
A WhatsApp zero-day exploit can cost several million dollars


TechCrunch reported that a working zero-day exploit for the popular WhatsApp app can fetch millions of dollars.

Researching zero-day exploits for popular applications such as WhatsApp is even more complex due to the security mechanisms implemented by the developers of the mobile OSs and the app.

TechCrunch reported that zero-day exploits for popular applications like WhatsApp “are now worth millions of dollars”.

TechCrunch obtained leaked documents that demonstrate that, as of 2021, a zero-click, zero-day exploit for the Android version of WhatsApp had a bounty between $1.7 and $8 million. Someone was willing to pay such large sums to remotely gain access to the messages of a target.

According to the documents, a company was selling a zero-click exploit for a remote code execution (RCE) vulnerability in WhatsApp for around $1.7 million.

“The document said the exploit worked for Android versions 9 to 11, which was released in 2020, and that it took advantage of a flaw in the ‘image rendering library.’ In 2020 and 2021, WhatsApp fixed three vulnerabilities — CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041 — that all involved how the app processes images. It’s unclear if these patches fixed the flaws underlying the exploits that were on sale in 2021,” wrote Lorenzo Franceschi-Bicchierai on TechCrunch.

The surveillance market is exploding: intelligence agencies, law enforcement bodies, and zero-day brokers are competing to buy exploits that allow them to compromise devices and apps.

In some cases, the exploit for a single vulnerability is enough to spy on a target; in other cases, threat actors combine multiple issues in an exploit chain to achieve the same effect.

In mid-September, researchers from the Citizen Lab and Google’s Threat Analysis Group (TAG) revealed that the three Apple zero-days (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) addressed in the same period were used as part of an exploit to install Cytrox Predator spyware.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were used in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

The Russian zero-day broker firm Operation Zero recently increased payouts for top-tier mobile exploits. The company is willing to pay up to $20,000,000 for zero-day exploits for iPhone and Android devices.

The Russian company pointed out that the end user for its exploits is a non-NATO country. It also added that it decided to increase the payout due to high demand on the market.

Unlike other zero-day brokers, such as Zerodium and Exodus Intelligence, Operation Zero focuses on the Russian market. Operation Zero’s clients include Russian government agencies and private businesses.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)