
Do You Know the Power of The Dark Side?

Published: July 5, 2021 By Rakesh Naik


Computing systems and devices have had vulnerabilities for as long as they have existed. In the right hands, these vulnerabilities lead to the improvement of a system, but in the wrong hands they can cause a great deal of damage.

In this article, we will look at a particular type of vulnerability known as a zero-day vulnerability, or simply a zero-day. We will also look at the different markets where one could sell a zero-day, along with the pricing and implications of these markets.

 

What is a Zero-Day Vulnerability?

Image Depicting a Sample Attack Scenario exploiting the CVE-2008-0166 Vulnerability

Image Source – “Towards Probabilistic Identification of Zero-day Attack Paths” Scholarly Article by Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal and John Yen

No matter how well secured, every system will have quite a few vulnerabilities present in its software or hardware. The only way a system could have 0% vulnerability, like one of my professors at university would say, is if it were turned off, buried 20 feet underground, and had security guards working 24x7.

A vulnerability in a system that hasn't been patched yet, and that might be unknown to the vendor, is known as a zero-day vulnerability. Zero-day vulnerabilities pose more risk the longer they are left unpatched, for the following reasons:

  • Various threat actors aware of the zero-day compete to exploit the vulnerability
  • The system with said zero-day is exposed to threats until a patch is released

Any exploitation of such a system by a malicious party before the patch for the zero-day is released is known as a zero-day exploit.

The vital point to note here is that a zero-day vulnerability might not immediately be made public by the attacker who found it. They might bide their time to find the right moment to launch an attack so that they can gain maximum results from it.

So, a vendor should always check for flaws and vulnerabilities in their system and patch them regularly to avoid such zero-days. 


Why are Zero-Days so Important?

Image explaining the life-cycle of a zero-day vulnerability

Zero-day vulnerabilities are one of the most important concepts in the world of cybersecurity. They can decide the future of an entire organisation and can even bring a lot of destruction to it.

Well, I'm exaggerating to make a point. While a zero-day unleashing hell is not very common, it can cause quite a lot of damage to the owner of the system that has the zero-day.

But, even so, why are zero-days more critical than normal vulnerabilities that are capable of the same? To answer that question, we need to learn about the parties that are interested in the zero-day vulnerability.

There are two main teams competing against each other in every cybersecurity scenario: the black hat hackers and the white hat hackers. The two race, though not in real time, to find the zero-day before the other and thwart the other's plans.

The black hats try to exploit a system using a zero-day and gather sensitive information to make personal gains or demand ransom. They usually install malicious software on the exposed system to aid their activities. Black hat hackers are always on the wrong side of the law.

On the other hand, the white hat hackers try to find how a zero-day can be exploited and report it to the vendor or patch it themselves (if they have permission). They are always on the good side of the law, as they draft contracts with the vendors or owners of a system before looking for and exploiting vulnerabilities.

Major differences between a White Hat and a Black Hat hacker illustrated

Image Source – cdn.ttgtmedia.com

Black hats are usually hackers or state-sponsored actors trying to gather sensitive information from victims for personal gains. White hats are usually penetration testers or bug bounty hunters looking to help improve the system by reporting vulnerabilities to the vendor.

Our following discussion will focus on bug bounty hunters and the potential markets where they can sell zero-day vulnerabilities.


Selling a Zero-Day Vulnerability

Zero-day vulnerabilities are as lucrative as they are essential to securing a system, and they pay quite a lot of money if sold to the right buyer.

Usually, a bug hunter who finds a zero-day writes a report of the findings and methods of exploitation, which is then submitted to a trusted bug bounty platform or directly to the vendor. While selling to a vendor pays more, it isn't always easy to get in touch with the relevant team at the vendor organisation.

Bug Bounty Program offered by the Zerodium Exploit Acquisition Program

Image Source – zerodium.com

This is why bug bounty platforms act as a third party to which zero-day vulnerabilities can be reported, albeit at a lower price, but with more ease and convenience. They also don't have the strict reporting standards that a vendor might have. The bug bounty platform reports all the zero-days submitted by hunters to the vendor to collect its payment.

While the vendor or a trusted bug bounty platform is always the morally good choice, they are not always the highest paying choices. There are other forms of buyers for zero-day vulnerabilities that are not as morally good.

I interrupt this article for a quick disclaimer.

Disclaimer: All information listed henceforth is for educational purposes only and it isn’t advised to test these practically without proper knowledge. Neither the writer nor the website is responsible for any damage caused or systems compromised.

Ok. Now that I've got that out of the way, let's resume our discussion.

