Zero-day Black Market: Governments are the biggest customers

Governments, and in particular the U.S. Government, are the principal buyers of zero-day vulnerabilities, according to a report published by Reuters.

Zero-day exploits are considered a primary ingredient of a successful cyber attack, and knowledge of a zero-day flaw gives the attacker a near guarantee of success. As a result, state-sponsored hackers and cyber criminals consider zero-day exploits a precious resource, around which a booming market has grown.

Zero-day exploits can serve as an essential component in the design of a cyber weapon, or can be used for cyber espionage; in both cases governments appear to be the entities most interested in these attacks.

Recent cyber attacks conducted by Chinese hackers might lead one to think that the Chinese Government is the primary buyer/developer of zero-day vulnerabilities, but a report recently published by Reuters claims the United States government is the “biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”

Reuters revealed that the U.S. Government, in particular its intelligence agencies and the DoD, are “spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head.” It’s a new way to compete with adversaries in cyberspace.

The emerging zero-day market is fueled by the intense activity of talented hackers who sell information on flaws in widely used products. According to Reuters, defense contractors and intelligence agencies “spend at least tens of millions of dollars a year just on exploits”.

The zero-day market is very complex, due to the high “perishability” of the goods and other factors. The following are some of the key factors in this complex business.

Difficulty finding buyers and sellers – It’s a closed market, not openly accessible. Finding a buyer or identifying a possible seller is a difficult phase of the transaction.

Checking the buyer reliability – The small number of reliable brokers able to locate a buyer pushes the security researcher to try to tell many individuals about a zero-day discovery in an attempt to find a “reliable” buyer, but this comes with obvious risks.

Value cannot be demonstrated without loss – One of the most fascinating problems a researcher attempting to sell vulnerability information or a zero-day exploit may face is proving the validity of the information without disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property without compensation.

Exclusivity of rights – The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the researcher must be willing to sell all rights to the information to the buyer. However, the buyer has no way to protect themselves from the researcher selling the information to numerous parties, or even disclosing the information publicly, after a sale.

The trend of exploiting zero-days for offensive purposes has been followed by intelligence agencies and also by private companies, both of which have started to develop their own zero-day exploits.

“Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.”

The Reuters report also reveals the participation of government representatives in the ISS World Americas conference, clearly with the intent to acquire new technologies to conduct cyber espionage.

A government’s choice to acquire a zero-day exploit for use against a foreign government carries serious risks, since cyber terrorists, cyber criminals or state-sponsored hackers could reverse engineer the attack and build new malicious agents to use against the attackers themselves.

The most popular example is the case of the Duqu malware, a powerful spyware designed “to steal industrial-facility designs from Iran,” whose code was subsequently adopted by the cybercrime industry as a component of the popular Blackhole and Cool exploit kits.

In many cases these zero-day exploits remain effective for a long time, owing to the presence of infrequently updated target systems, so a typical zero-day attack has an average duration of 312 days. Once publicly disclosed, increases of 5 orders of magnitude in the volume of attacks are observed.

Zero-day Analysis

Reuters reports having reviewed a product catalogue from one large contractor; it contained various applications for cyber espionage purposes. The article refers to a product “to turn any iPhone into a room-wide eavesdropping device” and to another that “was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren’t connected to anything.”

The product portfolio is very impressive, including tools for gaining access to computers and phones and tools for grabbing different categories of data. It’s clear that the majority of these products use zero-day vulnerabilities in various applications and OS software. And most of the programs cost more than $100,000.

Based on my experience, the cost of a zero-day exploit depends on a multitude of factors such as the target product, its diffusion level and of course the scope of use. A zero-day sold to a government could have a price up to 100 times that of an exploit kit sold to private industry.

Who are the principal intermediaries in zero-day sales?

The Grugq is the most famous, but small firms like Vupen and Netragard and defense contractors such as Northrop Grumman also operate in this growing market.

Netragard’s founder Adriel Desautels says he’s been in the exploit-selling game for a decade, and describes how the market has “exploded” in just the last year. He says there are now “more buyers, deeper pockets,” that the time for a purchase has accelerated from months to weeks, and that he’s being approached by sellers with around 12 to 14 zero-day exploits every month, compared to just four to six a few years ago.