Transcript for:
Zero-Day Exploits and the Black Market

How do you hack something? We all know the answer: you sit by the computer and bash the keyboard, some numbers and symbols fly across the screen, and if the bashing is intensive enough, success, you're in. It works in movies and TV shows, so it should work the same in real life. It doesn't. No matter how hard you try, no matter how many keyboards you break, you are not going to break good cybersecurity. For that you need something special: a secret. And to get that secret you have to become part of the deepest and darkest community on the internet. Forget your dark web marketplaces and hacker forums; it's deeper than that. It's a space whose entire existence rests on its covertness, where the world's best hackers trade secrets for life-changing sums of money, where governments, megacorporations and criminal cartels compete over snippets of information that can change the world. Welcome to the zero-day market.

You're standing in front of a high and strong wall. How do you get to the other side? Walls like this are all over the internet. They guard the data of companies, nations, institutions, even people like you. When somebody purchases a gadget or an app, the wall is included in the price: people are paying for not getting hacked. But how do you hack things, then? How do you get to the other side of that wall? Smaller walls can be scaled or broken through; that's what things like SQL injection and denial-of-service attacks do. Most walls have an even easier entrance: just talking your way in, which is called social engineering. But for some walls, even the strongest brute force or the cleverest infiltration is not going to work. You need a better way in. You come closer and inspect the bricks. Maybe one of them is cracked, or protrudes just enough to give you a foothold. Maybe it can be moved to reveal a secret passage. Windows 10 and Mac OS X, some of the most popular operating systems out there, have around 80 million lines of code. If each line were a brick, you could build nearly 300 miles of wall with them. 300 miles, 80
million bricks. What's the chance that one of them has a flaw? In code, a flawed brick is a bug, a vulnerability that can be used and exploited, a hole in the system you can slip through. The companies that build walls don't want flawed bricks; their income depends on shipping a secure product. They have entire departments dedicated to finding flaws in the code and pay hefty sums of money to anyone who can reveal a bug. And whenever a company finds a vulnerability in its software, it issues a patch, a fix that replaces the brick and removes the vulnerability. So the importance of a security flaw is measured by how long ago it was discovered. Week-old bugs are as good as patched. Two- or three-day-old ones are probably being exploited by every wannabe hacker out there, and the patch is already on the way. (In practice the line is less clean than that: a great many real intrusions use so-called n-day bugs that were patched months earlier but never applied by the victim, because a patch only removes the brick once somebody installs it.) But if a company has no idea a bug exists, in other words if it has known about the bug for zero days, it's a whole other story. A useful zero-day is the holy grail of hacking: a secret vulnerability that can be exploited to breach the security of a device, an app or an entire network. Not only are you slipping right through the wall, nobody even suspects you're doing it. But good zero-days are hard to come by. To find one you have to be better at spotting flaws than every single engineer hired by the wall-building company, and even then you may spend years staring at the code looking for a useful flaw. Or you can look for someone who already did that.

This is Bugtraq, a mailing list that dates back to the early '90s, and the place where you can find thousands of what used to be zero-days.

"For a long time, hackers really had very little interest in money. And in the beginning, when they would find zero-day exploits, and when I say the beginning I'm talking about mainly the '90s, they would go to the companies that had written this sloppy software, like HP, Oracle, Microsoft, Sun Microsystems, and they would say, hey, I found this bug in your software. It's a zero-day, by the way."

This is Nicole
Perlroth. She's a New York Times journalist who spent years investigating the zero-day marketplace, and a lot of what we know about its history comes from her reporting. To create this story, we reached out to experts like her who have actual hands-on experience. Finding and contacting them is a bit more difficult than it looks; the only reason we can do this is you, our viewers, and we are thankful for every token of appreciation you can give, be it a like, a subscribe or a comment. A small gesture can go a long way.

So the early hackers would attempt to contact the companies and notify them about zero-days in their software.

"And the companies, instead of looking at this as, oh, thank you for the free quality assurance, often replied with a letter from their general counsel saying, if you poke around our software again, we'll see to it that you go to prison."

