Java Zero-Day Offered On Russian Dark Market For $100k

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Java zero-days can make as much as $100,000 on the Internet underground, but the buyers will earn even more, RSA analysts tell TechWeek

Java zero-day software flaws aren’t just worth tens of thousands, they can fetch hundreds of thousands, according to RSA security experts.

When asked how much vulnerabilities were selling for, one cyber intelligence agent, tasked specifically with infiltrating Russian dark markets on the Web, told TechWeekEurope he had seen a Java vulnerability on sale for $100,000.

“The latest Java vulnerability, that went for $100,000,” he said. But crooks are happy to pay such large amounts because they know they can turn their investment into something hugely lucrative, the RSA researcher said. “They could make up to a few millions of dollars in a week or a month,” he added.

“We see a lot of different software [vulnerabilities for sale]. Of course, the more popular are Java and the various Microsoft products because of how widespread they are.”

Russian darkweb sites are home to plenty of zero-day vulnerability salesmen and women. As RSA told TechWeek, during our visit to the company’s Anti-Fraud Command Center in Tel Aviv, Israel, Russian cyber crooks are the most advanced, and perhaps most terrifying, fraudsters on the planet.

Java zero-day sales

He did not go into detail about which Java zero-day flaw he was talking about, although it was selling on a Russian forum, another RSA analyst subsequently confirmed. Many security holes have been discovered in the Oracle-run programming language and software platform, some of which have been widely exploited by cyber crooks.

Last month, security blogger Brian Krebs said he had seen a zero-day on sale for $5,000, although subsequent conversations he had online indicated the price was considerably higher.

RSA researchers’ comments indicate market prices for software vulnerabilities on the darkweb are almost equalling those sold by professional outfits, like French merchant VUPEN or US firm Errata Security, who say they primarily work with governments and large private organisations.

A TechWeekEurope report into the exploit seller market discovered exploits had been sold for $500,000, for a single vulnerability and the tools needed to infect machines.

Some complain the massive cost of vulnerabilities, which continues to grow exponentially, is bad for security in general. That’s because crooks and certain vulnerability sellers alike don’t hand their findings to vendors. If software makers were informed of zero-day flaws, they would be able to patch, protecting all users of their technology, rather than a select few.

Talking about why the vulnerability market was so profitable, Idan Aharoni, head of cyber intelligence at RSA’s Anti-Fraud Command Center in Tel Aviv, told TechWeekEurope that zero-day flaws could easily be translated into money.

“You buy an exploit, you get a lot of people infected, you don’t even need to know what to do with those infected machines, you just sell them on to someone who is interested,” Aharoni said. “If you buy an exploit for $100,000 and you infect machines, you can sell those machines for $500,000.”
