The launch of a standing offer to pay for Windows virtual private network (VPN) software zero-day exploits came to light this week, even as the U.S. mulls new regulations on the export of tools that could be used in cyberattacks against the U.S. or its interests.
The developments signal that the U.S. cybersecurity community is going on the offensive against nation-state actors, researchers noted — but they may not have much effect.
Zerodium, which operates high-end, high-dollar third-party bug-bounty programs, often on behalf of western governments announced it was on the lookout for exploits impacting Windows ExpressVPN, NordVPN and Surfshark. Specifically, the company wants “information disclosure, IP address leak or remote code execution,” the company’s tweet said. “Local privilege escalation is out of scope.”
We're looking for #0day exploits affecting VPN software for Windows:
Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.
Contact us: https://t.co/R6E2CVU9K3
— Zerodium (@Zerodium) October 19, 2021
Attackers hide behind VPNs to keep their location and IP addresses hidden. Between them, ExpressVPN, NordVPN and Surfshark serve tens of millions of users worldwide.
The effort appears to be a reaction to nation-state attacks like last July’s DevilsTounge surveillance malware deployed against government agencies and officials around the world, thanks to a Microsoft 0-day bug. Prior to that attack, hackers demanded $500,000 for information on a Zoom Windows exploit they discovered that allowed them to spy on private conferences on the platform.
Cybersecurity Export Regulation
The U.S. Department of Commerce Bureau of Industry and Security (BIS) has announced new regulations on the export of “certain items” that could be used in cyberattacks.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights.” U.S. Secretary of Commerce Gina Raimondo said about the new rules. “The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber-actors, while ensuring legitimate cybersecurity activities.”
And while the U.S. government efforts are certainly worthwhile, according to Chris Clements, with Cerberus Sentinel, he isn’t convinced the efforts will make much of a dent in attacks.
“First, some of the biggest purveyors of such software are based outside the U.S. where the regulation may not affect them,” Clements said. “Second, many of the most used tools are open source in nature, and it isn’t clear to me how these rules will impact their distribution.”
He added, “Even if common open-source hosting organizations such as GitHub or GitLab were to enact GeoIP restrictions on the download of such designated intrusion software, it would seem trivial for a banned nation to simply VPN through a common VPN provider to bypass such restrictions.”
Clements added attackers don’t really have any moral or ethical issues using pirated versions of software like Cobalt Strike either.
When it comes to Zerodium using cash to draw attention to Windows exploits without working in close coordination with the affected, Ben Pick with nVisium explained to Threatpost it could wind up backfiring.
“Having a third party such as Zerodium look into vulnerabilities in privacy services is a controversial subject,” Pick said. “Discovered vulnerabilities could allow individual, malicious users to be uniquely identified, thus preventing crimes that are otherwise hidden.”
Furthermore, these efforts to guard the security of some could come at the expense of other users’ privacy, he added.
“These vulnerabilities could just as easily be abused to violate countless people’s privacy who are using VPN services for legitimate purposes,” Pick said.
Ultimately, exposing underlying vulnerabilities could, in fact, wind up making government data easier to breach, Pick explained.
“Certain vulnerabilities could be shared among other VPN services which use similar underlying code, putting vast amounts of private and government data at risk,” he told Threatpost. “As Zerodium does not appear to be working with the VPN services themselves to improve their overall security, any identified vulnerabilities will most likely be used to violate the privacy of innocent end-users. This would set a dangerous precedent for bug-hunting services in general.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.