits for many years, even with the possibility for the same vulnerability to be discovered by another researcher and reported to the company to patch it. However, once you use the exploit, it could be detected rather quickly.
Cortese said some exploits had been floating around for years, and they didn't necessarily get discovered after five or six months.
"Either people are not looking as deeply as we might like, or they are not looking at the correct component," he said. But as soon as you use it, there's a possibility that it will be detected and patched. Therefore, agencies that use them have to pick their targets carefully. Otherwise, the exploit will quickly lose its value.
What do governments need these pricey exploits that can have a very short shelf life for?
"The exploit is just the surface. Sometimes there's a certain group with a goal in mind, and they can get closer to that goal by using that exploit, or that exploit is the missing piece to their puzzle. There's a big market for this, and people are willing to pay a lot of money for this," Cortese explained.
If we are talking about VPNs, we have to look at what people are using VPNs for. If people use VPNs to stay anonymous and hide whatever they are doing, exploits could help decloak somebody and help snoop into what's going on.
Weissman said the main reason why governments are either buying or developing exploits is to intercept communications from adversaries. Security services could be looking into what rival states are planning and using that information, let's say, to prevent a terrorist attack. Law enforcement could use it to intercept criminals' communication. And we know crooks love VPNs, too. Last December, Europol and law enforcement agencies from around the world took down Safe-Inet.
Active for over a decade, Safe-Inet was being used by some of the world's biggest cybercriminals, such as the operators responsible for ransomware, E-skimming breaches, and other forms of serious cybercrime.
This VPN service was sold at a high price to the criminal underworld as one of the best tools to avoid law enforcement interception, offering up to 5 layers of anonymous VPN connections.
"Law enforcement or intelligence organizations may use these exploits to catch criminals or national security threats by exploiting their devices as the threat uses the anonymity of the VPN solution to commit crimes or terrorist acts," Keatron Evans, Principal Security Researcher at Infosec Institute, told CyberNews.
He added that someone using a VPN to do something malicious might be operating with a false sense of security if law enforcement or intelligence organizations have exploits that allow that agency to infiltrate the criminal's VPN software and access their data without them knowing.
"This opens the possibility for several types of operations against many different malicious groups. We've been exploiting things such as smart TVs for years as criminals use them to communicate and covertly do other things. This is just another variation of that same ideology," Evans said.
It seems like it's for the greater good, doesn't it? "The beauty is in the eye of the beholder," Cortese believes. These exploits can be used for good and for bad. But even if the carefully-vetted customer vows it has the best intentions in mind, how can you know for sure it's true?
We can only speculate on the goals, but experts agree on one thing - the 0day market is massive.
The size of the market
Zerodium is assumed to be the highest bidder in the exploit market. It pays up to $2.5 million for a 0day. Now, as it's only an intermediary, it sells these vulnerabilities further, meaning that it has to add a profit margin on top.
"It's massive, and you can see that by the amount of money that people are buying zero-day exploits are willing to pay. They [exploit platforms] are willing to pay $1.5 million for a full kill chain on an Android application. And they are not just buying it and keeping it to themselves. They are selling it to someone willing to pay 3 million," Callum Duncan, director of Sencode, told CyberNews.
Besides legal exploit trading platforms, there's a whole dark market to purchase these vulnerabilities. "It is extremely hard to know how large the market is, but when you look at the amount of money that's floating around, you can definitely get an idea," he added.
And it's not like a government can buy only one exploit and use it for ages. Because of their short shelf life, they need to keep developing or buying 0days to serve the "national interest." If you are going after a high-value target, you are aware of the risk that your exploit can burn. And you also need to have the continuous inflow of exploits if you want to keep going after your target, Duncan said.
"You pay low, and you sell high. These are organizations and governments that can easily afford it," Weissman said.
Exploit trading platforms are competing with bug bounty programs so that a researcher would be willing to sell the exploit to them rather than report it to the company.
"A big difference between Zerodium and other companies, let's say, the regular bug bounty programs, is that bug bounty programs have a wide variety of what they will accept and pay for. And it's usually much smaller fees. Zerodium says, 'I don't care about any of the small stuff.' And as a result, they pay much more than any other system out there, which is worthwhile researchers' time to find and develop zero-days. So, if you are a researcher, do you take it to the actual manufacturer and make X, or take it to Zerodium, and maybe make 2X? If you take it to the manufacturer, it gets fixed. But if you take it to Zerodium, that's not going to happen. It's going to be in the hands of governments and rival nation-states most probably," Weissman explained.
Can you become rich by selling exploits?
Exploits are not like other products that you can craft and put on the market. Our interviewees pointed out that an exploit may be used only a limited number of times before technology catches up or someone notices it. Therefore, exploits are being developed constantly.
"I know that these exploit shops do look to get the source code, all of the details around the exploit so they can further develop it and they can change it. It is an evolving process," Cortese said.
Researchers who submit 0days to exploit platforms rather than report them to the companies tend to be regulars. Cortese called them exploit artists.
"It is a niche, and it's difficult; you have to understand specific information about systems. You have to love this work, or you will not be good at it. It's not easy to defy a system in a way it was designed to create an exploit," he said. Cortese used to develop exploits himself. And even though he couldn't go into more detail on his experience, he confirmed it's hard work. You can earn millions of dollars if you are outstanding. At the same time, it's not that simple, as this market is in a grey area.
"How strange it would be if the government found that you accepted a million dollars in your bank account. Wouldn't they wonder where it came from? A lot of these exploit artists accept cryptocurrency," he said.
Zerodium, for example, offers payment in Bitcoin, Monero, and Zcash, though it claims it usually pays researchers through international bank transfers.
"You can make good money doing this. I don't think that there's a ton of people doing this. Again, I think Zerodium did say that they have an estimated number of researchers, somewhere within one to two thousand. I think it's less. I think the hackers that maybe come a second or third time are not going to use the same mail that they did last time; they are not going to accept the same payment that they did last time," he said.
Why are researchers crafting exploits trying to stay anonymous? Well, while ethical hacking is not illegal, the exploit market is somewhat of a grey area. If you found a vulnerability, why didn't you report it to the responsible developer?
"Any criminal charge boils down to intent. It is your certain intent that makes something a severe crime or no crime at all. (...) If a person goes to Apple after their findings and says, hey, this is what I found, I want to give it to you so you can close this hole. That sounds like a security researcher doing something for good. And again, I'm not saying that people who submit to Zerodium are doing bad things, but I'm also not saying that they are doing things well," he said.