Recently, the security insider reported that a company specializing in buying and selling zero-day vulnerabilities has offered cybersecurity researchers $20 million for hacking tools that let its clients break into iPhones and Android devices.
Based in Russia, the company, named “Operation Zero”, was founded in 2021. At the end of September, Operation Zero announced via its official Telegram and Twitter accounts that it would raise the payout for zero-day vulnerabilities in mainstream mobile platforms from $200,000 to $20 million.
Due to high demand on the market, we're increasing payouts for top-tier mobile exploits. In the scope:
— iOS RCE/LPE/SBX/full chain — From $200,000 up to $20,000,000 (twenty millions).
— Android RCE/LPE/SBX/full chain — The same.
As always, the end user is a non-NATO country.
— Operation Zero (@opzero_en) September 26, 2023
Operation Zero stated, “By increasing the premium and providing competitive plans and bonuses for contract works, we encourage the developer teams to work with our platform.” The company added that “as always, the end user is a non-NATO country.” On its official website, the company says that “our clients are Russian private and government organizations only.”
When asked why it sells only to non-NATO countries, Operation Zero’s CEO, Sergey Zelenyuk, declined to give specifics. He said only, “No reasons other than obvious ones.”
Zelenyuk also indicated that the bounty amounts offered by Operation Zero might be temporary, reflecting the peculiarities of current market conditions and the difficulty of breaching iOS and Android systems.
In an email, Zelenyuk elaborated, “Pricing for specific projects largely hinges on the ease or complexity of procuring products in the zero-day market. Currently, comprehensive vulnerabilities in smartphones command a premium, primarily deployed by governmental operatives. At times, actors, desiring a specific product, may tender elevated prices, striving to preempt others.”
For almost a decade, many companies worldwide have offered bounties to security researchers in exchange for vulnerabilities and hacking techniques. Unlike traditional bug bounty platforms such as HackerOne or Bugcrowd, companies like Operation Zero do not alert the vendors of the affected products; instead, they sell the vulnerabilities to government customers.
This is essentially a gray market, characterized by volatile pricing and customers who typically remain secret. Nonetheless, some firms, like Operation Zero, openly publish their price lists.
For instance, Zerodium, established in 2015, offers a reward of $2.5 million for vulnerability chains that let its clients break into Android devices without any interaction from the target. In other words, the target can be compromised without having to click on a phishing link. Zerodium’s official website states that for such vulnerability chains it offers a maximum bounty of $2 million.
Because security mitigations and defenses in modern mobile devices keep improving, hackers may need to chain several zero-day vulnerabilities together to fully compromise and take control of a target device.
Headquartered in the UAE, Crowdfense is a rival to Zerodium, offering bounties of up to $3 million for similar vulnerability chains on Android and iOS.
Zelenyuk said he considers the bounties offered by Zerodium and Crowdfense too low. Zelenyuk commented, “The price formation of specific items is heavily dependent on availability of the product on the zero-day market. Full chain exploits for mobile phones are the most expensive products right now and they’re used mostly by government actors. When an actor needs a product, sometimes they’re ready to pay as much as possible to possess it before it gets into the hands of other parties.”
The zero-day market is largely unregulated. In some jurisdictions, however, companies may need export licenses from their own governments, which means seeking approval to sell products to potentially restricted countries. As a result, the zero-day market has become increasingly fragmented and politically influenced.
Via: TechCrunch