The underground market for zero-day exploit sales has long been a hidden dark alley to anyone but the hackers and sellers who call it home. But the recent hack of the Italian spyware maker Hacking Team, and the subsequent dump of 400 gigabytes of its internal emails, has shone a bright light on the nature of exploit sales, how they’re negotiated, and how they’ve been kept in check by security protections.
At least three zero-day exploits have been uncovered so far among the trove of data leaked by the attacker who breached Hacking Team. Hacking Team buys zero-day exploits in order to install its spyware, known as RCS, on targeted systems. It provides both the exploits and RCS to government intelligence and law enforcement agencies around the world, and has come under attack for selling to repressive regimes, who’ve used them to target political activists and dissidents. But more interesting than the fact that the company possessed zero days—this was already known—is the correspondence around how Hacking Team acquired these valuable tools, prized equally by criminal hackers and government intelligence agencies.
Security researcher Vlad Tsyrklevich culled through the leaked documents and says they provide one of the first extensive public case studies of the zero-day market. The emails expose a wealth of information about the going-rate for exploits, the terms-of-sale, and the parties negotiating deals with Hacking Team and other buyers.
One so-called Starlight-Muhlen exploit Hacking Team sought, for example, was going for $100,000. Exclusive iOS exploits could cost as much as half a million, according to one of Hacking Team’s sellers. It’s long been known that zero-days can sell for anywhere between $5,000 to half a million or more, but seeing the price negotiations in writing provides new insight into the fluid value of zero-days. Payments by Hacking Team were generally made in two- and three-month installments that instantly dissolved if a vulnerability the exploit targeted got discovered and patched by the software maker, eliminating its value.
The documents also help support assumptions about the effectiveness of some security controls. Hacking Team’s persistent request for exploits that could break out of sandboxes, for example, and its frustration over failed exploits, support assumptions that sandboxes are worth the effort to include them in software.
A sandbox is a security feature that’s meant to contain malware and keep it from breaking out of a browser and affecting a computer’s operating system and other applications. Sandbox vulnerabilities are highly prized because they’re hard to find and allow an attacker to escalate control of a system.
“[H]aving to buy Windows local privilege escalation [exploits] to get around Windows sandboxes is good for defenders,” Tsyrklevich told WIRED. “It’s good to know that [the security measure is] not completely trivial.”
The leaked emails are notable for another reason, however: they also show that Hacking Team struggled to find vendors willing to sell to it, since some suppliers would only sell straight to governments and refused to do business with the firm. Though Hacking Team began seeking zero days in 2009 and contacted a number of sellers over the years, it appears to have failed to secure zero days until 2013.
Furthermore, over the course of the six years that Hacking Team was in the market to purchase zero days, it appears to have only acquired about five, based on what Tsyrklevich was able to uncover in his analysis. This included three Flash zero-days, one Windows local privilege escalation/sandbox escape exploit, and one exploit for Adobe Reader.
“That’s fewer than what I think many people would have expected of them,” he told WIRED.
The emails show that in 2014, Hacking Team attended the SyScan conference in Singapore for the specific purpose of recruiting exploit developers to work directly for them and bypass the problem of reluctant sellers. They also thought it would help them avoid paying middlemen resellers who they felt were inflating prices. The strategy worked. Hacking Team met a Malaysian researcher named Eugene Ching, who decided to quit his job with D-crypt’s Xerodaylab and go solo as an exploit developer under the business name Qavar Security.
Hacking Team signed a one-year contract with Ching for the bargain price of just $60,000. He later got a $20,000 bonus for one exploit he produced, but it was a valuable exploit that Tsyrklevich notes could have sold for $80,000 alone. They also got him to agree to a three-year non-compete, non-solicitation clause. All of which suggests Ching didn’t have a clue about the market rates for zero days. Ching’s talents weren’t exclusive to Hacking Team, however. He apparently also had a second job with the Singapore Army testing and fixing zero-day exploits the military purchased,according to one email.
