Exploit Vendor Zerodium Announces Big Rewards For Cloud Zero-Days (zdnet.com) 27
Exploit vendor Zerodium said today it would pay up to $500,000 for zero-days in popular cloud products and services such as Microsoft's Hyper-V and (Dell) VMware's vSphere. From a report: Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors -- software that lets a single "host" server create and run one or more virtual "guest" operating systems. Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP.
With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.
With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.
Re: (Score:2)
Dell/EMC doesn't own VMWare, they are separate entities.
When I worked at VMware, there were massive layoff when EMC got a new president and needed to pad his bonus. That's the only meaningful definition of being EMC's bitch.
"Exploit Vendor" (Score:2)
Ah...Does this make them "Black Hats"?
Re: (Score:3)
Re:"Exploit Vendor" (Score:4, Informative)
No, they are just your garden variety bottom feeding low-lifes. They used to be called Vupen, then rebranded. Their business model is to buy zero day from script kiddies and actual blackhats and sell it for a much higher fee to governments. They are very arrogant about it, too.
Re: (Score:2)
More "Black Hats with good lawyers", but definitely Black Hats. They make money of illegal and immoral attacks and operate themselves in the grey area created by state-owned and state-sponsored hacking groups like the NSA. Terrorism is peanuts compared to this.
isn't this basically blackmail (Score:4, Interesting)
How is it legal to sell an exploit?
Can't some of the authors sue them for having a "blackmail-based business model"?
Re: (Score:2)
Their suppliers most likely waive away all rights when selling. Their customers are the ones making the laws so they are covered.
Re: (Score:3)
How is it legal to sell an exploit?
They mostly sell to governments. Funny how the legal problems just don't come up.
If Zerodium pays big for cloud exploits... (Score:2, Insightful)
...it means that Western governments, most often the U.S. and Israel, want exploits to infiltrate cloud servers.
Re: (Score:1)
Why single out "western" govts? It means there's money in them, because there's money in the cloud. ALLLLLLL countries would like to know about them. NK would love to have a few. Knowledge is power both offensively and defensively.
The weapon-pushers of the internet age (Score:2)
About as moral. These activities need to be outlawed and banned globally.
Spectre is here to stay... (Score:2)
You may use "SPOILER" to improve the data extraction speed. https://arxiv.org/pdf/1903.004... [arxiv.org]
vSphere not a hypervisor, and Amazon doesn't use i (Score:2)
"while VMware's vSphere is used by Amazon Web Services"
VMWare's Hypervisor is VMWare ESX/ESXi. vSphere is the management software for managing ESX/ESXi.
Amazon doesn't use VMWare, but VMWare was the first customer of AWS's bare-metal instance type (i3.metal), allowing VMWare users/customers the ability to easily migrate VMWare VMs to AWS.
However, in theory, customers can run any x86_64 hypervisor they want on AWS using the EC2 .metal instance types (in practice, there may be some work involved, and would be