Hacker Selling Windows Zero-Days to Cyber Espionage Groups

A threat actor has been selling Windows zero-days to advanced persistent threat (APT) groups and cybercrime gangs. Within the last three years, the actor has sold zero-day vulnerabilities to at least three APT or cyber-espionage groups, with individual zero-day exploits selling for as much as $200,000.

Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, called the actor:

“a prolific exploit developer and zero-day seller”

The hacker, Volodya, began this business in 2015 when he posted an advertisement on a public forum. He is believed to be from Russia or Ukraine. The APT groups buying the zero-days are located in Russia and the Middle East.

Kaspersky researchers further state that Volodya is the same threat actor who, under the name BuggiCorp in 2016, was selling Windows zero-days on the public cybercrime forum Exploit.in. As BuggiCorp he built up a business selling zero-days and gained loyal customers. He has since dropped the BuggiCorp name but continues to sell zero-day vulnerabilities to a wide range of clients, from government intelligence agencies to cybercrime gangs.

Kaspersky researchers have been tracking the hacker under the name Volodya since 2015. He has since also begun developing and selling one-day exploits.

Raiu commented:

“in addition to zero days, Volodya is also developing exploits for patched vulnerabilities, such as one-days, or exploits for older vulnerabilities, that are considered stable and reliable and could still work for unpatched machines.”

Kaspersky researchers also found that Volodya created the exploit for CVE-2019-0859, a Windows vulnerability used mostly against financial organizations. The exploit for CVE-2016-7255 was also traced back to Volodya, who sold it to Fancy Bear, the Russian APT group known for carrying out the 2016 DNC hack.

Contact LIFARS immediately if your organization was hit with a zero-day.