Skip to content

Zero-day market, the governments are the main buyers

by Pierluigi Paganini on May 21st, 2013
zero-day

Governments, and in particular US one, are principal buyers of zero-day vulnerabilities according a report published by Reuters.

Zero-days exploits are considered a primary ingredient for success of a cyber attack, the knowledge of zero-day flaw gives to the attacker guarantee of success, state-sponsored hackers and cyber criminals consider zero-day exploits a precious resources around which is grown a booming market.

Zero-day exploits could be used to as an essential component for the design of a cyber weapon or could be exploited for cyber espionage purposes, in both cases governments appear the most interested entities for the use of these malicious code.

Recent cyber attacks conducted by Chinese hackers might lead us to think Chinese Government is primary buyer/developer for zero-day vulnerabilities, but a report recently published by Reuters claimed the US government is the “biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”

Reuters revealed that the US Government, in particular its intelligence agency and the DoD are “spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head.”, it’s a news way to compete with adversary in cyberspace.

Recent tension between China and US gave security experts the opportunity to discuss about the development of the two countries of efficient cyber strategy that improve both offensive and defensive cyber capabilities.

Both countries are largely invested in the creation of new cyber units, but according intelligence sources, offensive approach seems to be most stimulated by the need to preserve the security in the cyberspace.

NSA chief General Keith Alexander told Congress that the US Government  is spending billions of dollars every year on “cyberdefense and constructing increasingly sophisticated cyberweapons” this led to the birth  of “more than a dozen offensive cyber units, designed to mount attacks, when necessary, at foreign computer networks.”

Popular hacker Charlie Miller, security researcher at Twitter, with a past collaboration with NSA confirmed the offensive approach to cyber security:

 “The only people paying are on the offensive side,”

The emerging zero-day market is fueled by intense activities of talented hackers who sell information on flaws in large use products. According Reuters defense contractors and intelligence agencies “spend at least tens of millions of dollars a year just on exploits”.

The zero-day market is very complex due high “perishability” of the goods, following some key figures of a so complex business

Difficulty finding buyers and sellers – It’s a closed market not openly accessible. Find a buyer or identify a possible seller is a critical phase.

Checking the buyer reliability – The reduced number of reliable brokers able to locate a buyer pushes the researcher to try to tell many individuals about the discovery in an attempt to find a buyer with obvious risks.

Value cannot be demonstrated without loss – One of the most fascinating problems a researcher attempting to sell vulnerability information or a 0-day exploit may face is proving the validity of the information without disclosing the information itself. The only way to prove the validity of the information is to either reveal it or demonstrate it in some fashion. Obviously, revealing the information before the sale is undesirable as it leaves the researcher exposed to losing the intellectual property of the information without compensation.

Exclusivity of rights - The final hurdle involves the idea of the exclusive rights of the information. In order to receive the largest payoffs, the researcher must be willing to sell all rights to the information to the buyer. However, the buyer has no way to protect themselves from the researcher selling the information to numerous parties, or even disclosing the information publicly, after the sale.

Current approaches to zero-day vulnerabilities are to be bought up exploits avoiding that they could be acquired by government’s opponents such as dictators or organized criminals, many security firms sell subscriptions for exploits, guaranteeing a certain number per year.

The trend to exploit zero-day for offensive purposes has been followed by intelligence agencies and also private companies, both actors have started to code their own zero-day exploits.

“Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.”

The Reuters report also revealed the participation of government representatives to the Secret Snoop Conference for Government and law enforcement spying, clearly with the intent to acquire new technologies to conduct cyber espionage through malware based attacks able to compromise target  networks.

The choice of a government to acquire a zero-day exploit to use it against a foreign governments hide serious risks for its country, cyber terrorist, cyber criminals or state-sponsored hackers could  reverse engineer the source code to compose new malicious agent to use against the same authors.

The most popular example is the case of Duqu malware, a powerful spyware designed “to steal industrial-facility designs from Iran.”  which code was adopted by cybercrime industry to be the active components in popular Blackhole and Cool exploit kits.

In many cases the efficiency of these zero-day exploits has a long life due the presence of not updated target systems, typical zero-day attack has an average duration of 312 days and once publicly disclosed it is observable an increases of 5 orders of magnitude of the volume of attacks.

Zero day Analysis

Reuters reported to have reviewed a product catalogue from one large contractor, it contained various applications for cyber espionage purposes. The article refer of a product “to turn any iPhone into a room-wide eavesdropping device” and another one “was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren’t connected to anything.

The product portfolio is very wide including tools for getting access to computers or phones and tools for grabbing different categories of data, it’s clear that majority of these products exploits zero-day vulnerabilities on various application and OSs …. most of the programs cost more than $100,000.

Based from my experience the cost of a zero day-day depends on a multitude of factors such as the product target, its diffusion level and of course the scope of use, a zero-day sold to a government could have a price up to 100 times an exploit kit sold to private industry.

Which are the principal mediators for zero-day sale?

The Grugq is the famous one but also small firms like Vupen and Netragard and other defense contractors such as Northrop Grumman operate this growing market.

Netragard’s founder Adriel Desautels says he’s been in the exploit-selling game for a decade, and describes how the market has “exploded” in just the last year.  He says there are now “more buyers, deeper pockets,” that the time for a purchase has accelerated from months to weeks, and he’s being approached by sellers with around 12 to 14 zero-day exploits every month compared to just four to six a few years ago.

Prepare for the worst, the explosion in demand for zero-day leaves little doubt about the true intentions of governments and the impact is certainly not confined to just cyberspace.

Pierluigi Paganini

(Security Affairs – Cyber security, Zero-day vulnerabilities)

Comments are closed.