Jun 23, 2020
As detection of backdoor vulnerabilities to the Android Operating System present increasingly lucrative potential, locating them has now become somewhat of a treasure hunt for hackers.
When hackers discover a software vulnerability they have two options - report it to the software vendor through bug bounty programs or sell it on the darknet for a serious financial reward. As the market for zero-day software exploits continues to grow with 71% of breaches in 2019 being financially motivated and a further 25% motivated by espionage, the stakes have never been higher.
Vulnerabilities by the year 1988-2019, source MITRE
The slight decrease in vulnerabilities that were reported to the American National Vulnerabilities Database (NVD) in 2019 has failed to reflect much next-generation cyberthreat activity as well as the prevalence of large-scale cyber risks both for businesses and civilians.
After many years of undercover activity, previously only known to highranking hackers and security researchers, 2019 was a year in which some light was shed on the extent of many malicious and all-pervasive cybercrimes. What was revealed is that the state of overall security has never been so critical.
In late 2018, The news of the brutal murder of Jamal Khashoggi was promptly followed by the news that the Saudis had colluded with an Israeli offensive cyber company in espionage activity for some time leading up to Khashoggi’s murder. In 2019, Google’s Project Zero also shed light on what has been described as a Chinese state-backed attack run on Apple Software targeting the Uighur Muslim community, and this under-the-radar attack went unnoticed and uncensured for two years or more. Facebook filed legal action against NSO for ongoing exploitation of WhatsApp with cyberattacks targeting journalists, dissidents, and diplomats. And in retaliation, a group of employees of NSO filed a lawsuit against Facebook.
While these high profile stories made the headlines for their 007 vibes, what was largely underreported were the zero-day vulnerabilities detected across almost every popular software application including Google Chrome, Instagram, Firefox and Apple FaceTime amongst others. Indeed, data breaches exposed 4.1 billion records in the first half of 2019. The cost of cybercrime and cyber espionage was estimated at $445 billion per year in 2014, and $600 billion in 2018, rising to as much as $2 trillion in 2019, with further year-on-year increases projected.
How strong is the incentive for hackers?
While empirical data regarding the worth of vulnerability exploits on the darknet is pretty hard to gather, Zerodioum’s marketplace prices for threat detection provide a good indicator. Zerodioum, the San Francisco-based bug-bounty company acts and pays just like buyers on the darknet, and inform the vendor once exploit is confirmed. Their payout prices in 2019 indicate dramatic price surges in order to keep pace with the growing competition in the market - during 2019 the cost of exploits has been as high as $2M for a full Chrome takeover or "only" $1.5M for a WhatsApp vulnerability gap. This September alone, the price of Android exploits jumped from $0 all the way up to $2.5M.
Here's the full (and crazy) exploit payout prices for mobile devices:
Here's the full (and-not-less-crazy) exploit payout prices for desktops and servers:
Amid growing interest from governments and the soaring prices for the purchase of software vulnerabilities over the darknet, cyber vulnerability tensions among large businesses and governments have reached an all-time high, even culminating in a bombing earlier this year, a world first. This increased focus of large players does not mean that smaller business is getting by unscathed. In 2018 62% of businesses experienced phishing and social engineering attacks in 2018 and hackers stole five hundred million personal records.
Ginni Rometty, IBM’s chairman, president, and CEO, said in 2015: “Cybercrime is the greatest threat to every company in the world.” This comment still rings true today. Vaccinating your company against cyber threats has never been more mission-critical. A proactive approach will protect businesses before it is too late.
Beyond Subjectivity: Sharpening CVSS with Asset ContextMichael Assraf November 20, 2020
What is the Common Vulnerability Scoring System (CVSS)?Kent Weigle November 17, 2020
What is a Vulnerability Assessment?Kent Weigle October 13, 2020
Prioritizing Vulnerabilities: A Holistic ApproachShani Reiner October 13, 2020
Sealing the Patch GapDavid Asraf September 08, 2020