[TheRecord] Zerodium seeking zero-days in ExpressVPN, NordVPN, and Surfshark VPN apps

Exploit broker Zerodium announced its intention today to buy zero-day vulnerabilities in the Windows clients of three major VPN providers—ExpressVPN, NordVPN, and Surfshark.

Founded in 2015, Zerodium is a security company based in Washington, DC, that has built a reputation over the years for buying exploits for zero-day vulnerabilities in various applications and then reselling the exploits to government and law enforcement agencies.

The company runs a bug acquisition program on its site, where security researchers can sell their exploits for prices of up to $2.5 million — based on the type and nature of their vulnerability.

In addition, across the years, the company has also held so-called temporary “bug acquisition drives,” during which they offer to buy zero-day exploits in non-standard software.

Past acquisition drives have targeted routers, cloud services, mobile IM clients, and even something as niche as the Pidgin app — popular with cybercrime organizations.

Latest bug acquisition drive targets Windows VPN clients

The latest of the company’s bug acquisition drives was announced earlier today via a tweet on the company’s official Twitter account.

We’re looking for #0day exploits affecting VPN software for Windows:

– ExpressVPN
– NordVPN
– Surfshark

Exploit types: information disclosure, IP address leak, or remote code execution. Local privilege escalation is out of scope.

Contact us: https://t.co/R6E2CVU9K3

— Zerodium (@Zerodium) October 19, 2021

The three VPN companies mentioned in Zerodium’s tweet are some of today’s biggest providers of cloud-based VPN services.

These companies manage a network of thousands of proxy servers across the globe that reroute their customers’ web traffic in order to disguise their users’ real location.

To connect to these networks, users typically have to install a VPN client on their computer or mobile device. All three of the aforementioned companies provide apps for all the major OS platforms today, such as Windows, macOS, Linux, Android, and iOS.

Today, Zerodium said that it was interested only in exploits that target the Windows clients, namely exploits that can disclose a VPN user’s personal information, reveal the user’s real-world IP address, or allow remote code execution on the user’s computer.

The reasons behind this bug acquisition drive are easy to guess, as VPN services are often used by cybercriminals to hide their real-world location when connecting to their hacked victims’ networks or their hacking infrastructure.

But today’s announcement has also riled up some privacy-conscious users who use VPN apps to browse the web from oppressive countries, especially since it’s not clear to whom and which countries Zerodium peddles its hacking tech.

Spokespersons for ExpressVPN, NordVPN, and Surfshark did not return a request for comment before this article’s publication, although Zerodium’s announcement today is bound to ruffle some feathers and ring some internal alarms.

A Zerodium spokesperson did not reply to a request for comment regarding the prices it is willing to pay to researchers.

The post Zerodium seeking zero-days in ExpressVPN, NordVPN, and Surfshark VPN apps appeared first on The Record by Recorded Future.
