Exploit trader Zerodium – which pays out fees to hackers who find weaknesses in cybersecurity systems so it can sell them on at a profit – has raised its reward for special malware that targets users of Microsoft Outlook.
More worryingly for users of the software giant, the malware – known as zero-click – does not require victims to click on infected links or fall for fake emails.
“A zero-click exploit does not even give the device owner a chance to be tricked – the malware is installed without their knowledge,” said Jonathan Mandell, head of Teepee, a risk management firm, adding that zero clicks instead use weaknesses in operating systems to install malware on devices such as iPhones.
The virulence of the technology makes Zerodium’s augmented bounty offer to cyber mercenaries all the more disturbing.
“We are temporarily increasing our payout for Microsoft Outlook to $400k,” Zerodium announced. “We are looking for zero-click exploits leading to remote code execution when receiving/downloading emails in Outlook, without requiring any user interaction such as reading the malicious email message or opening an attachment.”
To put this into perspective, Microsoft Outlook was estimated to have 400 million active users in 2018. That means if hacker bounty hunters turn over such exploits to Zerodium for the fee, millions of email users could be left vulnerable to cyberattack from whoever subsequently acquires the data from Zerodium.
The exploit trader typically sells to state-sponsored threat actors who can afford its high prices, meaning the private data of ordinary civilians could theoretically end up in the hands of pariah regimes such as Iran and North Korea.
Other web browsers have not been overlooked by the exploit trader, and Zerodium has also declared it will offer $200k to zero-click exploits targeting Mozilla Thunderbird. That means users of the popular browser could also risk having their accounts hacked without lifting a single misguided finger.
Because they don’t require the victim to click on any external links, zero-click attacks are very good at covering their traces. Such malware can copy your entire email inbox and address folder before deleting itself. This ability means that even if not initially successful, a zero-click exploit can repeatedly attempt to gain access to an account without being spotted.
“Detecting these attacks is extremely difficult,” said Isla Sibanda, cybersecurity specialist at Privacy Australia. “Attackers inject a code that compromises the device in the shape of hidden texts by targeting applications that provide messaging or voice calling services. The same features of the software that make it secure are the ones that make this attack harder to detect. These attacks have become more common with the emerging reliance on smartphones and other digital devices.”
Allan Buxton, director of forensics at Secure Data Recovery Services, agreed that proactively defending against zero-click attacks poses a major challenge to businesses.
“General internet paranoia, such as not visiting suspicious sites and blocking ads, only works for attacks that target web browsers,” he said. “To prevent a zero-click that targets a messaging app, the user either has to disable the service or block all messages from unknown users. Of course, doing so would limit communication to the extent that might not be sustainable in a business or social environment.”
The first zero-click exploit - which used a revamped version of the Pegasus spyware – is thought to have been developed by Israeli cybersecurity firm NSO Group. It was deployed against activists in Bahrain between 2020 and 2021 before being used again later that year to bypass Apple’s much-touted new security feature BlastDoor.
In this case, one of iMessage’s defenses – its end-to-end encryption – was turned into a weakness, because the security feature made it much more difficult to detect the zero-click attack. Likewise, any system that parses data to make sure it’s being sent from a trusted source is vulnerable to a third-party attack using this technology.
“The Pegasus spyware made use of two different zero-click attacks to target iMessage users,” said Buxton. “Because the iMessage has to be sent directly to the intended recipient, this kind of targeted attack requires advance knowledge of the recipient’s contact number.”
What you can do
“Ensuring that your device and all its installed applications are updated is perhaps the best protection against any exploit, such as Pegasus, already known to be in circulation,” said Buxton.”
Edward Eugen, a cybersecurity engineer and tech reviewer, agrees. “Keep your devices updated since it will help you automatically change your software to one that the hacker may not be so familiar with,” he said. “Small things like this count since what you need is time to identify that an attack is happening.”
More from CyberNews:
Subscribe to our newsletter