So, Bugtraq: you create a snappy handle, you hide behind a proxy, you take your zero-day and mail it to thousands of hackers across the world. The community gets valuable information, the company gets punished, and you, you get street cred. Sharing and exploring zero-days was a major part of the early hacker culture and a source of pride for many. But as the years went by, this state of things began changing into something unrecognizable.

There is a wall, and you really, really need to get to the other side. You have money, you have connections, you have resources. All you need is a hint. You go to Bugtraq and look for names. There is Mnemonix, Aleph One, pack nisty, scores upon scores of handles, a lot of very skilled people who do a lot of work for free. But maybe some of them would like a bit of compensation. You choose one. An email, a polite, well-measured offer, and a sum more than they earn in a year, more than the software company is willing to pay for the same bug. There are very few problems a bottomless budget can't solve. Years pass. You do the same again and again. You establish stronger connections, relationships, networks. Some of the people are reliable,
others not so much. You keep the reliable ones close, the dangerous ones even closer. You are not the only one buying, and your contacts are not the only ones selling. A market begins to form and grow. Just by sending some emails you get zero-days that can bypass any wall. And even if you have a problem finding sellers, there might be a solution to that. Middlemen emerge: zero-day brokers, companies with shady names and even shadier backgrounds, willing to help you in your struggle. They can find whoever you need and conduct the transaction. They will even confirm that the merchandise works and vouch for its effectiveness.

"They're very much a matchmaking service, right? A government could go and, you know, post, even anonymously, on Reddit or some underground forum, hey, I want to buy an exploit. But then you're dealing with some unknown party. You have issues around escrow, you know, both trust from the buyer side and trust from the seller side. And so these exploit brokers work as middlemen and matchmakers. They're holding stuff in escrow, holding funds in escrow and then confirming the vulnerability actually works, in many cases, before even brokering the deal. And then of course, for all those services, they take a percentage off."

So you buy a snippet of information from a broker or an anonymous hacker online, you confirm that the vulnerability works, and you develop an exploit: a piece of attack code that can reliably turn one flawed piece of code into a safe passage through the wall. Time to use it.

What you are looking at now is an exploit. Not an actual one, but a reconstruction that researchers managed to piece together after scraping the remains of an attack on their own phones. It's designed to infect iPhones through an invisible iMessage. The user never gets a notification, not even a blip on the screen. A snippet of code just slips in and stays completely silent. It begins by working through a
particular bug: a flaw that had existed in Apple software for decades, a remnant of a function that has long been discontinued, a deformed brick that once supported a wall but no longer does. After slipping through, the code takes over a small part of the phone's memory, just enough to get some minor things done. Using this memory, the message finds another, larger hole in the wall, another zero-day, through which even more malicious code can be brought in. It's unexploitable from outside, but once you're in, you can use it. The new code is more potent, and it begins a war on the phone's native defenses. A short battle rages under the fingers of the unsuspecting user until the invading code uses yet another vulnerability, one that allows it to bypass the phone's remaining protections. In several seconds the iPhone is conquered. Finally, one more vulnerability is used to gain access to and take over the Safari browser. Now the phone is at the mercy of the intruder, and will report everything the owner does, sees or hears. A string of four zero-days, an entire attack chain tied together by some very well-written code, giving you unrestricted access to any iPhone on the planet. The researchers called this chain Operation Triangulation, a weird name for an attack that has four prongs, not three, but who are we to judge.

Weird naming aside, these exploits are incredibly potent and incredibly dangerous, and to get that sort of capability you have to pay the price. Just like with almost anything on an open market, the price is a reflection of the usefulness. One of the very few glimpses we get into the cost of attacks like Operation Triangulation is a price list from Zerodium, a major broker company that actually publishes its prices.

"According to Zerodium, a zero-day that allows you to bypass a phone's passcode or a PIN nowadays is up to $100,000. A zero-day that allows you to access their chat application, a web browser or an email could cost up to half a million. Zero-days that give you access to somebody's phone without any interaction
on their part can net you two to $2.5 million."

