Tag Archive for: products

Price of zero-day exploits rises as companies harden products against hackers


Tools that allow government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage, are now worth millions of dollars — and their price has multiplied in the last few years as these products get harder to hack.

On Monday, startup Crowdfense published its updated price list for these hacking tools, which are commonly known as “zero-days” because they rely on unpatched vulnerabilities in software that are unknown to the makers of that software. Companies like Crowdfense and one of its competitors, Zerodium, claim to acquire these zero-days with the goal of re-selling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals.

Crowdfense is now offering between $5 and $7 million for zero-days to break into iPhones, up to $5 million for zero-days to break into Android phones, up to $3 million and $3.5 million for Chrome and Safari zero-days respectively, and $3 to $5 million for WhatsApp and iMessage zero-days.

In its previous price list, published in 2019, the highest payouts that Crowdfense was offering were $3 million for Android and iOS zero-days.

The increase in prices comes as companies like Apple, Google, and Microsoft are making it harder to hack their devices and apps, which means their users are better protected.

“It should be harder year over year to exploit whatever software we’re using, whatever devices we’re using,” said Dustin Childs, who is the head of threat awareness at Trend Micro ZDI. Unlike Crowdfense and Zerodium, ZDI pays researchers to acquire zero-days, then reports them to the companies affected with the goal of getting the vulnerabilities fixed.

“As more zero-day vulnerabilities are discovered by threat intelligence teams like Google’s, and platform protections continue to improve, the time and effort required from attackers increases, resulting in an increase in cost for their findings,” said Shane Huntley, the head of Google’s Threat Analysis Group, which tracks hackers and the use of zero-days.

In a report last month, Google said it saw hackers use 97 zero-day…

Source…

Researcher takes on ransomware and the products for stopping it


Ransomware, one of the most troublesome forms of cyber attack, is in the crosshairs of a leading cybersecurity research outfit. The researchers at the MITRE Corporation’s Engenuity program recently called for industry to help find out the effectiveness of cybersecurity products designed to help stop it. For the answers, the Federal Drive with Tom Temin spoke with William Booth, the general manager of MITRE’s evaluations program.

Tom Temin And just a brief word on the Engenuity program, which is one of the major channels of MITRE’s work. And then tell us a little bit about the program that you specifically run for evaluating software.

William Booth Yeah. So I run ATT&CK Evaluations, which is born out of and based on the ATT&CK framework, which is really a way of describing cybersecurity tactics and techniques used in the real world. And we take that knowledge base and we apply it through evaluations to the leading cohort of cybersecurity products.

Tom Temin In other words, you try to make sure that the products out there actually match and can take on what you know to be the real threats.

William Booth Yes. And that people have insights and a reference for performance on how they’re doing, both on the detections and on the protection side.

Tom Temin All right. And now the latest call out for industry to join with you, you’re looking at specifically what problem and what types of software?

William Booth We’re mostly focused this time on ransomware, which continues to be a leading issue both for private and for government. And so we’re tackling that slightly differently than before, where we chose a single adversary. Here we’re using an amalgamation of multiple very prevalent and relevant ransomware attacks. And in addition to that, we’re also, for the first time, introducing macOS, which is going to be focused on DPRK activity. Recently, there’s a lot of products out there that cover Windows and Linux and also have Mac, but that’s kind of unknown right now on performance and where the benchmark is. And so we’re hoping to set that.

Tom Temin So North Korea then is going after Macs for ransomware. And are they generally going after…

Source…

Spyware behind nearly 50% of zero-days targeting Google products


Google on Tuesday reported that commercial surveillance vendors (CSVs) are behind nearly 50% of the known zero-day exploits targeting Google products.

The news brought to light the increased prevalence of CSVs and the potential threat of spyware being used against not just famous journalists, politicians and academics, but ordinary citizens and businesspeople.   

Google’s 50-page report found that from mid-2014 through 2023, security researchers discovered 72 in-the-wild zero-day exploits affecting Google products with the Google Threat Analysis Group (TAG) attributing 35 of the zero-days to the CSVs.

“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices,” wrote the Google researchers. “By doing so, commercial surveillance vendors (CSVs) are enabling the proliferation of dangerous hacking tools.”

Morgan Wright, chief security advisor at SentinelOne, said Google’s new information means that anyone, anywhere, any place, is at risk.

The proliferation of mobile computing, along with continuous discoveries of zero-day exploits, means spyware will become a booming market that will continue to grow because there’s demand for these capabilities, Wright said. What’s of most concern, Wright continued, is that the spyware capabilities that were once the exclusive province of nation-state intelligence organizations are available off-the-shelf to anyone with a big enough bank account.

“The number of threat actors will grow exponentially, making it a very challenging exercise to identify and defend against these threats,” said Wright. “For the security community, this means there is no rest. Ever. The vectors of attack will change minute-by-minute and hour-by-hour. Once a threat pops up and is identified and dealt with, many more will develop to take its place. This will force certain decisions about open versus closed platforms. To have more freedom and security, it may require tighter controls.”

Marina Liang, threat intelligence engineer at Interpres, said…

Source…

Two zero-days in Ivanti products actively exploited by threat actor


Researchers suspect an espionage-focused threat group linked to China is behind the exploitation of a pair of newly discovered zero-day bugs in Ivanti VPN appliances.

Volexity disclosed in a Dec. 10 blog that its researchers uncovered an exploit chain the threat actor used, after detecting suspicious lateral movement on the network of one of its customers. Ivanti confirmed the authentication bypass and command injection vulnerabilities on its website.

The vulnerabilities are an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) bug affecting fully-patched Ivanti Connect Secure (formerly known as Pulse Connect Secure) and Policy Secure appliances.

“If CVE-2024-21887 is used in conjunction with CVE-2023-46805, exploitation does not require authentication and enables a threat actor to craft malicious requests and execute arbitrary commands on the system,” Ivanti said in a Jan. 10 advisory.

CVE-2023-46805 has an 8.2 CVSS rating and is described as an authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure that “allows a remote attacker to access restricted resources by bypassing control check.”

The second bug, CVE-2024-21887, has a 9.1 CVSS rating and is a command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that “allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.”
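To make the chaining described in Ivanti’s advisory concrete, here is an added example written for this page; it is not Ivanti’s code and not the real exploit. It models the two bug classes in a toy request handler: a prefix-based access check that can be walked past with path traversal (a constructed bug, chosen for illustration; the page does not say how the real check is bypassed), and an admin-only diagnostic endpoint that splices a request parameter into a shell command. Each is shown beside a hardened version. The URL paths, the session flag, the `diag` endpoint and the hostname pattern are all assumptions, and `echo` stands in for the real tool so the injected payload is harmless.

```python
"""Toy model of 'auth bypass + authenticated command injection = unauthenticated RCE'.
Added example, not Ivanti's code. Every path and endpoint below is made up."""
import posixpath
import re
import subprocess

# Hypothetical URL prefixes the made-up appliance serves without a session.
PUBLIC_PREFIXES = ("/api/v1/public/", "/static/")
# Hypothetical admin-only endpoint that runs a network diagnostic.
ADMIN_DIAG = "/api/v1/admin/diag"


def vulnerable_is_public_or_authenticated(path: str, has_session: bool) -> bool:
    """Constructed bug: the allowlist is compared against the raw request path.
    '/api/v1/public/../admin/diag' matches a public prefix, so no session is required,
    even though the router will later normalise it to the admin endpoint."""
    if path.startswith(PUBLIC_PREFIXES):
        return True
    return has_session


def hardened_is_public_or_authenticated(path: str, has_session: bool) -> bool:
    """Reject traversal outright, normalise, and only then compare against the allowlist."""
    if not path.startswith("/") or "/.." in path or "\\" in path:
        return False
    norm = posixpath.normpath(path)  # collapses '.', '..' and duplicate slashes
    for prefix in PUBLIC_PREFIXES:
        if norm == prefix.rstrip("/") or norm.startswith(prefix):
            return True
    return has_session


def vulnerable_run_diag(target: str) -> str:
    """Constructed bug: user input is concatenated into a shell string.
    'echo' replaces the real diagnostic tool so the demo only prints text."""
    cmd = "echo ping -c 1 " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Assumed hostname pattern: letters, digits, dots and hyphens only (no shell metacharacters).
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")


def hardened_run_diag(target: str) -> str:
    """Validate the parameter against an allowlist and pass it as a single argv element,
    never through a shell, so metacharacters have no meaning."""
    if not HOST_RE.fullmatch(target):
        raise ValueError("invalid host")
    out = subprocess.run(["echo", "ping", "-c", "1", target],
                         capture_output=True, text=True, check=True)
    return out.stdout


def handle_request(path: str, has_session: bool, target: str, auth_check, diag) -> str:
    """Minimal router: run the access check first, then dispatch on the normalised path."""
    if not auth_check(path, has_session):
        return "403 Forbidden"
    if posixpath.normpath(path) == ADMIN_DIAG:
        return diag(target)
    return "404 Not Found"


if __name__ == "__main__":
    traversal = "/api/v1/public/../admin/diag"
    payload = "127.0.0.1; echo INJECTED"
    # Unauthenticated request reaches the admin handler and the shell runs the appended command.
    print(handle_request(traversal, False, payload,
                         vulnerable_is_public_or_authenticated, vulnerable_run_diag))
    # Same request against the hardened checks is stopped at the access check.
    print(handle_request(traversal, False, payload,
                         hardened_is_public_or_authenticated, hardened_run_diag))
```

The chain only works because each layer trusts the other: the access check assumes the router will interpret the path the way it did, and the diagnostic handler assumes only an authenticated administrator can reach it. The hardened version removes both assumptions, so neither bug alone nor the pair gives an unauthenticated caller command execution.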

In-the-wild exploitation

In-the-wild exploitation of the bugs was observed by researchers at Volexity who said in a post that while they could not identify the group responsible, they believed it was a Chinese nation-state-level threat actor.

Ivanti said it had created a mitigation to be applied to the gateways as an initial response while patches for the bugs were developed. Patches would be released on a staggered schedule beginning the week of January 22.

“We are providing mitigation now while the patch is in development to prioritize the best interest of our customers. It is critical that you immediately take action to ensure you are fully protected,” the vendor said.

“We are aware of less than 10…

Source…