Mysterious Hacker Has Been Selling Windows 0-Days To APT Groups For Three Years (zdnet.com)
For the past three years, a mysterious hacker has been selling Windows zero-days to at least three cyber-espionage groups, as well as cyber-crime gangs, researchers from Kaspersky Lab have told ZDNet. From a report: The hacker's activity reinforces recent assessments that some government-backed cyber-espionage groups -- also known as APTs (advanced persistent threats) -- will regularly buy zero-day exploits from third-party entities, besides developing their own in-house tools. APT groups believed to be operating out of Russia and the Middle East have often been spotted using zero-days developed by real-world companies that act as sellers of surveillance software and exploit brokers for government agencies. However, Kaspersky's recent revelations show that APT groups won't shy away from dipping their toes in the underground hacking scene to acquire exploits initially developed by lone hackers for cyber-crime groups, if ever necessary.
not a problem (Score:4, Funny)
the free market will fix this through competition or something
Re: not a problem (Score:4, Insightful)
It's not about migrating to an OS with no zero-day exploits, it's about moving to an OS with (a lot) fewer zero-day exploits.
Re: (Score:2)
Indeed, it was! Who's the moran now, eh?
Oh wait...
Re: (Score:2)
At some point you get tired of counting them and vulnerabilities becomes a mass noun.
Re: not a problem (Score:4, Informative)
Does it really matter when Windows 10 itself is an exploit?
Re: (Score:2)
Free Markets do self-correct; however, the problem is the level of volatility. A well regulated economy will often follow the same trends as a Free for all Market. However the Free Market will have Higher Highs (which is good) and Lower Lows (which is bad) while a well managed economy will have a gradual climb, and when a recession hits, it is a slight decline.
Back 20 years ago (Numbers are adjusted for inflation), I could live comfortably at $40k a year, now after a few decades, of getting raises and promo
Could be worse (Score:1)
At least he's not selling them to APK.
There is nothing illegal here (Score:1)
There is nothing illegal about finding vulnerabilities and reporting them. What is actually done with those zero days may be illegal, but it is none of this person's concern.
Even if profit is a motive, this person should be able to go about their business with no fear of retribution. If Microsoft wants these zero days reported to them, then they can offer higher bounties.
Re: (Score:2)
Aiding and abetting is illegal.
But as long as you only supply weapons to US allied governments to hack people it's highly unlikely to cause you any trouble, even when used to commit crimes against US citizens.
Victims won't have the means to identify you and the three letter agencies won't have the desire.
Re: (Score:1)
Windows does not need to buy exploits. It has plenty of its own.
Re: (Score:2)
FSB? You mean they're installing spyware directly into the RAM now?!
Re: (Score:2)
If there was a zero-day out there that their opponents had, and they didn't have, and they simply had to pay a researcher to go get it.... do you think they wouldn't? Do you have any idea the lengths that military types have gone to to acquire the cutting edge weapons of other nations? Any idea the price-tag on those operations?
If they didn't, they're simply being arrogant, penny-pinchers, or irrationally sceptic. Remember, we busted Osama because they didn't believe in "western encryption" and rolled th
Re: (Score:1)
Droot droot hatstand no more cocoa for me, vicar! (Score:2)
Well, they clearly don't do it, then. Because obviously they inform you about all the stuff they get up to, same as they do with me. Well they tell the voices, and the voices tell me.
Point being ... (Score:5, Insightful)
... there's a lot of fucking zero days in Windows.
Re: (Score:1)
Kinda makes you wonder if there isn't someone inside MS slipping these in to support an illicit market.
Re: (Score:3)
Sure, writing a secure OS is difficult, but it is far from impossible. We have most of the technology. We lack the will to actually do it, because it would break backwards compatibility and it would certainly not be based on any version of the Windows kernel.
We should also not forget that windows is more than just an OS. It also includes a tightly coupled windowing system, which could be much more secure if it were less tightly integrated. And the driver system is a complete fuckup and a source of many, man
Re: (Score:2)
"It turns out that writing a secure OS is hard"
Depends on how you look at it. I think we all agree that writing bugless code is near impossible, even with all the tools and code analyzers we have at our disposal these days.
But if you look at the level of design, then Windows just fails. Sometimes it looks as if they tried their very best to pick the worst design possible.
Re: (Score:2)
There will be people in tech companies, there will be people in the espionage agencies, there will be people in the security companies, all who want more and simply sell it where they can, to get it. Probably the source of the worst leaks, the various espionage agencies, they already carry out criminal activities in other countries, have awareness of the contacts and know the methods to transfer funds and so, they do exactly what they have been trained to do. What that pompous Pompeo arsehole bragged about,
Re: (Score:2)
My thought as well. Sadly, the article doesn't include numbers, but by the wording he's sold quite a few of those 0-days. And he's not the only person doing it.
Main message: Windows is still so full of holes, it could have a brilliant secondary career as a Swiss cheese.
More QA (Score:2, Interesting)
Re: (Score:2)
M$ did have 1 years ago, but got rid of 'em. So did many other companies. :(
Kaspersky Lab (Score:3)
It's a shame that we don't have an outfit like this available to us to identify and track down such security problems.
Build vs buy (Score:2, Insightful)
All organizations, even criminal ones, have to make decisions about whether it's more cost effective to buy or build the inputs to their process.
If you don't pay for it, someone else will (Score:1)
Re: (Score:2)
Just shoot them if they sell them somewhere else and you find out, it will lower the value of doing so.
Your taxes pay for these... (Score:1)
Advanced nation states are suspected of selling exploits to other nation states through middle-men. By doing so, they can then see who tries to use the exploit, and who they use it against. It's a good way to keep tabs on other countries' security services. They are usually network-based exploits, so use of them can be tracked by anyone with network-sniffing ability on the internet.
So, where are these coming from? (Score:2)
This guy (just one guy?) who's selling these zero day alerts to everyone in the world -- is he just really really smart to discover all of these, or is this perhaps someone at Redmond with a side business?
Re: (Score:2)
Sigh. That should have been "exploits", not "alerts".
Who the fuck wrote this? (Score:1)
"some government-backed cyber-espionage groups -- also known as APTs (advanced persistent threats)"
An APT is not the group that delivered the malware. The APT is the suite of malware that lingers in a network and slowly escalates and exfiltrates information over time to make it appear that nothing is wrong. The names for people that create APTs are usually associated with some government state somewhere.
Re: (Score:1)
They can run consumer AV all day on the OS level, update, make OS changes. The gov/mil code stays hidden and active.
The "persistent" part is what gov/mil crave and pay for.
The other APTs. (Score:4, Interesting)
"APT groups believed to be operating out of Russia and the Middle East".... and Maryland. Does anyone think the NSA and CIA aren't Advanced or Persistent? Surely everyone thinks they're a threat to SOMEONE out there. If they're not, they're not really doing their job. Does anyone think they WOULDN'T buy this sort of knowledge?
Multiple revenue streams. (Score:2)
But Paul Thurrott and /. said otherwise! (Score:2)
Paul Thurrott (shown leaning on a real-life replica of the Microsoft logo [thurrott.com]), cited an unnamed Microsoft insider to claim [thurrott.com]: