Most of the exploits for 0-Day vulnerabilities are developed by private companies

The Atlantic Council said that exploits for 0-Day vulnerabilities and other hacking tools developed by private companies are often used to track down and apprehend dissidents, journalists, or politicians.

Over the past few years, the cybersecurity community has repeatedly raised concerns about an ever-growing number of private companies selling offensive cyber capabilities (OCCs) to foreign governments without much oversight.

“Hacking tools developed by private companies often end up in the hands of unscrupulous governments, which then use the software to track down and apprehend dissidents, journalists, or political rivals”, – say the researchers.

The American think tank Atlantic Council has published a report on the OCC market and companies operating on the Access-as-a-Service (AaaS) model that sell these services. The report provides an analysis of three AaaS vendors – the Israeli NSO Group and the UAE-based DarkMatter.

In particular, the experts spoke about the organizations behind the cyberattacks that exploited a zero-day vulnerability.

Of 129 attacks using 0Day vulnerabilities since 2014, 72 of them were associated with a specific attacker. Of these 72 cases, 14 were associated with private companies as creators of the zero-day exploit used in the attack.

“Thus, private companies have proven to be a larger provider of zero days exploited in real attacks than government and cybercriminal hackers combined”, – reported in the Atlantic Council.

Many of the AaaS vendors can hardly be distinguished from legitimate cybersecurity companies providing security solutions, experts say. This business model is now becoming more prevalent and current policies restricting the export and transfer of OCC instruments overseas are becoming less effective as AaaS providers find new ways to circumvent them.

Researchers have called for new and improved policies for the AaaS marketplace and have proposed expanding the range of vulnerabilities found by government intelligence agencies that need to be reported to vendors, establishing post-employment restrictions for government information security employees so that they cannot switch to AaaS service providers.

They also suggested filing lawsuits against AaaS suppliers and their contractors that violate export controls and enforced implementation of “technical restrictions” such as limitation of geographic area for malware spread to prevent OCC tools from being used in certain areas or against certain purposes.

Let me remind you that the number of malicious ads tripled in 2020, as well as that China officially legalized the “Social Credit System”.