Zero-day black market shifts from selling vulnerabilities to selling access

One of the software success stories of the Covid-19 pandemic era has been that of videoconferencing service Zoom. Despite already existing in a crowded field of both startups and mature competitors, Zoom became a household name (and verb, and noun) for businesses, schools, and other groups trying to stay connected while “sheltering” at home. But as Zoom boomed, so did Dark Web sales of zero-day vulnerabilities in its software.

A Zoom vulnerability that allowed remote-code execution on Windows computers was allegedly for sale on the Dark Web for $500,000, Vice reported in April. Another zero-day vulnerability for Zoom on Macs, confirmed by multiple sources, commanded a lower but allegedly still substantial Dark Web price.

The entire black-market ecosystem of buyers, sellers, and deal brokers conducts its business through a series of deals and digital handshakes that most people would consider ethically dubious, says Roman Sannikov, director of cybercrime and underground intelligence at cybersecurity research company Recorded Future. His team focuses on tracking and investigating criminal actors, hacktivists, and extremists that are not state-sponsored.

READ MORE ON ZERO-DAY VULNERABILITIES

Primer: What’s a zero-day?
For critical systems, “just patch it” is a paradox
When to disclose a zero-day vulnerability
Bug bounties have bugs of their own
What’s in a bug bounty? Not extortion
Bug bounties break out beyond tech
The dark side of bug bounties

Hackers who want to sell their zero-day vulnerabilities on the black market have many reasons for doing so, he says. Depending on what the vulnerability is, and for which software, they can make significantly more money than they can from an official bug bounty. They may also want to hurt the organization that maintains the software or an organization that uses it.

But the concept of a lone hacker selling a vulnerability to another in order to facilitate hacking an organization is no longer the primary transaction that Recorded Future is observing on the Dark Web, Sannikov says.

“What we’re really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities,” he says.

That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, or steal proprietary information. Sannikov says that over the course of the pandemic, there’s been an important shift toward access-as-a-service, where the hacker or hacking group doesn’t steal data themselves. He compares it to specialized teams of thieves targeting a house.

This story was originally commissioned by Dark Reading. Read the full story here.