A New Revenue Stream for Hackers?

Last week, Security Affairs reported that hackers were trying to sell a zero-day exploit for Zoom’s Windows and macOS clients. (See Here) Reportedly, the hackers were asking $500,000 for the Windows version and an undisclosed amount for the Mac version. Some people have told me this is concerning because it could be seen as a new revenue stream for hackers: now they can also try to extort companies with these vulnerability discoveries. I do not see it this way. In fact, I see this as the natural outgrowth of bug bounty programs and vulnerability disclosure platforms such as HackerOne (See Here). I think part of the concern comes from the romanticized notion of the black-hat hacker. Many people do not understand the role of white-hat and gray-hat hackers. There are many security researchers on the Internet who spend their days looking for these vulnerabilities and reporting them to companies so that they can be patched. There is also a bevy of hackers who hack because of a principle that guides them – some altruistic, some less so. These hackers often discover flaws and try to notify the affected company. It is also interesting to note how often the affected companies deny these flaws or try to minimize their impact, and in some rare cases the company does not even respond to the notification. These non-responses have often led to some thrilling moments at hacker conferences such as DEF CON.

What most people do not know is that this kind of underground selling of zero-day exploits has been going on for years. Zero-days are often for sale on Dark Web marketplaces, and there are even more above-board exchanges where governments and large corporations buy and sell these exploits. Sometimes the purchase is made to keep the exploit out of someone else’s hands, and the US government has been rumored to be one of the largest buyers of these exploits. According to the Journal of International Affairs, the NSA was criticized for not revealing some of these zero-days to Cisco and other manufacturers; when those zero-days were stolen, the NSA was forced to reveal them to prevent widespread damage. (See Here) The United States has long operated the Vulnerability Equities Program, which was mandated by President Bush in 2008. This program requires government agencies to evaluate each threat they discover (or purchase) and determine whether to keep it secret or reveal it. The policies and procedures of this program were modified in 2014 by President Obama. Much of the program’s internal workings were revealed by Edward Snowden, including the budget for security vulnerability purchases ($25 million annually), and the NSA subsequently stated that it keeps less than 10% of the vulnerabilities it purchases or discovers. So this is not a new revenue stream for hackers; it is a revenue stream that is slowly coming out of the shadows.