Zero-day vulnerabilities of various severity are fairly common in Windows, and some of them are exploited. However, one hacker seems to have turned Windows zero-day vulnerabilities into a thriving business. Over three years, a veiled bad actor has been selling Windows zero-days.

Security firm Kaspersky Lab says the exploits have been sold to cyber-crime groups and at least three cyber-espionage organizations. So-called APTs (advanced persistent threats) are government-backed groups who purchase exploits from third parties.

Kaspersky Lab researchers say the mysterious hacker is among the most successful sellers of zero-days. They name his as Volodya, but he was previously known as BuggiCorp who is know for previously trying to sell a Windows zero-day on the Exploit.in forum.

Costin Raiu, Director of the Global Research and Analysis Team (GReAT) for Kaspersky, said Volodya has become well-respected in the cyber-crime community. By building a dedicated clientele, he has made a business from Windows vulnerabilities. Some zero-day exploits could fetch as much as $200,000 on the market.

“Volodya is a prolific exploit developer and zero-day seller that we have been tracking since 2015,” Raiu told ZDNet recently.

“Volodya is short for ‘Volodimir,’ which is the nickname that appears in some of his work,” Raiu said. “Our observations indicate Volodya is fluent in Russian, although likely of Ukrainian origin. Volodimir is also not a Russian name, but Ukrainian.”

“Volodya appears to be the author of the exploit for CVE-2019-0859, that we reported to Microsoft in March 2019,” he added.

Big Business

Kaspersky discovered the vulnerabilities during a recent investigation on malware for the Windows platform. The company says the flaws could affect server locations on Windows 7, Windows 8.1, and Windows 10. By working the exploit, bad actors can gain full access to a PC.

The active zero-day was exploited by an unidentified cybercriminal group and allowed higher privileges that give the ability to install a backdoor in Windows PowerShell.

Raiu believes Volodya is also creating exploits for one-day exploits, which exploit older vulnerabilities that have become stable. These exploits would not affect updated machines but would make unpatched machines vulnerable.