So, millions of dollars to break into a phone, and that's not even counting the salaries of the small army of hackers who wrote the exploit, making the zero-day usable. These are not the amounts of money you pay to keep tabs on your cheating fiancé. The people who use these attacks aim a lot higher.

"The biggest demographic of buyers, you know, on open markets, is probably governments. I mean, they have money that cybercriminals can't touch, or can't possibly match, even some of these larger ransomware gangs. And the value that they get out of the intelligence that they gain with these zero-days is not measured in dollars and cents either."

"Some zero-days are harmless. You know, you find a mistake in the code, and it might be in a system which is not widely used, or if it's even used by some niche audience, it's not that interesting, not worth your effort to break into that system. But the systems that hackers and nation states spend a lot of time on right now are iPhone software, Android software, software that touches critical infrastructure, software that touches, like I said, you know, cryptocurrency systems, wallets that could get you a lot of cash in cryptocurrency."

We may never know the actual cost of Operation Triangulation. There's only a small handful of broker companies that publish their prices, and countless more that don't. The actual cost of a zero-day, let alone an exploit, can vary a lot. A good example of that is Operation Zero, a broker that popped up just a few years ago. In September 2023 it offered the highest price for an exploit that had ever been recorded: $20 million for a full attack chain. Things like Operation Triangulation could cost at least as much, or even more. All of that to give you access to a phone, a small device that tracks its user. But some targets of such attacks are bigger. A zero-day bought for a similar price
might net you entry to a desktop computer, or an industrial controller, or an entire network that maintains the infrastructure of a factory, a military base, a city. Stuxnet, one of the most advanced examples of malware ever found, used a string of four zero-days to get into an Iranian nuclear facility and sabotage its centrifuges. NotPetya, the most damaging cyberattack ever recorded, paralyzed an entire country for several days and caused billions of dollars' worth of damage to international companies that operated there. One correction a practitioner would insist on: NotPetya spread with a single exploit, EternalBlue, which had been a zero-day when it was developed inside the NSA, but Microsoft had patched the underlying bug three months before the attack. It did its damage because so many machines were still unpatched, not because the hole was unknown. The phones of people close to Jamal Khashoggi, a journalist murdered by the Saudi Arabian government in 2018, were infected with Pegasus spyware through zero-day exploits and used to monitor him and his circle.

So far we've been comparing a zero-day to a flaw in a wall, a brick that reveals a hidden entrance. This comparison is quite harmless, maybe a bit too harmless. A zero-day could also be compared to a weapon, or more correctly to a material from which a weapon can be made, a more powerful weapon than almost anything in the world. With the right set of zero-days, a government can wage cyber war against both competing governments and its own citizens. For a government with enough funds to buy such a collection and enough skilled personnel to exploit it correctly, any security is no longer an obstacle. And most of these zero-days have at some point been traded on the zero-day market. They were bought, sold and shared. This happens every day, right there under the noses of law enforcement, regulators and corporations that can't and won't do anything to fight it. Why? How is trading zero-days even legal, and why does nobody treat it with at least a fraction of the seriousness people treat the sale of weapons of mass destruction? Well, the answer to that is a bit complicated. The zero-day market is a sprawling structure with several levels and a huge variety of players. It seems harmless on the surface. Nowadays, unlike 20 or 30 years ago, lots of companies offer bug bounty programs. They pay for any vulnerabilities
found in their software, encouraging hackers to earn their income legally and make the internet more secure in the process. Some firms and researchers do the same but independently: they look for bugs in the code of popular software and notify the vendors. Sometimes they get paid; in any case they get exposure, the corporate version of hacker street cred. This is how the white market works, the tip of the iceberg, something most people mean when they talk about zero-days. But there is a level below that, the part of the market where companies don't have catchy names and aren't too fond of being noticed, where researchers don't advertise their findings and a lot of them get redacted.

"You can go search LinkedIn and find people that are, you know, hiring contractors, right, that are hiring for vulnerability research, requiring security clearance. That's not an anomaly in the US, but make no mistake about it, right, all governments are either researching these or purchasing them, and probably some combination thereof."