Others who didn’t have a problem selling to Hacking Team included the French firm VUPEN security, as well as the Singapore-based firm Coseinc, the US-based firms Netragard and Vulnerabilities Brokerage International and individual exploit developers like Vitaliy Toropov and Rosario Valotta.
Tsyrklevich notes that despite increasing publicity over the last few years about Hacking Team’s nefarious customers, the company suffered little blowback from exploit sellers. “In fact, by raising their profile these reports served to actually bring Hacking Team direct business,” he notes. A year after the research group at CitizenLab published a report that HackingTeam’s spy tool had been used against political activists in the United Arab Emirates, Hacking Team took on a number of new suppliers.
Among them was Vitaliy Toropov, a 33-year-old Russian exploit writer based in Moscow, who approached the company in 2013 offering a portfolio with three Flash zero-days, two Safari zero-days, and one for Microsoft’s popular Silverlight browser plug-in, which Netflix and others use for online video streaming.
His asking price? Between $30,000 and $45,000 for non-exclusive exploits—meaning they could be sold to other customers as well. Exclusive zero-days, he wrote, would cost three times this much, though he was willing to offer volume discounts.
Hacking Team had three days to evaluate exploits to determine if they worked as advertised. The company offered to fly Toropov to Milan to oversee testing, but he declined.
“Thanks for your hospitality, but this is too unexpected for me,” he wrote in an email, promising that his exploit code would lead to “fruitful collaboration.”
He turned out to be right about that. Although Hacking Team was disappointed in his offerings—the spy firm really wanted privilege-escalation and sandbox exploits that Toropov didn’t have—they were satisfied enough to buy Flash exploits from him. And when one of these got patched a month after purchase, he even gave them a replacement for free.
Another seller was the information security firm Netragard, despite the company’s stated policy against selling to anyone outside the US. Hacking Team got around the restriction by using a US middleman, Cicom USA, with Netragard’s approval. That is, until the relationship with Cicom deteriorated and Hacking Team asked to deal directly with Netragard. Netragard agreed to waive its US-only requirement, telling the Italian firm in March 2015 that it had recently begun to relax its customer policy. “We do understand who your customers are both afar and in the US and are comfortable working with you directly,” Netragard CEO Adriel Desautels told Hacking Team in an email. Netragard offered a fairly rich catalogue of exploits, but Desautels claimed in a recent tweet that his company “only ever provided one exploit to [Hacking Team] ever.”
Notably, Netragard abruptly announced last week that it was closing its exploit acquisition and sales business, following the public disclosure that it was doing business with a firm selling to repressive regimes. In a blog post, Netragard CEO Adriel Desautels wrote: “The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam unbeknownst to us until after their breach was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendors responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it.”
Another controversial supplier was VUPEN, a company whose sole business is selling exploits to governments. Its relationship with Hacking Team was apparently fraught with frustration, however. Hacking Team accused VUPEN of keeping its best exploits for other customers and only providing them with old or non-zero-day exploits. They also accused VUPEN of intentionally burning some exploits—for what purpose is unclear.
Altogether the trove of leaked data from Hacking Team underscores that the market for zero days is robust, but it only exposes one sector. Other more important ones remain opaque. “Hacking Team is a second-rate company that had to work hard to find people who weren’t going to treat it as such,” notes Tsyrklevich. More interesting would be comprehensive data on what the market looks like these days for the first-rate buyers who pose the greatest threat—well-resourced governments and intelligence agencies.
One good thing about the leak, however. The three zero-days exposed so far in Hacking Team’s possession have now been patched, and the leaked data contains a lot of additional information that security researchers can now use to investigate additional vulnerabilities that have never been disclosed and patched.
“There are some bugs described by these vendors (primarily VBI and Netragard) that people can audit for and fix,” Tsyrklevich told WIRED. “We can fix bugs that Hacking Team didn’t even buy!”