Bug bounty hunters’ attempt at patching zero day vulnerabilities
Dec 13, 2023

Reporter Dina Temple-Raston highlights how bug bounty hunters go after software vulnerabilities and help patch them before bad actors exploit them.

In software development, bugs in the code are inevitable. That’s why companies push out software updates so often. 

But there is a specific kind of bug that is especially worrisome, something called a “zero day.” It’s a bug no one knows about, not even the software company, so it hasn’t been patched and leaves the software vulnerable to hackers.

Dustin Childs, the head of threat awareness for the Zero Day Initiative at the American IT company Trend Micro, spends his days purchasing bugs and zero days. “We buy Microsoft bugs, Apple bugs, Trend Micro, Google, Adobe, you name it,” he said.

His team buys bugs legally so they can fix holes and send out updates. And it’s not cheap. 

“Depending on the type of bug, it could be worth $150,” Childs said. “And depending on where it’s sold, it could be worth up to $15 million.”

So, he was surprised to see the news this summer that a Russian ransomware group called Cl0p used a zero-day to steal data from some 60 million people who were using a file transfer service called MOVEit. 

Using a zero day is something ransomware groups haven’t done much before. But earlier this year, Cl0p got its hands on a vulnerability in the MOVEit software and wrote a program that would allow it to steal data at scale. 

“They were able to write a bot, basically, that would automatically find every MOVEit server in the world, steal the data from it in an automated fashion, and place a backdoor on them,” said Chester Wisniewski, a chief technology officer with the security company Sophos. 

Wisniewski had been tracking the hack. And he said that MOVEit, despite its widespread use, is one of those software programs people don’t think much about. 

We use it to send taxes to an accountant, or a doctor uses it to send medical files to a hospital. So when Cl0p used a zero day to get inside MOVEit, they immediately got access to hundreds of thousands of computer networks. Then, the group began a mass extortion of companies from whom they’d stolen data.

“When you do a traditional ransomware attack, you’re generally only able to target a few victims per week,” Wisniewski said. “And with something like MOVEit … there was very little labor or human effort going into targeting.”

The U.S. State Department is offering a $10 million reward for information that can lead to the arrest of members of the Cl0p gang. 

Dustin Childs, the bug bounty hunter, says this may be the start of something big. He worries ransomware gangs are going to start using zero days on little-known but ubiquitous software to do monster hacks with less work.

“I think it will be a trend for a while, if nothing else, because Cl0p has been incredibly successful,” Childs said. “If one ransomware group is very successful, the other ransomware groups will see that success and try to imitate it.”


The team

Daisy Palacios Senior Producer
Daniel Shin Producer
Jesús Alvarado Associate Producer
Rosie Hughes Assistant Producer