Zerodium Paying $500K for Cloud Exploits, Crowd Prediction Market Coming

grarpamp grarpamp at
Wed Mar 6 13:19:37 PST 2019

NSA's / CIA's / In-Q-Tel's / FBI's / FVEY's partners... Zerodium,
Vupen, Azimuth, and Crowdfense ...

Predict and shift from this closed market
to one openly in your favor instead.

Exploit vendor Zerodium announced today plans to pay a whopping
$500,000 for zero-days in popular cloud technologies like Microsoft's
Hyper-V and (Dell) VMware's vSphere.
More security news

    All Intel chips open to new Spoiler non-Spectre attack: Don't
expect a quick fix
    Japanese police charge 13-year-old for sharing 'unclosable popup'
prank online
    Phishing alert: One in 61 emails in your inbox now contains a malicious link
    Hide yo' kids, hide yo' clouds: Zerodium offering big bucks for
cloud zero-days

Both Hyper-V and vSphere are what experts call virtualization
software, also called hypervisors --software that lets a single "host"
server create and run one or more virtual "guest" operating systems.

Virtualization software is often found in cloud-powered data centers.
Hyper-V is the technology at the core of Microsoft's Azure cloud
computing platform, while VMware's vSphere is used by Amazon Web
Services and SAP.

With cloud services growing in adoption, especially for hosting
websites and crucial IT infrastructure, the importance of both
technologies has been slowly increasing in recent years.

This paradigm shift hasn't gone unnoticed in the exploit market, where
Zerodium --a Washington, DC-based exploit vendor-- is by far the
leading company. In a tweet earlier today, Zerodium has announced
plans to pay up to $500,000 for fully-working zero-days in Hyper-V and
vSphere that would allow an attacker to escape from the virtualized
guest operating system to the host server's OS.

"The exploits must work with default configs, be reliable, and lead to
full access to the host," the company said on Twitter.

This kind of tweet and offer isn't anything new from Zerodium. The
company usually pays fixed prices for exploits and then hikes up
payouts during so-called "exploit acquisition raids," when it's
purposely looking to enhance its offering for certain types of exploit

Zerodium previously held acquisition raids for zero-days in iOS,
instant messaging apps, the Tor Browser, Linux, Adobe Flash Player,
routers, and USB thumb drives.

These acquisition raids are normally limited to a few weeks, and after
that payouts return to their normal pricing range.

"Our new payout for hypervisors will last for a couple of months, and
we'll then decide if we reduce it or keep it high, depending on the
number of acquisitions we will make," Zerodium CEO Chaouki Bekrar told
ZDNet via email.

Previously to today's acquisition raid, Zerodium used to pay up to
$200,000 for exploits in vSphere and Hyper-V, according to its price

The company's move to hike up hypervisor exploit payouts comes after
Microsoft anted up payments for Hyper-V bugs last summer when it began
paying up to $250,000 for similar exploits, outbidding Zerodium and
all other exploit buyers.

"Microsoft's bounty for Hyper-V exploits is very attractive for
researchers, however, VMWare is not paying anything to zero-day
hunters," Bekrar told ZDNet.

"We have decided to fill this gap, and we've been paying $200,000 for
such exploits, and we've acquired many of them so far," Bekrar said.

"However, we've recently observed an increase in demand from
customers, [and] we have decided to increase the bounty to $500,000 to
outbid vendors and all existing buyers."

The customers the company is referring are government and law
enforcement agencies.

Their increasing interest in cloud zero-days is only normal, seeing
that AWS and Azure have been slowly cannibalizing the web hosting
market, with fewer and fewer web hosting providers hosting their own
data centers, and more of them choosing to rent cloud servers instead.

With cyber-crime, malware, and APT operations being often hosted on
cloud servers, it is only normal that these agencies would be more
interested in taking over cloud servers hosting malicious

According to previous statements, Zerodium describes itself as a
vendor who buys zero-days from security researchers and sells the
vulnerabilities to government and law enforcement agencies. While
other exploit vendors have caught selling hacking tools to oppressive
regimes, there have been no such reports, at the time of writing,
about Zerodium.

More information about the cypherpunks mailing list