Zerodium seeking zero-days in ExpressVPN, NordVPN, and Surfshark VPN apps
Image: Peter Lagson
Catalin Cimpanu October 19, 2021

Zerodium seeking zero-days in ExpressVPN, NordVPN, and Surfshark VPN apps

Zerodium seeking zero-days in ExpressVPN, NordVPN, and Surfshark VPN apps

Exploit broker Zerodium announced its intention today to buy zero-day vulnerabilities in the Windows clients of three major VPN providers—ExpressVPN, NordVPN, and Surfshark.

Founded in 2015, Zerodium is a security company based in Washington, DC, that has built a reputation over the years for buying exploits for zero-day vulnerabilities in various applications and then reselling the exploits to government and law enforcement agencies.

The company runs a bug acquisition program on its site, where security researchers can sell their exploits for prices of up to $2.5 million — based on the type and nature of their vulnerability.

In addition, across the years, the company has also held so-called temporary “bug acquisition drives,” during which they offer to buy zero-day exploits in non-standard software.

Past acquisition drives have targeted routers, cloud services, mobile IM clients, and even something as niche as the Pidgin app — popular with cybercrime organizations.

Latest bug acquisition drive targets Windows VPN clients

The latest of the company’s bug acquisition drives was announced earlier today via a tweet on the company’s official Twitter account.

The three VPN companies mentioned in Zerodium’s tweet are some of today’s biggest providers of cloud-based VPN services.

These companies manage a network of thousands of proxy servers across the globe that reroute their customers’ web traffic in order to disguise their users’ real location.

In order to connect to these networks, users typically have to install a VPN client on their computer or mobile device, with all the three aforementioned companies providing apps for all the major OS platforms today, such as Windows, macOS, Linux, Android, and iOS.

Today, Zerodium said that it was interested in exploits that target only the Windows clients, and namely in exploits that can disclose a VPN user’s personal information, that can reveal the user’s real-world IP address, or exploits that allow remote code execution on the user’s computer.

The reasons behind this bug acquisition drive are easy to guess, as VPN services are often used by cybercriminals to hide their real-world location when connecting to their hacked victims’ networks or their hacking infrastructure.

But today’s announcement has also riled up some privacy-conscious users who use VPN apps to browse the web from oppressive countries, especially since it’s not clear to whom and which countries Zerodium peddles its hacking tech.

Spokespersons for ExpressVPN, NordVPN, and Surfshark did not return a request for comment before this article’s publication, although Zerodium’s announcement today is bound to ruffle some features and ring some internal alarms.

A Zerodium spokesperson did not reply to a request for comment in regards to the prices it is willing to pay to researchers.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.