author photo
By Bruce Sussman
Fri | Apr 17, 2020 | 9:29 AM PDT

Zoom-bombing created security concerns about Zoom as cybercriminals and pranksters joined corporate and student meetings on the platform.

While most did things that were inappropriate, at least they made their presence known.

Now imagine a Zoom meeting where you are discussing proprietary information or intellectual property as a cybercriminal or nation-state hacker is secretly watching or recording it.

That is the point of a new Zero-Day exploit reportedly being marketed on the Dark Web, with a price tag of $500,000. 

Zoom Zero-Day exploits for sale

Motherboard broke the news through anonymous sources:

"Industrial espionage is making millions now. Zoom, GTM, WebEx... all meetings where you needed an insider to get in before [videoconference meetings became widespread]," he said.

"From what I've heard, there are two zero-day exploits in circulation for Zoom... One affects OS X and the other Windows," said Adriel Desautels, the founder of Netragard, a company that used to run an exploit acquisition platform, told Motherboard.

Motherboard further confirmed the existence of the two exploits for Zoom Windows and macOS zero-days by two other sources who wished to remain anonymous.

One of them said that the Windows zero-day is a remote code execution vulnerability that could allow potential attackers to execute arbitrary code on systems running a Zoom Windows client and even take full control of the device if coupled with other bugs.

The $500,000 price tag attached to this exploit might be justified as the independent source said that it's "perfect for industrial espionage."

Expert interview: what is the Zero-Day market like right now?

Zero-Day exploits are newly discovered security flaws for which there is no patch yet available. In other words, the new attack will work to get a cybercriminal access they should not have.

Brian Gorenc is at the center of this cat and mouse game between criminal hackers and cyber defenders. Gorenc directs the Zero Day Initiative (ZDI), which is the world's largest vendor-agnostic bug bounty program.

His organization pays bounties to security researchers who discover Zero-Days and then privately report them, so the security vulnerability can be patched before a cybercriminal discovers it.

SecureWorld asked Gorenc about the new Zoom Zero-Day exploits and the state of the Zero-Day market right now.

As you can imagine, the cybercrime market is focused on ways to infiltrate your organization's digital communications.

[SecureWorld]  Does this move to exploit Zoom's rise to prominence surprise you? Have you seen similar parallels with other organizations in the past?

[Gorenc]  We're in an unprecedented time with regard to the amount of people working remotely. All of the products that enable this—VPNs, video chat, 2FA [and others]—will receive increased scrutiny from researchers and attackers alike. What Zoom is experiencing is what all major software goes through, just in a much shorter timeframe.

For example, Microsoft had years to understand security problems, establish a response process, engage in researcher outreach, etc. Zoom has had to go through all of that and more in a just a few weeks.

[SecureWorld]  What drives threat actors to create Zero-Days? Money or fame?

[Gorenc]  Different people have different motivations. For security researchers, it may start with simple curiosity, however, when they see they can profit from their research through bug bounties, financial compensation becomes a big motivator.

There are still those out there just looking to prank users (think Zoom-bombing). And then there are the serious threat actors looking either disrupt normal operations or steal intellectual property. When it comes to bug bounties, most are motivated by a combination of financial reward and public recognition.

[SecureWorld]  How many Zero-Days has your organization successfully  helped vendors shut down?

[Gorenc]  The ZDI program has resulted in over 6,000 Zero-Days being patched in its nearly 15-year history. During this time, certain targets went through phases of popularity: Java, operating systems, Adobe Flash, web browsers, Microsoft Office. In recent years, we've seen a rise in the popularity of virtualization targets and ICS/SCADA products. We've also help lower the response time from vendor from over 180 days to under 120.

Related podcast: Zero-Day and bug bounty insights

We previously interviewed Brian Gorenc after his keynote at a SecureWorld conference. Listen to our conversation below, or on your favorite podcast platform:

Gorenc is optimistic that the bug bounty market still has a lot of room to grow.

If you're looking for a side hustle, this could be the time to jump in.