
Uncovering the "zero-day vulnerability" trade: a single exploit chain can fetch a reward of more than 200 million yuan

author:China Business News

Our reporter Qin Xiao reports from Beijing

Crowdfense, a company based in the United Arab Emirates, recently announced publicly that it will spend $30 million (about 217 million yuan) buying "zero-day vulnerabilities" from security researchers.

"Zero-day vulnerability" is a key concept in cyber confrontation. It refers to a security flaw in a widely used software or hardware product for which no patch yet exists, typically because the vendor does not know about it. Such vulnerabilities are highly scarce and potentially very destructive.

The reporter of China Business News noticed that in recent years companies around the world have been offering bounties to security researchers, both for the vulnerabilities themselves and for the hacking techniques (exploits) that turn those vulnerabilities into working attacks. This has allowed a "zero-day vulnerability" gray industry to grow unchecked.

A number of industry insiders told reporters that a "zero-day vulnerability" not only reflects the attacker's technical strength, but is also an important indicator of the technical strength of the defender. As the security of the two major mobile operating systems, iOS and Android, has improved, hacking into mobile phones has become more difficult, fewer "zero-day vulnerabilities" are available on the open market, and their price has risen.

Huge bounties

From the discovery of a "zero-day vulnerability" to a working attack, it generally takes five steps. The first step is to patiently hunt for signs of a "zero-day vulnerability"; the second is to confirm that a suspected vulnerability is real once it has been found; the third is to write exploit code for that vulnerability; the fourth is to slip the exploit past the defenders' protections so that it runs unnoticed; and the fifth is to launch the zero-day attack itself, implanting malware to achieve the desired result.

Previously, Apple's iPhone was the target of a "zero-day vulnerability" attack. Information security vendor Kaspersky reported that the hacking group behind the campaign it named "Triangulation" delivered its malware through iMessage messages that required no action from the victim (a so-called zero-click attack). Once infected, the iPhone transmitted microphone recordings, photos, geolocation data, and other sensitive information to a server controlled by the attackers. According to the report, the "Triangulation" exploit chain used four "zero-day vulnerabilities": CVE-2023-41990, CVE-2023-32434, CVE-2023-32435, and CVE-2023-38606.

Publicly known vulnerabilities are generally identified by a CVE number made up of the prefix "CVE", the year, and a sequence number. A CVE number is unique worldwide and is used to clearly identify and distinguish different security vulnerabilities. CVE numbers follow a fixed format: CVE-year-sequence number, where the sequence number has at least four digits.
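As an added example (not part of the original article), the following Python code parses and validates CVE identifiers in the format just described and pulls them out of free text such as an advisory. It goes slightly beyond the paragraph by encoding two rules of the CVE syntax: the sequence number has at least four digits and may be longer (the format was widened in 2014), and a sequence of five or more digits must not start with a leading zero. The sample advisory text below is constructed for the example; the four CVE numbers in it are the ones named in the article.

```python
"""Parse, validate and extract CVE identifiers (added example, not from the article)."""
import re
from dataclasses import dataclass

# Syntax: "CVE-" + four-digit year + "-" + sequence number of at least four digits.
# Since the 2014 syntax change the sequence may be longer than four digits, but a
# sequence of five or more digits may not have a leading zero
# ("CVE-2023-0001" is valid, "CVE-2023-01234" is not).
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# CVE numbering started in 1999; anything earlier cannot be a real ID.
_FIRST_CVE_YEAR = 1999


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Pad short sequences back to four digits; longer ones print as-is.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(text: str) -> CveId:
    """Parse a single CVE identifier, raising ValueError if it is malformed."""
    m = _CVE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    seq = m.group("seq")
    if len(seq) > 4 and seq[0] == "0":
        raise ValueError(f"leading zero in a long sequence number: {text!r}")
    year = int(m.group("year"))
    if year < _FIRST_CVE_YEAR:
        raise ValueError(f"year predates the CVE program: {text!r}")
    return CveId(year, int(seq))


def is_valid_cve(text: str) -> bool:
    """Boolean convenience wrapper around parse_cve."""
    try:
        parse_cve(text)
    except ValueError:
        return False
    return True


def extract_cves(blob: str) -> list[str]:
    """Return the distinct, well-formed CVE IDs found in free text, sorted by year then sequence."""
    found = set()
    for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", blob):
        if is_valid_cve(m.group(0)):
            found.add(parse_cve(m.group(0)))
    return [str(c) for c in sorted(found)]


# Constructed sample text for the example; the IDs are the four named in the article.
SAMPLE_ADVISORY = (
    "The exploit chain used CVE-2023-41990, CVE-2023-32434, CVE-2023-32435 "
    "and CVE-2023-38606. Duplicate mention: CVE-2023-41990. "
    "Malformed IDs such as CVE-23-1234 or CVE-2023-01234 should be ignored."
)

if __name__ == "__main__":
    for cve in extract_cves(SAMPLE_ADVISORY):
        print(cve)
```

Running the block prints the four IDs in sorted order once each; the malformed ones are skipped by `is_valid_cve`.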

And these vulnerabilities change hands through market transactions. A programmer at a cybersecurity company told reporters that the "zero-day vulnerability" market generally splits into two paths. The first is legitimate: companies actively buy "zero-day vulnerabilities" in order to fix their own code. Researchers who find a "zero-day vulnerability" can report it to the affected company, and many companies reward them with a bounty. The other path is the black market, which is also what most people choose: they sell the "zero-day vulnerabilities" they hold to intermediary companies. According to the programmer, selling on the "black market" clearly pays more than the bounties companies offer.

Guo Tao, an angel investor and veteran artificial intelligence expert, said that while some security companies claim to comply with international regulations and to sell vulnerability details only to trusted institutions or countries, the law is unclear about how this behavior is controlled. In practice, those who find and sell vulnerabilities are often more willing to sell to black-market organizations that bid higher, because the rewards from those organizations far exceed what they would receive for submitting the vulnerability to an official body or to the vendor whose product contains it.

A few days ago, Operation Zero, a Russian company, announced on its official accounts on Telegram and X (formerly Twitter) that it is raising its reward for "zero-day vulnerabilities" in iOS and Android mobile devices from $200,000 to $20 million.

Similar to Operation Zero, UAE-based Crowdfense recently announced a vulnerability acquisition program under which it will spend $30 million buying "zero-day vulnerabilities" in mobile devices such as phones and in software.

The reporter noticed that on some "zero-day vulnerability" procurement price lists, prices range from thousands of dollars to millions of dollars.

Tian Jiyun, a digital business security expert, told reporters that "zero-day vulnerabilities" are expensive because of their particular nature: first, they are sudden, destructive, impossible to defend against in advance, and highly effective in an attack; second, few "zero-day vulnerabilities" are sold on the open market, and scarcity makes them expensive; third, "zero-day vulnerabilities" not only embody the attacker's technical strength, but are also an important indicator of the technical strength of security defenders.

Guo Tao believes there are two main reasons for the high price of "zero-day vulnerabilities": first, the security of the two major operating systems, iOS and Android, has improved, which makes it more difficult to hack into mobile phones; second, because of specific events, some organizations may find researchers less willing to cooperate with them, so they have to buy at a premium.

It cannot be eradicated

The economic stakes are enormous, and the high returns from discovering and exploiting "zero-day vulnerabilities" make it impossible to eradicate the gray industry.

Guo Tao said that while some organizations and individuals are committed to ethical hacking and want to report these vulnerabilities through appropriate channels rather than exploiting them, some still choose to sell them illegally for monetary gain. In addition, the continuous development of technology means that new "zero-day vulnerabilities" are constantly emerging, making it nearly impossible to eradicate the market completely.

"Software programs are written by people, and there are always vulnerabilities; some have been discovered and some have not yet been discovered. This leads to an endless supply of 'zero-day vulnerabilities'," Tian Jiyun said. "With today's ubiquitous Internet, 'zero-day vulnerability' transactions are cross-border and anonymous, which makes it difficult to effectively supervise and crack down on them. In addition, the lack of clear legal provisions in some countries, and the lack of capacity and resources among regulators, also make 'zero-day vulnerability' transactions easier."

Not only that, but the rapid development of artificial intelligence has also made the "zero-day vulnerability" trade more rampant. ChatGPT can generate functional code given clear, unambiguous instructions. Recently, Aaron Mulgrew, a self-described novice at malware development, used ChatGPT to build, in a very short time, malware capable of stealing sensitive data from compromised devices, which he described as "zero-day" because no existing detection recognized it. The malware evaded detection by every antivirus engine on the VirusTotal platform (owned by Google).

"Without an AI-based chatbot, I estimate that it would have taken a team of five to ten malware developers weeks to find such a vulnerability, especially to evade all security detections," Mulgrew said.

In some countries, trading in "zero-day exploits" is permitted, but only with specified organizations and institutions. For example, intelligence agencies use "zero-day vulnerabilities" for national security and counter-terrorism; military departments use them to conduct cyber attack and defense exercises and to develop cyber weapons; security companies use them to develop security software and improve network defense capabilities; and software vendors and service platforms use them to patch security vulnerabilities in their products and improve product security.

In China, however, "zero-day vulnerability" transactions are treated as activities involving cybersecurity and are strictly regulated, to prevent vulnerabilities from being exploited maliciously and to protect the interests of the state, enterprises and individuals.

In recent years, China has introduced laws and regulations governing conduct related to "zero-day vulnerabilities". For example, the Cybersecurity Law of the People's Republic of China, which came into effect on June 1, 2017, clearly stipulates that a provider "that discovers that its network products or services have security defects, vulnerabilities and other risks shall immediately take remedial measures, promptly inform users in accordance with regulations, and report to the relevant competent authorities," and that "carrying out activities such as network security certification, testing and risk assessment, and releasing network security information such as system vulnerabilities, computer viruses, network attacks and network intrusions to the public, shall comply with relevant state provisions."

The Provisions on the Management of Security Vulnerabilities in Network Products, issued by the Ministry of Industry and Information Technology, the Cyberspace Administration of China and the Ministry of Public Security and in force since September 1, 2021, stipulate that "no organization or individual may use network product security vulnerabilities to engage in activities that endanger network security, or illegally collect, sell or publish information on network product security vulnerabilities," and that "where technical support is provided to others who use network product security vulnerabilities to engage in activities that endanger network security, the public security organs shall handle the matter in accordance with law; where the circumstances provided for in Article 63 of the Cybersecurity Law of the People's Republic of China apply, punishment shall be imposed in accordance with those provisions; and where a crime is constituted, criminal responsibility shall be pursued in accordance with law."