Zerodium offers big bucks for cloud zero-days
Exploit vendor Zerodium announced today plans to pay a whopping $500,000 for zero-days in popular cloud technologies like Microsoft's Hyper-V and (Dell) VMware's vSphere.
Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors --software that lets a single "host" server create and run one or more virtual "guest" operating systems.
Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP.
With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years.
This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium --a Washington, DC-based exploit vendor-- is by far the leading company. In a tweet earlier today, Zerodium has announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.
"The exploits must work with default configs, be reliable, and lead to full access to the host," the company said on Twitter.
We're paying up to $500,000 for #0day exploits targeting VMware ESXi (vSphere) or Microsoft Hyper-V, and allowing Guest-to-Host escapes.
— Zerodium (@Zerodium) March 5, 2019
The exploits must work with default configs, be reliable, and lead to full access to the host. Contact us: https://t.co/8NeubPvSdj
This kind of tweet and offer isn't anything new from Zerodium. The company usually pays fixed prices for exploits and then hikes up payouts during so-called "exploit acquisition raids," when it's purposely looking to enhance its offering for certain types of exploit classes.
Zerodium previously held acquisition raids for zero-days in iOS, instant messaging apps, the Tor Browser, Linux, Adobe Flash Player, routers, and USB thumb drives.
These acquisition raids are normally limited to a few weeks, and after that payouts return to their normal pricing range.
"Our new payout for hypervisors will last for a couple of months, and we'll then decide if we reduce it or keep it high, depending on the
number of acquisitions we will make," Zerodium CEO Chaouki Bekrar told ZDNet via email.
Previously to today's acquisition raid, Zerodium used to pay up to $200,000 for exploits in vSphere and Hyper-V, according to its price charts.
The company's move to hike up hypervisor exploit payouts comes after Microsoft anted up payments for Hyper-V bugs last summer when it began paying up to $250,000 for similar exploits, outbidding Zerodium and all other exploit buyers.
"Microsoft's bounty for Hyper-V exploits is very attractive for researchers, however, VMWare is not paying anything to zero-day hunters," Bekrar told ZDNet.
"We have decided to fill this gap, and we've been paying $200,000 for such exploits, and we've acquired many of them so far," Bekrar said.
"However, we've recently observed an increase in demand from customers, [and] we have decided to increase the bounty to $500,000 to outbid vendors and all existing buyers."
The customers the company is referring are government and law enforcement agencies.
Their increasing interest in cloud zero-days is only normal, seeing that AWS and Azure have been slowly cannibalizing the web hosting market, with fewer and fewer web hosting providers hosting their own data centers, and more of them choosing to rent cloud servers instead.
With cyber-crime, malware, and APT operations being often hosted on cloud servers, it is only normal that these agencies would be more interested in taking over cloud servers hosting malicious infrastructure.
According to previous statements, Zerodium describes itself as a vendor who buys zero-days from security researchers and sells the vulnerabilities to government and law enforcement agencies. While other exploit vendors have caught selling hacking tools to oppressive regimes, there have been no such reports, at the time of writing, about Zerodium.