The dark web or deep web, or whatever you like to call it, is a market for almost everything you can dream of, from stolen credit card credentials to illegal guns and other goods. Zero-day exploits aren’t an exception to this.

A Bug Bounty Program on the Deep Web marketplace Hansa

Image Source – Hansa Marketplace

However, if you sell a zero-day exploit on the deep web or the black market, it is almost certain that it will not be put to good use, even though this isn't always the case. There will be certain buyers on the black market buying zero-days on behalf of the concerned vendor or for research purposes.

The latter scenario happens far less often than the former. But either way, it pays almost the same. From the right buyer, a zero-day will fetch many times the price on the black market, depending on the system or software in question.


Zero-Day Prices: Bug Bounty Platforms vs Black Market

As explained in the previous section, you are always bound to make more by selling a zero-day vulnerability on the black market than on a bug bounty platform. This higher price also comes with a few risks, which we will look at in the next section.

Let’s take the most recent exploit of the video conferencing platform, Zoom. In 2020, due to the COVID-19 pandemic, Zoom rose in prominence for many individuals and organisations due to the “Work from Home” set-up. But it wasn’t long before a zero-day vulnerability for the software also rose to prominence on the Dark Web.

The Zoom 0-day vulnerability as first published by ACROS security on the 0patch blog

Image Source – blog.0patch.com

The zero-day allowed remote code execution on Windows computers once exploited, which means that an attacker can run code on the victim system from a remote location. This allows an attacker to install software or tools that help in further compromising the victim system.

This zero-day was sold for almost half a million dollars on the black market and, if left unchecked, would have caused quite a lot of damage to Zoom users, totalling on the order of a few million.

By comparison, under the bug bounty program, a user who manages to find a zero-day in Zoom is rewarded with only around $100,000 to $200,000.

This difference is seen on almost all platforms, with the highest bounty offered being $2.5 million (Zerodium) for a really impactful zero-day vulnerability. This price would possibly be paid out for bugs such as a system-breaking zero-day affecting tech giants like Google, Facebook, Apple, etc.

The same zero-day on the black market would easily pay in the tens of millions of dollars. An exact quote cannot be given for this due to it being quite rare.


Just Because You Can, Should You?

The Wanted notice for one of the earliest computer hackers, Kevin Mitnick

Image Source – wiki.cas.mcmaster.ca

Just because you can perform a crime, should you? It might earn you huge profits, and you might think it won't come back to bite you in the behind. In this section, we will look into the risks associated with selling zero-days on the black market and help you not stray to the Dark Side.

As we discussed extensively in the previous section, zero-day vulnerabilities on the black market are bound to fetch you an above-average price, depending on the system. But with great prices come great risks.

Unlike the bug bounty platforms, the black-market buyers of a vulnerability also share the risks associated with their work with you, the seller. They pay the enormous amount of money only because they hope to exploit the system with the vulnerability to (illegally) make an even higher sum of money.

Meaning, the hacker who bought the Zoom zero-day discussed earlier for $500,000 was probably planning to, and probably could, make millions by exploiting the vulnerability. This higher price is associated with all the risks taken by the hacker while using the vulnerability.

If the hacker who bought your zero-day gets caught while trying to illegally exploit a system, you are likely to be listed as an accomplice and receive a serious penalty. It's not as if the person who bought your vulnerability on the black market will try to save you, a random stranger on the internet.

They might even try to sell you out with hopes of getting a reduced sentence. On top of that, you might even be charged for not reporting the found vulnerability to the concerned vendor.

However, in recent years, the market for zero-days has diminished greatly. That is not to say that a zero-day can’t be sold, but a zero-day isn’t as important for exploiting a system. The number of zero-day sellers has gone down from almost 32 in 2013 to a mere 3 in recent years, according to a report by FireEye.

This is mainly because a zero-day vulnerability is not necessary to exploit a system; exploitation can usually be done with pre-existing vulnerabilities in systems that haven't installed the latest updates.

This eliminates all the hard work and resources required to find a zero-day vulnerability and makes the entire process faster and easier from a hacker's point of view.


Conclusion

A zero-day vulnerability is a flaw in any system that hasn't yet been patched by its vendor and can be exploited by a malicious third party. In the above article, we discussed zero-day vulnerabilities, bug bounty, as well as prices of zero-days in different markets.

We then went on to look at the implications of selling zero-days on the black market for illegal uses, and hopefully, by now, I have reformed you to join the light-side of bug hunting.

If you liked this article, or have any interesting information about zero-days, or even hated the article for trying to reform you, please let us know and leave a comment below.

Author
Rakesh Naik
Freelance Cyber Security Analyst and Writer practicing in Infosec Assessment.
