Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Bug Businesses Cloud Security The Almighty Buck Technology

Exploit Vendor Zerodium Announces Big Rewards For Cloud Zero-Days (zdnet.com) 27

Exploit vendor Zerodium said today it would pay up to $500,000 for zero-days in popular cloud products and services such as Microsoft's Hyper-V and (Dell) VMware's vSphere. From a report: Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors -- software that lets a single "host" server create and run one or more virtual "guest" operating systems. Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP.

With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.

This discussion has been archived. No new comments can be posted.

Exploit Vendor Zerodium Announces Big Rewards For Cloud Zero-Days

Comments Filter:
  • Ah...Does this make them "Black Hats"?

    • It makes them asshats.
    • Re:"Exploit Vendor" (Score:4, Informative)

      by Anonymous Coward on Tuesday March 05, 2019 @02:30PM (#58220532)

      No, they are just your garden variety bottom feeding low-lifes. They used to be called Vupen, then rebranded. Their business model is to buy zero day from script kiddies and actual blackhats and sell it for a much higher fee to governments. They are very arrogant about it, too.

    • by gweihir ( 88907 )

      More "Black Hats with good lawyers", but definitely Black Hats. They make money of illegal and immoral attacks and operate themselves in the grey area created by state-owned and state-sponsored hacking groups like the NSA. Terrorism is peanuts compared to this.

  • by Richard_J_N ( 631241 ) on Tuesday March 05, 2019 @02:45PM (#58220614)

    How is it legal to sell an exploit?
    Can't some of the authors sue them for having a "blackmail-based business model"?

    • Their suppliers most likely waive away all rights when selling. Their customers are the ones making the laws so they are covered.

    • by lgw ( 121541 )

      How is it legal to sell an exploit?

      They mostly sell to governments. Funny how the legal problems just don't come up.

  • ...it means that Western governments, most often the U.S. and Israel, want exploits to infiltrate cloud servers.

    • by Anonymous Coward

      Why single out "western" govts? It means there's money in them, because there's money in the cloud. ALLLLLLL countries would like to know about them. NK would love to have a few. Knowledge is power both offensively and defensively.

  • About as moral. These activities need to be outlawed and banned globally.

  • and you don't need much more than Spectre to compromise cloud VMs sharing the same physical host. https://arxiv.org/pdf/1902.051... [arxiv.org]
    You may use "SPOILER" to improve the data extraction speed. https://arxiv.org/pdf/1903.004... [arxiv.org]
  • "while VMware's vSphere is used by Amazon Web Services"

    VMWare's Hypervisor is VMWare ESX/ESXi. vSphere is the management software for managing ESX/ESXi.

    Amazon doesn't use VMWare, but VMWare was the first customer of AWS's bare-metal instance type (i3.metal), allowing VMWare users/customers the ability to easily migrate VMWare VMs to AWS.

    However, in theory, customers can run any x86_64 hypervisor they want on AWS using the EC2 .metal instance types (in practice, there may be some work involved, and would be

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...