Prices for zero-day attacks rise as companies beef up products to defend against hackers

Tools that allow government hackers to break into iPhones and Android phones, popular software like Chrome and Safari, and chat apps like WhatsApp and iMessage are now worth millions of dollars, and as those products become harder to hack, their prices are rising: they have increased exponentially in the past few years.

On Monday, startup Crowdfense released an updated price list for these hacking tools, which are often called “zero-days” because they rely on unpatched vulnerabilities in software that are unknown to the software manufacturer. Companies such as Crowdfense and one of its competitors, Zerodium, claim to obtain these zero-day vulnerabilities with the intention of reselling them to other organizations, often government agencies or government contractors, who claim they need the hacking tools to track or monitor criminals.

Crowdfense is currently offering $5 to $7 million for zero-day exploits that break into iPhones, up to $5 million for zero-day exploits that break into Android phones, up to $3 million for Chrome and $3.5 million for Safari zero-days, and $3 to $5 million for WhatsApp and iMessage zero-day exploits.

In its last price list published in 2019, Crowdfense offered a maximum payout of $3 million for Android and iOS zero-day vulnerabilities.

The price increase comes as companies like Apple, Google and Microsoft are making it harder to crack their devices and apps, meaning their users are better protected.

“It should be increasingly difficult to exploit any software we use, no matter what device we use,” said Dustin Childs, director of threat awareness at Trend Micro ZDI. Unlike Crowdfense and Zerodium, ZDI pays researchers to obtain zero-day vulnerabilities and then reports them to the affected companies so they can be fixed.

“As threat intelligence teams like Google’s discover more zero-day vulnerabilities, and platform protections continue to improve, the time and effort required by attackers increases, causing their discovery costs to increase,” according to Google’s Threat Analysis Group, which tracks hackers and the use of zero-day vulnerabilities.

Google said in a report last month that it found 97 zero-day vulnerabilities exploited by hackers in the wild through 2023. Spyware vendors, who often work with zero-day brokers, are responsible for 75% of zero-day vulnerabilities targeting Google products and Android, according to the company.

People inside and outside the zero-day industry agree that exploiting vulnerabilities is becoming increasingly difficult.

David Manouchehri, a security analyst who understands the zero-day market, said, “Hard targets like Google Pixels and iPhones are getting harder and harder to crack every year. I expect the cost will continue to increase significantly over time.”

Paolo Stagno, research director at Crowdfense, said: “The mitigation measures that providers are putting in place are having an effect, making the whole transaction more complex and more time-consuming, so obviously that’s going to be reflected in the price.”

Stagno explained that in 2015 or 2016, it was possible for just one researcher to find one or more zero-day vulnerabilities and develop them into a full-blown exploit for iPhone or Android. Now, he said, “it’s almost impossible to do it” because it requires a team of multiple researchers, which also drives up the price.

Crowdfense is currently offering the highest public price to date outside of Russia, where a company called Operation Zero announced last year that it was willing to pay up to $20 million for tools to crack iPhone and Android devices. However, prices in Russia are likely to increase due to the war in Ukraine and subsequent sanctions, which may deter or completely prevent people from dealing with Russian companies.

Out of public view, governments and companies may pay a higher price.

“The prices Crowdfense offers researchers for individual Chrome [Remote Code Execution] and [Sandbox Escape] exploits are below market levels, from what I’ve seen in the zero-day industry,” said Manouchehri, who previously worked at Linchpin Labs, a startup focused on developing and selling zero-day exploits. Linchpin Labs was acquired by U.S. defense contractor L3 Technologies (now known as L3Harris) in 2018.

Alfonso de Gregorio, founder of Zeronomicon, an Italian startup that acquired zero-day vulnerabilities, agreed, telling TechCrunch that the price “definitely” could be higher.

Zero-day vulnerabilities have been used in court-sanctioned law enforcement actions. In 2016, the FBI used a zero-day vulnerability provided by a startup called Azimuth to break into the iPhone of a gunman who killed 14 people in San Bernardino, The Washington Post reported. In 2020, Motherboard revealed that the FBI, with the help of Facebook and an unnamed third-party company, used a zero-day vulnerability to track down a man who was later convicted of harassing and extorting young girls online.

There have also been several cases of zero-days and spyware allegedly being used to target human rights dissidents and journalists in Ethiopia, Morocco, Saudi Arabia and the United Arab Emirates, among other countries with poor human rights records. Similar cases of abuse have occurred in democracies such as Greece, Mexico, Poland and Spain. (None of Crowdfense, Zerodium or Zeronomicon has been charged in similar cases.)

Zero-day brokers and spyware companies like NSO Group and Hacking Team are often criticized for selling their products to unsavory governments. In response, some of these companies are now pledging to comply with export controls to limit potential abuse by customers.

Stagno said Crowdfense complies with embargoes and sanctions imposed by the United States — even though the company is headquartered in the United Arab Emirates. For example, Stagno said the company will not sell to Afghanistan, Belarus, Cuba, Iran, Iraq, North Korea, Russia, South Sudan, Sudan and Syria, all of which are on the U.S. sanctions list.

“Everything the United States does, we’re watching,” Stagno said, adding that Crowdfense would drop an existing customer if it was placed on a U.S. sanctions list. “All companies and governments subject to direct U.S. sanctions are excluded.”

At least one company – spyware alliance Intellexa – appears on Crowdfense’s specific blacklist.

“I can’t tell you whether it was ever a customer of ours and whether it’s no longer a customer of ours,” Stagno said. “But, as far as I’m concerned, Intellexa is not a customer.”

In March this year, the U.S. government announced sanctions against Intellexa founder Tal Dilian and his business partners. This was the first time the government had imposed sanctions on individuals involved in the spyware industry. Intellexa and its partner company Cytrox are also subject to U.S. sanctions, making it more difficult for the companies and the people who operate them to continue doing business.

According to TechCrunch, these sanctions have caused concern in the spyware industry.

Intellexa’s spyware has reportedly been used to target U.S. Congressman Michael McCaul, U.S. Senator John Hoeven and European Parliament President Roberta Metsola, among others.

De Gregorio, Zeronomicon’s founder, declined to say who the company is selling to. The company posted a code of business ethics on its website, which includes vetting customers to avoid doing business “with entities known for human rights abuses” and respecting export controls.
