Slashdot Mirror


Exploit Vendor Zerodium Announces Big Rewards For Cloud Zero-Days (zdnet.com)

Exploit vendor Zerodium said today it would pay up to $500,000 for zero-days in popular cloud products and services such as Microsoft's Hyper-V and (Dell) VMware's vSphere. From a report: Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors -- software that lets a single "host" server create and run one or more virtual "guest" operating systems. Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP.

With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.

27 comments

  1. Too sheisty by Anonymous Coward · · Score: 0

    Supply and demand.

    1. Re: Too sheisty by Anonymous Coward · · Score: 0

      Dell/EMC doesn't own VMWare, they are separate entities.

    2. Re: Too sheisty by Anonymous Coward · · Score: 0

      When I worked at EMC they were considered separate but they were always under the EMC umbrella.

    3. Re: Too sheisty by lgw · · Score: 1

      Dell/EMC doesn't own VMWare, they are separate entities.

When I worked at VMware, there were massive layoffs when EMC got a new president and needed to pad his bonus. That's the only meaningful definition of being EMC's bitch.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. A day's work? by Anonymous Coward · · Score: 0

    So, package this one up in a wrapper and get into the cloud and I get how much money? https://it.slashdot.org/story/19/03/05/1524251/all-intel-chips-open-to-new-spoiler-non-spectre-attack

  3. "Exploit Vendor" by AtomicSymphonic · · Score: 2

    Ah...Does this make them "Black Hats"?

    1. Re:"Exploit Vendor" by JaredOfEuropa · · Score: 2

      It makes them asshats.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:"Exploit Vendor" by Anonymous Coward · · Score: 4, Informative

No, they are just your garden variety bottom feeding low-lifes. They used to be called Vupen, then rebranded. Their business model is to buy zero-days from script kiddies and actual blackhats and sell them for a much higher fee to governments. They are very arrogant about it, too.

    3. Re:"Exploit Vendor" by gweihir · · Score: 1

More "Black Hats with good lawyers", but definitely Black Hats. They make money off illegal and immoral attacks and operate themselves in the grey area created by state-owned and state-sponsored hacking groups like the NSA. Terrorism is peanuts compared to this.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. isn't this basically blackmail by Richard_J_N · · Score: 3, Interesting

    How is it legal to sell an exploit?
    Can't some of the authors sue them for having a "blackmail-based business model"?

    1. Re:isn't this basically blackmail by broknstrngz · · Score: 1

      Their suppliers most likely waive away all rights when selling. Their customers are the ones making the laws so they are covered.

    2. Re:isn't this basically blackmail by lgw · · Score: 2

      How is it legal to sell an exploit?

      They mostly sell to governments. Funny how the legal problems just don't come up.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  5. Time to make some money! by Anonymous Coward · · Score: 0

    Here we go peeps!

  6. If Zerodium pays big for cloud exploits... by Myria · · Score: 1, Insightful

    ...it means that Western governments, most often the U.S. and Israel, want exploits to infiltrate cloud servers.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:If Zerodium pays big for cloud exploits... by Anonymous Coward · · Score: 1

      Why single out "western" govts? It means there's money in them, because there's money in the cloud. ALLLLLLL countries would like to know about them. NK would love to have a few. Knowledge is power both offensively and defensively.

  7. The weapon-pushers of the internet age by gweihir · · Score: 1

    About as moral. These activities need to be outlawed and banned globally.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Spectre is here to stay... by ffkom · · Score: 1

    and you don't need much more than Spectre to compromise cloud VMs sharing the same physical host. https://arxiv.org/pdf/1902.051...
    You may use "SPOILER" to improve the data extraction speed. https://arxiv.org/pdf/1903.004...

  9. Re:if they give rewards for zero views by Anonymous Coward · · Score: 0

    You mean creimer who is taking on Wreck It Ralph AND Casey Neistat this week?

  10. vSphere not a hypervisor, and Amazon doesn't use i by buchanmilne · · Score: 1

    "while VMware's vSphere is used by Amazon Web Services"

    VMWare's Hypervisor is VMWare ESX/ESXi. vSphere is the management software for managing ESX/ESXi.

    Amazon doesn't use VMWare, but VMWare was the first customer of AWS's bare-metal instance type (i3.metal), allowing VMWare users/customers the ability to easily migrate VMWare VMs to AWS.

However, in theory, customers can run any x86_64 hypervisor they want on AWS using the EC2 .metal instance types (in practice, there may be some work involved, and it would be easier if an ENA driver is available).

    AWS is known to run Xen, their own KVM-based hypervisor they call "Nitro", and their recently open-sourced MicroVM hypervisor (also using KVM), Firecracker ( https://github.com/firecracker... ).

    As far as I know, AWS has never run customer instances on VMWare.
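The post above lists several hypervisor families a cloud guest may be sitting on (Xen, KVM-based Nitro, Firecracker, ESXi, Hyper-V), which is exactly what a defender needs to know when weighing exposure to guest-to-host escapes like the ones the bounty targets. As an added example (not part of the post or of any of the named projects), here is a small Python classifier that can be run inside a Linux guest to record the hypervisor family, and for AWS the generation, from the CPUID 0x40000000 vendor signature and DMI strings; the signature-to-family table and the AWS DMI heuristics are this example's assumptions.

```python
import os
from dataclasses import dataclass
from pathlib import Path

# Well-known vendor signatures from CPUID leaf 0x40000000 (EBX:ECX:EDX);
# the mapping to product families is this example's assumption.
CPUID_SIGNATURES = {
    "KVMKVMKVM": "KVM",
    "XenVMMXenVMM": "Xen",
    "VMwareVMware": "VMware ESXi",
    "Microsoft Hv": "Hyper-V",
}

@dataclass
class GuestFacts:
    cpuid_vendor: str   # CPUID 0x40000000 signature, "" on bare metal
    sys_vendor: str     # DMI sys_vendor
    bios_version: str   # DMI bios_version

def classify(facts: GuestFacts) -> str:
    """Map guest-visible facts to a hypervisor family, refining for AWS."""
    family = CPUID_SIGNATURES.get(facts.cpuid_vendor.rstrip("\0"), "unknown/bare-metal")
    # Nitro is KVM-based and reports "Amazon EC2" as the DMI system vendor (assumption).
    if family == "KVM" and facts.sys_vendor.strip() == "Amazon EC2":
        return "AWS Nitro (KVM-based)"
    # Legacy Xen-based EC2 instances carry "amazon" in the BIOS version string (assumption).
    if family == "Xen" and "amazon" in facts.bios_version.lower():
        return "AWS Xen (legacy EC2)"
    return family

def _dmi(name: str) -> str:
    try:
        return (Path("/sys/class/dmi/id") / name).read_text().strip()
    except OSError:
        return ""

def read_local_facts() -> GuestFacts:
    """Best-effort collection on a Linux guest. The leaf is read from /dev/cpu/0/cpuid
    (needs the cpuid kernel module and root); the 16-byte record is EAX,EBX,ECX,EDX."""
    vendor = ""
    try:
        fd = os.open("/dev/cpu/0/cpuid", os.O_RDONLY)
        try:
            vendor = os.pread(fd, 16, 0x40000000)[4:16].decode("ascii", "replace")
        finally:
            os.close(fd)
    except OSError:
        pass  # no cpuid device or no permission: fall through to DMI only
    return GuestFacts(vendor, _dmi("sys_vendor"), _dmi("bios_version"))
```

Run `classify(read_local_facts())` on the guest and ship the result with the host inventory; a guest that reports a family named in a published escape is the one to patch or migrate first.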