One of the software success stories of the COVID-19 pandemic era has been videoconferencing service Zoom. Despite already existing in a crowded field of both startups and mature competitors, Zoom became a household name for anyone stuck at home to avoid the coronavirus. But as Zoom boomed, so did Dark Web sales of zero-day vulnerabilities in its software.
A Zoom vulnerability that allowed remote-code execution on Windows computers was allegedly for sale on the Dark Web for $500,000, reported Vice in April. Another zero-day vulnerability for Zoom on Macs confirmed by multiple sources commanded a lower but allegedly still substantial Dark Web price.
The entire black market ecosystem of buyers, sellers, and deal brokers conducts its business through a series of deals and digital handshakes that most people would consider ethically dubious, says Roman Sannikov, director of cybercrime and underground intelligence at cybersecurity research company Recorded Future. His team focuses on tracking and investigating criminal actors, non-nation state-sponsored extremists, and hacktivists.
Hackers who want to sell their zero-day vulnerabilities on the black market have many reasons for doing so, he says. Depending on what the vulnerability is, and for which software, they can make significantly more money than they can from an official bug bounty. They may also want to hurt the organization that maintains the software or an organization that uses it.
But the concept of a lone hacker selling a vulnerability to another in order to facilitate hacking an organization is no longer the primary transaction that Recorded Future is observing on the Dark Web, Sannikov says.
From Zero-Day Sales to Access-as-a-Service
"What we're really seeing is not people selling vulnerabilities, but selling the access that they obtained using those vulnerabilities," he says.
That access is then used to deploy ransomware or malware, create a botnet with the company’s computer system, steal proprietary information, etc. Because of the global COVID-19 pandemic, Sannikov says there's been an important shift toward access-as-a-service where the hacker or hacking group doesn't steal data themselves. He compares it to specialized teams of thieves targeting a house.
"The threat actor makes a key that opens the door. They take a photo [or screenshot, of the content of the system] as proof, then sell or auction off that access to someone else. That person will case the house, maybe leave some sort of a sniffer or device that will collect more information, and they'll sell that," he says. "But researchers won't know what the vulnerability is unless they finagle the info out of the threat actor or buy the vulnerability. This is the commoditization and specialization of the marketplace."
Not surprisingly, the pandemic has driven a huge spike in Dark Web traffic for zero-day vulnerabilities toward exploiting remote workers, says Mike Fowler, director of threat intelligence services at cybersecurity research and defense company GroupSense.
"When COVID hit, it hit so quickly many [organizations] are still playing catch-up," he says. "We're seeing $100 for a non-administrator account, to tens of thousands of dollars just for access to an administrator account."
The Black Market and the Gray Market
While bug bounties represent the legitimization of transactions between organizations and independent hackers (or teams of hackers) who find vulnerabilities in their software and websites according to a series of disclosure rules and are rewarded for it, black market vulnerability marketplaces provide less-than-ethical hackers with an opportunity to sell zero-days at rates they may not otherwise be able to demand.
The tension between who buys vulnerabilities to exploit them and who buys vulnerabilities to fix them can go a long way toward explaining how the overall vulnerability marketplace continues to thrive. While some vulnerability buyers representing software developers and organizations acquire zero-days from the Dark Web in order to patch them, most do not because the payouts are anywhere from 10 to 100 times more lucrative for sellers, according to at least one estimate in 2017 from Queen's University Belfast.
Furthermore, the line between nation-states and cybercrime organizations exploiting vulnerabilities is often blurred. Law enforcement and national intelligence agencies rarely buy zero-days, or "access-as-a-service" on the Dark Web; instead, they'll do business with so-called "lawful intercept" companies like the NSO Group, Gamma International, or Memento Labs.
Lawful intercept companies are controversial, however. Al Jazeera journalists, producers, anchors, and executives had their iPhones compromised by an iMessage zero-day exploited by nation-state clients of the NSO Group, according to a report published by The Citizen Lab.
The transactions for zero-days on the Dark Web are rarely conducted in public view, says a threat intelligence cybersecurity researcher who monitors such deals on a daily basis. They requested anonymity in order to maintain that access. Most zero-day marketplaces, the researcher says, are semi-private or fully private, and run by middlemen who want sellers and buyers to "build their reputations first."
"Most of them are Russian communities, or predominantly Russian-speaking communities," the researcher says.
Some of the marketplaces are password-protected sections of forums for other exchanges, such as illicit drugs or weapons.
"Some are very sophisticated," the researcher says. "You have to pay $1,000 just to see the exploits and their targets. If someone wants to sell an exploit, there are a lot of risks so that you don’t get scammed."
That includes providing the deal broker with a list of references to establish vulnerability-selling bona fides, paying the full sum of the vulnerability into an escrow account controlled by the broker, and providing a piece of code to establish the authenticity of the vulnerability. The broker often handles initial communications between the seller and buyer using vague terms to refer to the organizations affected, such as "a Fortune 100 company" or "a corporate network that did $10 billion in business, with 1,200 employees."
The price for the zero-day depends on the software that contains the vulnerability, the researcher says: "Facebook, iOS exploits, and Edge and Internet Explorer are the most expensive on the market right now, because of their popularity in organizations."
That buyer's drive to acquire vulnerabilities and resell them, or include them in more complicated exploit chains, will continue to fuel sellers' interested in zero-day marketplaces for years to come, Fowler says. It's ultimately a numbers game.
"The return on investment for zero-days on the Dark Web can be in the millions of dollars," he says.