
#19 - Double zero is not a secret agent
Hi there! My name is Diego Parrilla. I’m a developer who became an entrepreneur, and my latest company is Threatjammer. Subscribe now to my weekly digest about tech, threat intel, privacy, and security!
Pegasus is spyware developed by NSO Group, a company based in Israel that sells the software, under export licences from the Government of Israel, to other authorized governments to help them combat terror and crime. Sadly, such a powerful cyber-weapon was also used to spy on anti-regime activists, journalists, and other persons of interest.
It is a highly sophisticated piece of spyware (not a virus: it does not self-replicate) that can infect iOS (iPhone) and Android phones over the air without any intervention from the device owner. As a result, the target usually has no visible sign of being spied on until experts perform a forensic analysis of the device; it’s close to the perfect spying tool.
An infection that needs no action from the user (no tap on a link, no opened attachment) is a zero-click attack or exploit. And when the attack takes advantage of a vulnerability that is unknown to the vendor, or known but not yet patched, we are talking about a zero-day exploit. Pegasus used (uses?) extremely sophisticated zero-click attacks built on zero-day exploits. Some of these exploits are technological marvels, the kind of masterpiece that makes you praise its creation as an intellectual achievement, taking the theoretical concept of Weird Machines into practice. Please read these articles from Google’s Project Zero (Google’s elite security research team) if you want to blow your mind: part one, part two.
A zero-click attack, based on a zero-day exploit of iOS or Android, capable of bypassing the operating system’s security measures, taking control of the device, and persisting on it, is one of the most expensive pieces of software on earth. Such exploits are so scarce that in the past nation-state intelligence agencies used to compete for them, and they are even scarcer now that new cybersecurity companies and cybercriminals are willing to bid high for them.
According to the rewards in Apple’s bug-bounty program, the payout maxes out at $1,000,000 for zero-click kernel code execution with persistence and kernel PAC bypass. The Android and Google Devices Security Reward Program tops out in the same range. It’s possible to “chain” several exploits and get an extra reward, but the total still looks meagre compared with the offers from private exploit brokers. Worse, the hunter has no negotiation power with these large organizations: when a hunter submits a new vulnerability, they are at the mercy of Apple or Google to decide how much and when they will be paid. Many researchers complain about how slowly and poorly they were paid after submitting their work.
Backed by venture capital or large corporations, private exploit brokers offer sums of money larger than Apple or Google. For example, Zerodium offers up to $2,500,000 for an Android zero-click full chain with persistence (kernel code execution and PAC bypass included). Nation-state intelligence agencies, companies like NSO Group and Candiru, and new actors like Boldend (backed by Peter Thiel’s VC arm) also compete to find new zero-click and zero-day exploits to feed their business, offering sums at least in Zerodium’s range. Scarcity pushes prices up, but there is more.
The zero-day market (zero-click or not) is also in high demand on the dark web. Some threat actors claim that a top exploit could go for up to $10,000,000. Cybercriminals must offer more than the legitimate brokers to compete with them, given the risks (jail and money laundering). The funny thing about this market is that some nation-state intelligence agencies use straw men to find the best zero-days, in tough competition with cybercriminals. As all my readers can imagine, the exploit is mostly paid for with cryptocurrencies. And I said “mostly” because I recently read in a hacker’s forum somebody saying they could pay in American dollars!
The craziest trend is “exploit-as-a-service”: the exploit-as-a-service model allows cybercriminals to lease zero-day exploits to perform their criminal activities. It democratizes access by lowering the barrier of entry to sophisticated exploits. And it can make a lot of sense: a developer can profit from selling a zero-day exploit, but it often takes a lot of time to complete the sale. This model lets zero-day developers generate earnings by renting the zero-day out while waiting for a final buyer.
The music snippet
Zero is the number.