Have you ever wondered what it’s like to be a hacker? In films and TV series, we often see a hooded man hammering at a keyboard while streams of numbers and symbols fill the screen, and a secure network is hacked. However, in the real world, things work a little differently.

It takes a lot of time and effort to bypass various security protocols and carry out a successful hack, especially when considering large organizations with a serious level of security.

However, even in such cases, hackers have a secret up their sleeves that saves them from spending months searching for a vulnerable spot in corporate systems. This secret is the opportunity to purchase a ready-made exploit for a particular zero-day vulnerability, along with information on which companies’ systems it can be used against successfully.

In this article, we will talk about the so-called “zero-day market”, where, for fabulous sums, major league hackers trade tools and data that can significantly simplify and speed up the process of hacking the networks of a particular company.

What are Zero-day vulnerabilities?

Zero-day vulnerabilities are vulnerabilities that are present in software products or systems and have not yet been fixed by the supplier, either because the supplier does not know about them or because it has simply not had time, since the vulnerability became known only recently.

Be that as it may, even a few days during which attackers can use an open vulnerability may give them enough time to carry out everything they have in mind, leading to catastrophic consequences for the corporate sector or critical infrastructure.

It can take professional hackers months or even years to find a truly useful zero-day vulnerability, one that can be exploited successfully without a huge investment of time, which is why such vulnerabilities are so valued on the dark market.

How did hackers learn to make money from Zero-day vulnerabilities?

For a long time, tech enthusiasts had little financial interest in finding bugs. In the beginning, when they found a zero-day vulnerability, they approached the developers of the affected software simply so that it would be fixed. There was hardly any reward for this, even when the developers did not file a counterclaim for hacking.

However, over time, attitudes toward cybersecurity have changed significantly, and it has become much more important both for companies and for the hackers themselves. Now, for example, corporations reward white hat hackers with significant sums for conscientiously disclosing vulnerabilities.

Realizing the importance and value of such digital resources, malicious hackers with selfish motives eventually formed a dark market that quickly grew to incredible proportions.

Then came intermediaries, zero-day brokers, and other characters who specialize in providing cybercriminals with the necessary information and tools for a generous fee, and even take responsibility for the performance of a particular type of hacking. They carefully check everything and vouch for the effectiveness of the software solutions they sell.

How much do zero-day vulnerabilities cost?

According to statistics from Zerodium, a company that specializes both in finding zero-day vulnerabilities itself and in purchasing them from researchers and hackers, a high-quality vulnerability that allows an attacker, for example, to bypass a smartphone password or PIN code currently costs around $100,000. At the same time, a similar bug that gives access to chat applications, a web browser or email is estimated to cost up to $500,000.

Zero-day bugs that give access to someone’s mobile gadget without any interaction from the user can cost between 2 and 2.5 million dollars. Such astronomical amounts are explained by the potential consequences of successful exploitation of the vulnerability. If it can affect every owner of a brand-new iPhone, the scale of exploitation is frightening to imagine.

Government agents

The buyers of information about such vulnerabilities are often the governments of certain countries, which benefit from the ability to freely hack the smartphones of particularly dangerous criminals and other individuals threatening national security, without asking companies such as Apple and Google for assistance in the investigation. These companies, by the way, will not always be able to help the police even if they want to, since they may not have the necessary level of access to consumer gadgets either.

“Some zero days are harmless. You find a bug in the code, but it may be found in a system that is not widely used, or even only by some highly specialized audience. Such systems are of little interest to hackers, so they usually do not spend their time on them,” explains New York Times journalist Nicole Perlroth. “The systems that hackers and authorities are focusing their attention on now are iOS, Android, and critical infrastructure.”

Thus, the cost of hacker campaigns like the recent high-profile Operation Triangulation, carried out, as expected, by American intelligence agencies, and exploiting 4 zero-day vulnerabilities in the iPhone at once, is still unknown. Surely it would have cost the United States an astronomical sum unless all these vulnerabilities were discovered by staff members of local departments.

An example of the exorbitant price tags for exploits comes from a broker called Operation Zero, which in September 2023 offered $20 million for a valid chain of attacks. Thus, the same Operation Triangulation could cost foreign intelligence agencies at least $20 million if exploits for attacks were purchased from ordinary hackers.

Such “zero days”, purchased at a similar price, can easily provide interested parties with access to desktop computers, industrial controllers, and networks that support the infrastructure of factories, military bases, or entire cities.

Examples of zero days in the wild

The Stuxnet malware was one of the most advanced examples of malicious software, which, exploiting a series of zero days at once, was used in 2010 to infiltrate an Iranian nuclear facility and subsequently disrupt its functionality.

The NotPetya virus also resulted in one of the most devastating cyberattacks ever recorded in the digital space, using a single zero-day vulnerability to paralyze an entire country in a matter of days and cause billions of dollars in damage to international companies.

Thus, it is quite appropriate to compare critical zero-day vulnerabilities to weapons of mass destruction or the material from which such weapons can be created.

As a rule, it is the world governments that have enough funds to buy such collections of “zero days”, as well as enough personnel to use them. With the right set of such vulnerabilities, any state can easily wage cyberwar against rival governments and even its own citizens.

Conclusion

The zero-day market is a vast multi-level structure with a huge number of actors pursuing their own interests. Even though large companies do everything possible to minimize the malicious use of such vulnerabilities by offering generous rewards to researchers for discovered bugs, some vulnerabilities still end up on the black market and are bought by large players for exorbitant sums.

World governments are often involved in this dirty game, actively investing in this business and hiding data from the public. They pay hackers to keep quiet and use zero-day vulnerabilities for espionage and cyber warfare.

The uncontrolled spread and use of such vulnerabilities can lead to catastrophic consequences, ranging from leakage of confidential data to disruption of the critical infrastructure of entire countries.

To combat this threat, it is necessary to strengthen international cooperation in the field of cybersecurity, introduce tougher penalties for traders of zero-day vulnerabilities, and perhaps further encourage white hat hackers to report discovered vulnerabilities directly to software developers.

Only an integrated approach, combining the efforts of states, large companies, and security researchers, will make it possible to establish a strong barrier that prevents the spread of zero-day vulnerabilities, as well as to minimize the risks associated with their malicious use.

❤️ If you liked the article, like and subscribe to my channel, Codelivly.