This is the gray market. Strictly speaking it's not legal, but it's not illegal either. The governments are investing in research and hiding what they find from the public. They pay the hackers for their silence and use the zero-days for spying and cyber warfare. It's hard to comprehend, morally dubious and entirely unregulated. But there's a level below that too.

"Finally, we have the black market, which is sometimes governments, if there are international regulations limiting their ability to buy the exploits on the gray market. A lot of illegal activity goes on on the black market, and the value is much higher than the white market; it could be 10 to 100 times as high for exploits as on the white market. So you will find a lot of international crime networks and organizations, some rogue governments, non-state actors of various types operating there illicitly."

Recently the world witnessed a very telling example of exactly that. This is an app called MOVEit, a managed file transfer product
similar in purpose to WeTransfer or OneDrive. It has a boring interface and a moderate market share; safe to say you've probably never used it unless you worked at a major corporation or government office. Before 2023, most of its clients were the big shots, the likes of Shell, Sony and the US Department of Energy. In late May 2023, Cl0p, a major ransomware gang, began exploiting a zero-day vulnerability in MOVEit Transfer. The bug was a SQL injection flaw in the product's web front end, which is worth noting: a bug class that is routinely dismissed as a small wall becomes a zero-day the moment the vendor does not know about it. Immediately it was used to breach exposed servers and steal the data of the organizations running them, and what resulted was the largest data-theft extortion campaign in recent years. Cl0p's victim list runs to thousands of organizations and well over 90 million people, more than the population of Germany or France. Cl0p began extorting the companies, threatening to release their secrets if they didn't pay a ransom. We'll never know how many companies budged, but the payouts quite certainly made a lot of criminals very, very rich. All thanks to one single zero-day.

"So it started with nation states and their contractors, and like most of these techniques and tools, it has now migrated to cybercriminals. And over the past few years we've seen cybercriminals use zero-day exploits in various ransomware attacks, or hacks of cryptocurrency exchanges or wallets, and that kind of thing."

So that's the black part of the zero-day market. With it, the whole thing seems quite neat and organized. You have the good guys who work openly and hunt for zero-days to expose them and make everyone safer. You have governments and shady companies who trade zero-days to stay on top of the cyber warfare game. And you have the criminal organizations that buy zero-days to steal data. You can read all about this on Wikipedia, or, well, anywhere. But this structure is clear only from the surface. When you begin looking at the market closer, the lines begin to blur and things get worse.

Let's get back to Operation Triangulation, an attack that used four zero-days to gain access to any iPhone. This operation was discovered after researchers at Kaspersky, a
Russian cybersecurity company, accidentally detected its traces on their own phones. The researchers admitted it is the most complex and most advanced attack they've ever dealt with. It has all the telltale signs of a state-sponsored hacker army, and a very powerful one at that. At the same time, the Federal Security Service, the FSB, Russia's domestic security agency, announced discovering the same attack patterns on thousands of phones of Russian government officials. The service said they had identified the attacker: American intelligence agencies, who spied on Russian citizens in this unparalleled international attack. According to the FSB, such an attack had to be coordinated with Apple, which would not allow bugs like those to remain in its systems without a reason. Apple denied the accusation. But then there is Operation Zero, the company which offered $20 million for the same kind of attack chain, hinting that the attack is more than possible without Apple's input. Just like with most vendors, we know very little about Operation Zero, but one thing we know, and it's a thing the company is loud and proud about, is that it sells its exploits only to Russian intelligence agencies and companies. Another thing we know is that it was founded by a former employee of Kaspersky, the same company that was later attacked by Operation Triangulation. For a citizen of the United States, selling a zero-day to Zerodium, which would pass it on to the NSA, would be work on the gray market; to sell the same bug to Operation Zero, the citizen would have to enter the black market. And for a Russian hacker who discovered the same zero-day, the situation would be strictly reversed: contacting Operation Zero would make them a millionaire, and contacting Zerodium would likely land them in jail. But only a small minority of hackers live in the United States or Russia. Every country in the world aims to get an edge in cyberspace, and each one of them sets its own rules in accordance with its alignment. Each one has its own white, gray and black
markets. And thanks to the world being as interconnected as it is, absolutely nothing prevents one government from reaching out to the black market of another.

