Symantec researchers tell TechWeek that dark market crooks are getting big bucks from selling zero-days, despite the rise of legitimate bug bounties
Previously unknown, unpatched vulnerabilities, known as zero-day flaws, are often selling for between $50,000 and $100,000 (£30,ooo-£60,000) on underground hacking forums, according to Symantec researchers.
Despite bug bounty programmes from major software vendors like Microsoft and Google that offer researchers thousands of pounds for their vulnerabilities, underground criminals are still able to offer more, said Candid Wueest, from Symantec’s Security Response team.
Big zero-day money
“For code execution through a browser… it often takes a few vulnerabilities together to execute code,” he told TechWeekEurope. “This makes it more difficult to find one and then the prices rise.”
Wueest said it was “a small market but definitely regular” and even if the likes of Microsoft can offer money via bug bounty programmes, there will be someone offering more on the dark web forums.
In 2012, TechWeek heard that a vulnerability affecting Oracle Java was selling for $100,000, but such high sales were a rarity.
Microsoft recently raised the maximum amount it would pay for reported vulnerabilities and also said it would give money out to those who simply alerted the company to zero-days, without having to show how an exploit would work.
Even Tesla, the car manufacturer, has adopted a vulnerability reward programme, indicating there will be more legitimate money on offer for researchers in the coming years.
Yet attackers are still keen to get their hands on such flaws. Symantec told TechWeek it had seen the attackers thought to have been involved in breaching Google in 2009 in action in the last couple of weeks.
The Elderwood hacker group was seen targeting various industries, including government defence contractors, with a number of zero-days, and has continued to operate despite much attention from the security community.
Are you a security pro? Try our quiz!