For years the secretive market for zero-day exploits — unpatched bugs in software or hardware — thrived in the dark corners of the internet. But vulnerability sales have been all but driven off the dark web, according to experts, and now operate in the open.
The cyber intelligence firm FireEye has only recorded three zero-day sellers on the dark web so far this year, Jared Semrau, a vulnerability and exploitation manager at the firm, told Fifth Domain. That compares to the peak of at least 32 zero-day sellers in that marketplace in 2013, Semrau said.
He explained the drop-off as being caused by a combination of “people being cautious and exploit developers selling on the dark web likely being wrapped up in arrests.”
Semrau also said that manufacturers have increased their bug-bounty programs, offering payouts for hackers to report rather than reveal exploits, which has contributed to the slowdown in black-market sales.
Years ago it was challenging for some to sell or acquire zero-day exploits, said Amit Serper, head of security research at the cybersecurity firm Cybereason. “Now it has changed. That’s the whole point of a bug-bounty program.”
Zero-day exploits can be used for purposes that include overriding systems, breaking into devices or taking data. For instance, there has been an increase in the number of exploits that target routers, Serper said.
For that reason, it’s not just malicious actors buying up exploits. Some companies stage their own bug bounties and even go so far as to purchase zero-day exploits on their own products to eliminate public vulnerabilities.
Today, there are more ways to procure zero-day vulnerabilities than just on the dark web.
Zerodium, a company that buys security exploits through a bounty program and sells them to its customers, operates a public website that includes a menu of payouts. The company says it will pay up to $1.5 million for a weakness that can remotely jailbreak an Apple iPhone, and $500,000 for remote code executions that work on Windows software.
In the past month the company has announced three times that it is looking for new exploits or is increasing payouts for some zero-day exploits.
Zerodium says its customers are governments and companies that operate in the defense, technology and financial sectors.
Access to a subscription service that offers zero-day exploits costs roughly $150,000 per month, according to a July 2018 paper from the Massachusetts Institute of Technology.
The hacking group Shadow Brokers, which was behind the WannaCry cyberattack, launched a zero-day subscription service in 2017. It is not clear if the program is still running.
And it’s not just the unknowns that pose a threat. Poor cyber hygiene can be just as crippling to an organization as the most devastating zero-day exploit.
Both Semrau and the MIT paper said that one-day vulnerabilities are still valuable because many users do not patch their computers immediately after an exploit is discovered. And the Department of Homeland Security warned Sept. 24 in a webinar that some network administrators are still not using two-factor authentication, making their passwords too easy to crack.
“Cyberattacks start with vulnerability discovery, which finds the weakness that can be used to intrude into the victim’s systems,” the MIT paper said.
“Weakness may be a zero-day/one-day vulnerability in software/hardware, or the relatively simple use of passwords that are not modified for a long time and easy to uncover by brute force.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.