New Apple zero-day traded for €2.5m on the dark web, researchers say


Weeks after Apple had released an emergency security update to patch two zero-day exploits, security researchers stumbled upon another zero-day vulnerability.

In August, the technology giant patched two previously unknown vulnerabilities – CVE-2022-32893 and CVE-2022-32894 – that threat actors could use to hijack devices and plant malware on them.

Webz.io, the company that monitors web databases, claims to have discovered a new Apple zero-day vulnerability being traded on the dark web. A few days after the initial vulnerability was exposed, the researchers found a post in which a hacker was offering a new zero-day around the same CVE-2022-32893 for €2.5 million.

An ad on a dark forum

"This is what we consider to be a unique publication of a zero-day because it is rare that a hacker publicly sells a zero-day, especially related to a large enterprise such as Apple. This specific hacker has a history of selling zero-days for Apple and Android," the company said.

It's common to see a higher level of malicious activity around the time new vulnerabilities are published. We witnessed the Log4j exploitation party after the flaw became publicly known, followed by exploitation of the first patch. We also saw at least ten advanced persistent threat (APT) groups jumping on the Microsoft Exchange Server exploitation train.

Given that Apple's recent zero-days affect the majority of its devices, it's no wonder threat actors tried to exploit the flaws as soon as possible.

Webz.io searched for the two vulnerabilities using its Dark Web API and found threat actors discussing the zero-days on different platforms, from Telegram to Tor.

The image below shows a discussion in which hackers talk about CVE-2022-32893/4 and look for additional zero-days around the already existing patch.

Hackers discussing CVE

Cybernews has approached Apple for comment and will update the article accordingly.