"Governments that are not looking for morally dubious things generally use gray and white markets to get those types of vulnerabilities. If they go to the black market, it's really because they can't get to it in any other way."

And it gets pretty complicated. Both Zerodium and Operation Zero are pretty straightforward: they sell to their governments and are transparent about it. But when it comes to brokers, those two are an exception. Most companies that trade in zero-days work entirely in the shade. What they sell, who they sell to and who works for them is a total secret, and from what we know, they often use that to blur the lines between the markets even more, either by accident or not entirely so.

"So they may actually, you know, not sell to sanctioned regimes, because that would obviously be illegal, but they probably aren't doing as much due diligence as you might otherwise want. And they might even in some cases, through that lack of due diligence, be working, possibly unwittingly, with some cybercriminals."

"But then we have these high-profile incidents where groups like Hacking Team, which was based in Milan, Italy, get hacked themselves, and we say, oh, they're selling to African nations that have horrific human rights records, or to Russia, which might not have initially fit these hackers' moral calculus on who's a good country, who's a bad country, who has free press and who doesn't."

And thanks to all this secrecy and all of this blurring, imposing any kind of regulation on the zero-day market, or even going after anybody who crosses the line, becomes nearly impossible.

"Prosecuting somebody who is, you know, themselves anonymous and who facilitates anonymous purchases is very complicated, even when you know the parties involved. And no one likes doing that, because they also
want to see brokers as sources of information. So for them it's better to give the broker immunity and get them to cough up whatever they know about the deal than to go after them and give additional parties an interest in covering everything up even more. That's why they're not very likely to be prosecuted."

And this is how the zero-day market operates: with no regulation, with no prosecution, always on the border of legality and morality. It is sprawling and complex, and at the same time mostly invisible and entirely opaque. For people who first learn about it, it's difficult to have any kind of positive reaction. After all, we are speaking about the underground sale of weapons that can be, and sometimes are, used against every one of us. So an urge to regulate, or straight up ban, can be overwhelming, no matter how difficult or impossible that might seem. But there can be a different perspective on this, a perspective held by a lot of people who used to work in intelligence agencies and witnessed what governments use their zero-days for.

"Yeah, this one's a rather, you know, complex one for me. I don't speak purely from opinion; a little bit of it's from experience. I think it's known at this point that I'm a former intelligence professional and a former government hacker, right? And so I've seen firsthand the value of retaining a zero-day purely for offensive purposes. Of course there's a risk there, right, and that's why the US government has the Vulnerabilities Equities Process, where very smart and very educated people from across different agencies in the government meet about zero-days that we have knowledge of, and may or may not have weaponized, may be available for sale, what have you, and discuss the value of using it for intelligence versus the value of making our infrastructure safe, right, and globally, infrastructure safe. It's
a bit complex for me. I absolutely can't side with the folks that say all zero-days are equal. That can't be the case."

What you're looking at now is a theoretical exploit of a vulnerability in PHP, a scripting language that forms the backbone of the internet, both the visible one, such as the page you are on right now, and the invisible one, the dark web, a place you've probably heard of. Websites and servers there are based on the same principles as regular websites, and they are susceptible to the same vulnerabilities. Sometime in 2023, somebody somewhere discovered a cracked brick in the wall that forms a part of PHP. We don't know who that was or why they did it. Maybe they found the zero-day themselves, maybe they bought it on the market. And then they took that cracked brick and turned it into a passage. With that passage they could have attacked any server running a vulnerable PHP build and taken over any website hosted on it. But the website they did attack looked like this: it's the dark web blog of LockBit, one of the largest criminal organizations in the world. In several years of their existence, LockBit attacked thousands of people and extorted billions after stealing their data and demanding ransom. At the height of their activity they accounted for almost half of the entire ransomware market in the world. In early 2024, LockBit was taken down. Their whole infrastructure, spanning dozens of servers and the accounts of hundreds of cybercriminals, was taken over by a combined task force of law enforcement from 11 countries. They hit the gang so hard that it practically had to recreate itself anew, and it might never return to the top of the food chain. And this entire operation was most likely conducted thanks to a PHP exploit. One caveat a practitioner would add: whether that exploit was a true zero-day is disputed. LockBit's own administrator later claimed the entry point was a known and already patched PHP bug, CVE-2023-3824, that the gang had simply failed to patch on its servers, and law enforcement has not said how it got in. So yes, it can be difficult to admit, but sometimes the governments and law enforcement agencies just do their job, and sometimes that job requires a well-placed exploit.

