A vulnerability is a flaw in a system or application that an attacker could exploit; a company may discover it internally or be notified of it by an outside researcher.
A zero-day vulnerability is the special case where the flaw becomes known to attackers before the vendor knows about it, or at least before a patch is available. Because no fix exists yet, and often no detection signature either, attacks that use it are far more likely to succeed. When a flaw under active exploitation turns out to be unpatched, the organization's IT team has a zero-day on its hands, and it is rightly treated as a code-red event.
A zero-day exploit that can compromise an application, device or network is often viewed as the ultimate prize in hacking. The name captures the defender's position: attackers can exploit the vulnerability immediately, or are already exploiting it, so the vendor and the affected organizations have had zero days to prepare a fix.
A mailing list known as BugTraq, founded in 1993 and active for almost three decades, served for years as a public channel through which numerous zero-day vulnerabilities were disclosed.
"For a considerable period, hackers showed minimal interest in pursuing financial incentives. Initially, upon uncovering zero-day exploits, they would approach the creators of the flawed software, including Sun Microsystems, HP, Oracle, and Microsoft."
Nicole Perlroth
Journalist, The New York Times.
In those early days, hackers contacted these companies to alert them to the zero-day vulnerabilities in their software.
"However, instead of viewing this as beneficial quality assurance feedback, companies often responded with legal threats, warning that any further probing would lead to legal consequences," explained Nicole Perlroth.
Thus BugTraq emerged as a response to the legal threats issued by these companies. Users would adopt pseudonyms, hide behind proxies, identify zero-day vulnerabilities and publish them for hackers worldwide to read. This practice lay at the core of early hacking culture.
The market's origins are modest: a buyer visits BugTraq and browses a few usernames. You notice Mnemonix, Aleph One or Hacknisty, then send a courteous email with an offer significantly higher than their annual earnings. An excerpt from the original BugTraq mailing list shows an email thread by an unidentified person (or group) using the name Malvuln. The thread concerns multiple variants of the well-known Win32 DarkGate Loader Trojan and describes, according to the post, arbitrary code execution (ACE) through the malware's HTTP POST API requests, which expose field IDs, data and so on.
Zerodium, a controversial cybersecurity company, operates in the shadowy realm of exploit acquisition. Known for buying zero-day exploits from researchers and reselling them to government customers, the company sustains a market that many argue incentivizes unethical behavior: instead of promoting responsible disclosure to software vendors, Zerodium's lucrative payouts encourage the sale of critical software flaws to the highest bidder.
Zero-day exploits that grant access to a chat application, web browser or email client have been priced at up to $500,000, whereas full exploit chains that compromise a phone without any user interaction (so-called zero-click exploits) have commanded prices of up to $2.5 million.
This practice raises significant ethical and security concerns, as it prioritizes profit over public safety and the integrity of the software everyone depends on, casting a dark cloud over the cybersecurity landscape. One incident often cited to show what an unpatched flaw in widely deployed software can do is the Kaseya-REvil attack of July 2021.
The REvil ransomware gang exploited a then-unpatched vulnerability in Kaseya's VSA software, a remote monitoring and management tool used by managed service providers (MSPs) to administer client networks. By compromising customers' on-premises VSA servers, REvil pushed its ransomware down through the MSPs to their clients, reaching on the order of a thousand downstream businesses worldwide. The attack disrupted operations for many small and medium-sized enterprises; REvil demanded ransoms from individual victims and offered a universal decryptor for approximately $70 million.
The flip side of this market has been the entry of governments, whose military and intelligence agencies use zero-days in offensive cyber operations. While no government openly acknowledges its role in the zero-day marketplace, experts believe that many dangerous trojans and exploits have been taken off the open market by third-party entities and brokers acting at the behest of governments.
The zero-day market is a multifaceted ecosystem with multiple tiers and participants. Unlike in the past, numerous companies today run bug bounty programs that reward individuals for discovering vulnerabilities in their software. This lets hackers earn money lawfully while bolstering internet security: firms and independent researchers actively seek out bugs and report them to vendors in exchange for recognition and compensation.
In other words, this forms the legitimate white market.
Beneath this is the gray market, where brokers and businesses quietly purchase vulnerabilities and supply them to governments for surveillance and offensive cyber operations.
At the lowest level is the black market, where criminal groups procure zero-days to facilitate data theft, fraud and ransomware.
The continuous demand for stolen data, and for access that can be monetized, sustains the market for zero-day vulnerabilities. As long as cybercriminals can turn these flaws into profit, the cycle of finding and trading zero-days will endure.
Organizations must stay vigilant and invest time and resources in robust security measures. Because, by definition, no patch exists for a zero-day at the time it is used, defenses cannot rest on patching alone: reducing exposed attack surface, enforcing least privilege, segmenting networks and monitoring for post-exploitation behavior limit what a successful exploit can achieve. Combined with a culture of cybersecurity awareness, these measures let businesses mitigate risk and protect sensitive information from malicious actors.