
How secret rise of zero-day brokers is causing worldwide security risks

'Zero-day attacks can inflict extensive damage, and we've seen several examples of them being deployed for a variety of outcomes recently, ranging from intentionally crippling infrastructure to stealing private data.'

Analysis: Zero-day hackers exploit security vulnerabilities in software that the developers of that software are often completely unaware of

Imagine scrolling through your social media feed when a notification pops up, seemingly from a trusted friend. It contains a funny meme or a scandalous news story, but the link takes you to a different website. Clicking it feels harmless, a momentary distraction.

But unbeknownst to you, the link is infected with a zero-day exploit hidden within the seemingly innocuous code. This exploit silently infects your device, turning it into a digital sleeper agent. Millions of devices around the world fall victim to the same attack, their webcams activated, microphones recording conversations, transforming homes into unwitting surveillance hubs. Now, imagine there is a marketplace where these attacks can be sold.

These marketplaces, also known as zero-day brokers, operate in a world of secrecy and calculated risk. Unlike traditional marketplaces, their transactions often occur on invitation-only forums and in encrypted chat rooms, some using cryptocurrencies such as Bitcoin as the means of payment. The secrecy and security of their operations are reflective of the goods being sold.


From RTÉ Radio 1's Morning Ireland, is the use of social media apps on public service devices adding to risk of cyberattacks?

Zero-day exploits are essentially vulnerabilities in software that the makers of that software don't yet know exist. They are called zero-day because the software developer has been aware of the flaw for zero days, meaning they are completely oblivious to the threat the vulnerability might pose and have had no time to prepare a fix.

These zero-day attacks can inflict extensive damage, and we've seen several examples of them being deployed for a variety of outcomes recently, ranging from intentionally crippling infrastructure to stealing private data. In 2010, the Stuxnet worm stunned the world as it targeted Iran's nuclear facilities, exploiting multiple zero-day vulnerabilities to disrupt uranium enrichment centrifuges.

In 2017, the WannaCry ransomware attack wreaked havoc globally, leveraging a zero-day exploit in Microsoft's Windows operating system to rapidly spread and encrypt data on infected computers. The Capital One data breach in 2019 exposed the personal information of millions of customers due to a zero-day vulnerability in a web application firewall.

From TED, cyber-forensics expert Ralph Langner on how he and his team solved the mystery of the Stuxnet computer worm

Like a thief silently entering your home through an unlocked window, a zero-day attack can wreak havoc before anyone even realizes they’re under threat. As one might expect, the development and emergence of vulnerability identification has evolved significantly over time, reflecting the ever-changing landscape of cybersecurity.

In the early days of computing, vulnerabilities were often discovered serendipitously by hackers or security researchers who stumbled upon flaws while exploring software systems. These discoveries were typically shared within informal networks or underground communities, where individuals exchanged knowledge and techniques for identifying vulnerabilities.

As the internet and digital technologies grew, the need for formalised vulnerability identification processes became increasingly apparent. This led to the establishment of dedicated platforms and forums, such as Bugtraq and the Common Vulnerabilities and Exposures database, where researchers could report and catalog vulnerabilities in a structured manner.

From HackerSploit, how to perform vulnerability identification

Over time, vulnerability identification has become a specialised field within cybersecurity, with professionals using manual code analysis, automated scanning tools and penetration testing to identify and mitigate security weaknesses in software systems. The researchers who are first to discover a vulnerability are now able to sell this information through zero-day brokers, revealing their secrets to any interested buyer.

Who might be interested in purchasing this information? Unfortunately, the list of would-be buyers is a long one, ranging from state-sponsored actors and law enforcement agencies seeking new espionage tactics for intelligence gathering and surveillance, to cybercriminals seeking exploits for financial gain, access to sensitive information, or the disruption of systems and networks.

The ever-increasing complexity of software creates more vulnerabilities so finding weaknesses can be a lucrative business. For example, the current rate for a zero-day exploit that can remotely access an iPhone's iOS software is $2.5 million. One broker, Crowdfense, now offers even more, approximately $3 million for the same capability. Elsewhere, Zerodium acquires zero-day exploits that target operating systems, web browsers, web servers and applications with bounties that range from $2,500 to $2,500,000 per submission.

From RTÉ Brainstorm, why password rules and regulations don't work

For vulnerability researchers, these are the choices available: you can opt to be ethical and report your bugs to the software makers so they can fix them directly, or you can explore the grey market, where vulnerabilities may fetch significantly higher prices from other buyers. This brings with it an element of controversy, as researchers might pursue financial gain over responsible disclosure.

When vulnerabilities are disclosed responsibly, software vendors can swiftly develop and deploy patches, eliminating the window of opportunity for attackers to exploit the flaw. But the existence of a thriving grey market for zero-day exploits poses significant risks to cybersecurity. By selling vulnerabilities to malicious actors or state-sponsored entities, brokers inadvertently contribute to the proliferation of cyber-threats, potentially undermining the integrity and security of digital infrastructure on a global scale.

This shadowy world of zero-day exploits underscores the constant struggle between those who seek to exploit vulnerabilities and those who strive to protect them. As technology continues to evolve, so too will the methods used to find and exploit these digital weaknesses. The question remains: can we stay ahead of the curve and ensure a more secure digital future, or will the ever-growing market for zero-day exploits tip the scales in favor of chaos?



The views expressed here are those of the author and do not represent or reflect the views of RTÉ