This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday.
One research company sold details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes at the start of this year, according to a source.
The case highlights the often antithetical relationship between companies that research and develop exploits, and those who maintain the affected software. But it also shows an instance of a company selling related exploit information to both defensive and offensive customers.
Back in December 2015, cybersecurity firm Fortinet announced it had added an intrusion detection system (IDS) signature for a Firefox zero-day; that is, a security issue unknown to Mozilla, which develops Firefox. IDS signatures are used to protect systems from particular exploits or types of attack.
Fortinet confirmed to Motherboard that the IDS signature from 2015 would detect the recently uncovered exploit. (Some IDS signatures may target techniques or tricks that are common to many exploits at once.)
“The IPS signature you linked does protect against the Firefox/Tor Browser Vulnerability,” a Fortinet spokesperson wrote in an email. “The IDS signature defends against the exploit method used and was not specifically developed to defend against the recent Firefox/Tor browser zero-day,” the spokesperson added.
According to a tweet from the company last year, Fortinet was provided details on the exploit method from Exodus Intelligence.
Exodus is a company that researches vulnerabilities, purchases and develops exploits, and then sells them to customers for both offensive and defensive purposes. For the former, customers can use the exploit to break into systems; as for the latter, clients can use the information to patch machines, protecting them from attacks, as Fortinet did. (Earlier this year, Exodus announced it would pay $500,000 for vulnerabilities affecting iOS.)
But according to a source familiar with Exodus’ operations, the company didn’t just sell related exploit information to Fortinet: Exodus sold the exploit for the newly uncovered Firefox attack to an offensive customer.
“The vulnerability details and working exploit code were sold by Exodus to an offensive customer at the beginning of 2016,” the source told Motherboard.
Recently, Exodus’ website has emphasized the company’s defensive offerings, and said it was moving towards a practice of “coordinated disclosure,” in which Exodus would eventually inform vendors affected by its exploits of the security issues.
Denelle Dixon-Thayer, Mozilla chief legal and business officer, told Motherboard in a statement: “If vulnerabilities are known they should be disclosed to vendors right away in order to protect users. Cybersecurity is a shared responsibility and we encourage tech companies, researchers and governments to share information with us so that we can investigate vulnerabilities and fix them.”
In a previous version of Exodus’ website, under a section titled “We Equip A Wide Range of Clientele,” the company pointed out that the FBI has used exploits in its investigations.
Exodus, including Logan Brown, the company’s president, did not respond to multiple requests for comment, and did not respond to a specific, emailed question on whether Exodus sold this exploit to an offensive customer.
According to a report from Mozilla, someone may have tried to use the same attack in June of this year, although it crashed the browser. As Motherboard reported on Wednesday, the recently publicly disclosed exploit was deployed against users of a dark web child pornography site.