Absolute Zero-Day is an exclusive exploit brokerage service

Sep 26, 2014 13:56 GMT

Kevin Mitnick, the notorious black-hat hacker of the 90s turned security consultant after serving four and a half years in prison for computer and wire fraud, expanded the activity of his company through trading premium zero-day exploits, the price starting from $100,000 / €78,500.

Named “Mitnick's Absolute Zero-Day Exploit Exchange,” the exploit brokering service offers zero-days developed in-house or purchased from third parties, and sells them to customers, who have to comply with strict standards.

Zero-day exploits take advantage of vulnerabilities that are unknown to the vendor of the targeted product, and no patch exists for them. In the wrong hands, they are highly dangerous as malicious actors could use them for nefarious purposes until the glitch is discovered and fixed.

Buyers and sellers are carefully selected before the company deals with them

“We develop trust relationships and establish loyalty with our buyers and sellers to provide the safest platform for exploit exchange,” says the announcement for the service, which functioned silently for half a year and only now became public.

If the party is unknown to the company, they can be charged a fee at the discretion of the firm to qualify to join.

In an interview for Wired, Mitnick said that selling to criminal organizations or repressive regimes was out of the question.

The service could be used by government agencies for targeted surveillance. “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick told Wired.

Only premium exploits are brokered

Absolute Zero-Day is advertised as a closed network that functions based on referrals from trusted parties and provides exploits that have a CVSS base score of at least 8 and affect widely distributed software.

Two programs are available, Absolute X and Absolute Z, the former allowing customers to retain exclusivity of the exploit for a certain period of time, for an agreed fee; the latter is more expensive and guarantees first knowledge of the availability of an exploit for a targeted system or product.

Security experts can trade their zero-days through the service, details about their identity remaining confidential and the products being exposed to “top-paying government and corporate buyers.”

For researchers to cash in on their work, the exploit has to be validated and approved. Funds from the buyer are held in escrow in the meantime.

Exploit brokerage services are not uncommon or illegal and there are multiple organizations that offer them. Vupen, Netragard and Exodus Intelligence are just a few of them.

Mitnick’s Absolute Zero-Day relies on the company’s “unique positioning among security researchers and the hacker community” to intermediate the exchange between buyers and sellers.