The Zero Day Grey Market
- bnauta10
- Apr 25
- 6 min read
Last blog post, I talked about the Bird Flu and its potential impact on us. For this post, I’m going to write about something…well, let’s just say it’s going to have the same level of cheeriness the bird flu one had (basically none)... I swear I don’t always talk about bad news! So what am I going to talk about? Well, my topic for today is the zero day grey market and its potential impacts on us. Now I know what you’re probably thinking, “What is a zero day?” or “What is a grey market?” But fret not, I will explain what both of these are before getting into the larger issue. A zero day is a software or hardware exploit that is unknown to the developer. In other words, the developer has known about it for zero days. This makes the exploit very dangerous, since there won’t be an immediate fix if a bad actor decides to take advantage of it. A grey market is one where the products being sold are not illegal, but they are being sold through unofficial or unauthorized channels. So if we put the two together, the zero day grey market is any activity related to the buying and selling of these zero day exploits through unofficial or unauthorized means.
The Problem?
“So what?”, you might be saying. Hackers exist in the world, and sure they can cause problems but nothing world ending, right? While I don’t think the zero day exploits or the zero day grey market will cause the end of the world, I think it can definitely lead to a situation that can make life unpleasant for a lot of people in the world. So that is exactly why I want to write about this, to try and find out the true dangers of zero days and what all of you should know about them.
So we have people buying and selling powerful exploits, but who are the buyers? Well, as it turns out, world governments love getting their hands on these. As a matter of fact, it was revealed that in 2013, the NSA set aside $25 million to acquire “software vulnerabilities from private malware vendors.” It makes sense from their perspective, since they would have a very powerful tool to use against an adversary. However, this presents us with a massive issue. If governments are buying them for possible use later on, they have no incentive to actually inform the developer about the exploit. This can leave millions if not billions of people open to cyber attacks. And like I said before, these cyber attacks could be very destructive given that there would be no immediate fix. After all, we live in a very digital world. So anyone with access to these exploits could potentially get into many digital systems around the world, and possibly take them down. Traffic lights, transportation networks, financial institutions, the payment systems at grocery stores are all things that could be affected by a large-scale cyber attack. It gets even worse when you consider how interconnected a lot of our digital systems are. If one system goes down, it could cause many others to go down with it.
Alright, so I know saying all of this makes me sound crazy, but stuff like this has actually happened before. To get my point across better, I’m going to go over two of the most infamous cyber attacks that utilized zero day exploits.
NotPetya
So, just how powerful can one of these exploits be? To answer that, we’ll have to look back to the June 2017 NotPetya cyberattack on Ukraine. NotPetya was created by taking advantage of multiple Windows zero day vulnerabilities (I’m going to talk about one of them later), and it was used by a Russian-backed hacker organization, presumably to destabilize Ukraine. Disguised as ransomware, NotPetya would seek to destroy every important file on a computer while trying to find other computers nearby to infect. Once the first couple of computers in Ukraine were infected, the malware quickly spread throughout the country. The attack disrupted many different sectors throughout Ukraine, including the power grid, transportation networks, and financial institutions; even the radiation monitoring system at the Chernobyl Power Station was taken offline. Due to the destructive nature of NotPetya, the attack also caused a temporary paralysis of Ukrainian government function as it made its way through many government computers and systems. However, the damage caused by NotPetya wouldn’t stop with Ukraine. Global corporations also experienced major disruptions; mainly, companies that had offices in Ukraine were heavily affected by the NotPetya attack. Some of the biggest corporations affected were Maersk and FedEx. In total, this cyber attack caused around $10 billion worth of damages and remains one of the most destructive cyber attacks to date.

WannaCry
The next cyber attack I am going to talk about happened just one month before the NotPetya attack. Labelled WannaCry, this ransomware exploit took advantage of several Windows zero day vulnerabilities. Unlike NotPetya, this one was not designed to destroy files, just to encrypt them until the ransom was paid. This attack, however, was not targeted towards a single country or organization. Instead it spread all over the world, affecting around 150 countries and 200,000 computers worldwide. But one of the agencies hit hardest by this attack was the National Health Service hospitals in England and Scotland. During the attack, many hospitals were not able to access patient records, which led to delays for non-critical emergencies and appointment cancellations. On top of that, some ambulances had to be rerouted to other hospitals. Furthermore, just like NotPetya, companies all across the world like FedEx…they really could not catch a break with these cyber attacks. As far as who is responsible for this attack, there is evidence to suggest that it was a North Korean-backed hacker group.

EternalBlue
Alright, so clearly zero day vulnerabilities can be used to cause a lot of damage. But how does the grey market come into this? Well, like I said before, governments love to buy them up, which also means that some have a stockpile of zero day exploits. Now you might think that this in itself isn’t a huge issue if they aren’t being used to destabilize a country, but unfortunately, that is not the case. Remember that I mentioned that both the NotPetya and WannaCry attacks took advantage of a Windows zero day vulnerability? Well, that wasn’t a coincidence. The viruses used in both of these attacks were propagated by an existing exploit developed by the U.S. National Security Agency, called EternalBlue, that took advantage of the same zero day vulnerability. Yep, that’s right, two of the most destructive and infamous cyber attacks in history took advantage of an exploit developed by the NSA. Now you might be wondering how this even happened. As it turns out, nothing digital will ever be 100% secure, not even something developed and kept secret by the NSA.
EternalBlue was stolen by an organization called the Shadow Brokers, and after failing to find a buyer for it, they publicly released it in April of 2017. And not even 3 months later, it was utilized in the WannaCry and NotPetya cyber attacks.
My Thoughts
Now I already had some vague knowledge about this topic before researching it. But after doing some research on it, I think I can say that it is a pretty important issue and something that people should know. Based on the cyber attacks I talked about in this post, I don’t think governments should be buying/developing and hoarding these exploits as it exposes billions of people worldwide to cyber attacks. For me personally, it’s a little scary how out of nowhere, an entire country can be thrown into chaos and there would be nothing we could immediately do about it. It’s particularly scary when you look at WannaCry and see how hospitals were affected, and how Chernobyl’s radiation detection was taken offline during the NotPetya attack. Luckily, nothing terrible happened, but something very easily could have.
Now, do I think this issue will ever be resolved? Probably not. You might say, “Just get better at cybersecurity, duh.” But it’s hardly that simple. If we make better cybersecurity systems, hackers will make better hacks. This makes it a digital arms race of sorts. But who knows, maybe tech companies will put pressure on countries to stop hoarding these exploits and start informing the companies about the exploits they do find. As a matter of fact, that is exactly what Microsoft did after EternalBlue leaked. I think that this is something that other companies need to do if we’re ever going to get to a point where countries will stop buying/developing/hoarding these exploits for use against other countries. But until then, please install those security updates I know you’ve been ignoring.
I really appreciate your writing style. I've never heard about this, so it was interesting to learn about. I think that it's important that this reaches a broader audience.
I really appreciate how you intertwine humor in your writing to soften a serious topic. I'm an English major, so something like cyber attacks is hard for me to fathom and imagine, but I think you did a great job of breaking down a complicated topic and giving good, real-life examples to make it digestible.
This was a very informative and interesting read. I have never heard of either of these before, and I originally did have the "ok so what" thought you talked about. However, once you talked about the traffic light and such shutting down, that would severely impact us. Your images were also very impactful in showing what these encryptions looked like.
Jackson Gould
Never ever heard of this before, and that made the reading experience even more enjoyable. The zero day grey market sounds very sketchy; I feel like this is a problem that hasn’t reached the majority of the public. I think this is a very interesting blog concept to write about. Very well written and informative. Good job.