No Takers for Zero-Day Vulnerabilities on the Dark Web
According to experts, vulnerability sales have been all but driven off the dark web, and the trade now operates in the open. For years, the secretive market for zero-day exploits thrived in the dark corners of the internet.
A recent report on Fifth Domain reads: “The cyber intelligence firm FireEye has only recorded three zero-day sellers on the dark web so far this year. That compares to the peak of at least 32 zero-day sellers in that marketplace in 2013.”
The drop-off is attributed to a combination of users being cautious and exploit developers who sold on the dark web likely being wrapped up in arrests.
Cybersecurity companies have raised their bounties for hackers who report rather than reveal exploits, which has contributed to the slowdown in black-market sales.
Amit Serper, head of security research at the cybersecurity firm Cybereason, said, “Years ago, it was challenging for some to sell or acquire zero-day exploits. Now it has changed. That’s the whole point of a bug-bounty program.”
Serper said, “Zero-day exploits can be used for purposes that include overriding systems, breaking into devices or taking data. For instance, there has been an increase in the number of exploits that target routers.”
For that reason, it’s not just malicious actors buying up exploits. Some companies stage their own bug bounties and even go so far as to purchase zero-day exploits for their own products to eliminate public vulnerabilities.
Today, there are more ways to procure zero-day vulnerabilities than just on the dark web.
A company called Zerodium, which purchases security exploits and sells them to customers, operates a public website that includes a list of payouts. The company pays anything in the range of $1.5 million for a weakness that can crack an Apple iPhone, and $500,000 for a remote code execution exploit for Windows software. The company has in the past announced increased payouts for some zero-day exploits.
Zerodium says its customers are governments and companies that operate in the defense, technology, and financial sectors.
Shadow Brokers, the group behind the WannaCry attack, launched a zero-day subscription service in 2017.
The moral of the story is that it is not the ignorant who are attacked, but poor cyber hygiene is more than enough to invite the wrath of a devastating zero-day exploit.
In a webinar on September 24th, Homeland Security warned that some network administrators are still not using two-factor authentication, making their passwords too easy to crack.
Semrau said, “Many users do not patch their computers immediately after an exploit is discovered.”
Cyber-attacks start with vulnerability discovery, which finds the weakness that can be used to intrude into the victim’s systems.