"Well, it could be unethical, but the problem is it works both ways. Yes, it could facilitate
governments looking to spy on opposition members, journalists and so forth, and there are many campaigns constantly attacking governments and companies for doing exactly that. It could also be the reverse. It could be other governments going after the oppressive governments and trying to cause them problems. It could also be private initiatives looking for exploits to attack these governments, such as what Anonymous affiliates were doing against Russia during the war with Ukraine. So if you start going after this market, it will end up hurting both sides, and more likely the government will win anyway in that scenario, because they have more money to spend. They're not operating at a risk when they use those markets; they will use third parties who they'll burn, but then they'll find somebody else."

So everything is a lot blurrier than it might seem. The zero-day market is a huge tangled mass of legal and moral questions, of companies that sell to criminals and governments alike, of agencies that seek exploits and pay millions but call it illegal to use the same exploits against them, of criminals attacking governments and governments attacking criminals, and of hackers who are the source of it all, people who earn their living staring into the wall.

Most of the zero-day market is completely secret, but after all, we know about it, right? So somebody is definitely breaking the first rule of Fight Club. Sometimes it's former government employees who say as much as they can without crossing the line. Sometimes it's brokers who want to attract attention, both from potential sellers and buyers. And sometimes it's hackers themselves who decide to talk, despite what others tell them.

"As I document in the book, there are various cases where certain brokers, there was a very famous one based in Thailand, I don't know where he is now, the Grugq, he's a very well-respected member of the hacking community, spoke to a Forbes reporter, a friend of mine, Andy Greenberg, at one point, and thought he was
speaking off the record, basically. The Grugq shared a lot of information, priceless, you know, some rules of the game. At one point he even posed for a photo next to a duffel bag which, I don't know whether there was actual cash in it, but it looked like there was cash in it, I don't know if it was real or not. And from what I understand, after that appeared he was visited by Thai police, and basically, according to friends and colleagues of his, lost half his business, because there were a lot of governments who had been buying zero-days from him who said, I don't want to do business with someone who's going to pose next to a duffel bag of cash in Forbes magazine. That is the antithesis of who I want to be working with. And so that became a very public example to other zero-day brokers that they would do well to keep their mouths shut."

We tried contacting the Grugq for this story, and it seems he learned his lesson, just like almost any zero-day seller or broker you can find on the internet. Some of them have public profiles, some reveal some details of their operations, some even share their names, but the overwhelming majority have to operate through multiple layers of encryption. And when you get to that point of secrecy, there's just no way to know who you're dealing with.

"And frankly, it's dangerous for you to know, and that's why it's done particularly in that way. So the reason why no one wants to talk about this is, one, you know, their customers require complete discretion. No government wants to purchase a zero-day from someone who's out there mouthing off about what they have, who they're selling it to. They need to be able to trust these people to keep these sales quiet. So discretion is critical."

Which is why, while we know a lot about the zero-day market, there's much more we don't, and probably never will, even despite the impact it has and will have on our lives. So there you go: the zero-day market, the digital underworld full of elite hackers and
horrific secrets, a world that sometimes spills into our reality causing massive harm, but also a world that is inseparably intertwined with ours, with ties that simply can't and probably won't be broken. The walls are built by people, and as long as that happens, some bricks in them will be flawed. And as long as there are flawed bricks, there will be people who will pay money to have them found. And so the zero-day market will persist. We hope you enjoyed this short dive into another extremely complicated topic. We're very thankful to Nicole Perlroth, whose book on zero-days served as an inspiration for this story. Don't hesitate to give a chance to our other explainers; we cover all things cyber and usually upload one every other week. Stay informed, and have a nice day.