7 min Security US government agencies are eyeing VPN service breaches

The appearance of an advertisement seeking zero-day flaws (those unknown since the software's release) in three popular VPN services has raised an alert about the potential interest of government agencies in exploiting weaknesses in this type of platform. The request came from Zerodium, a company that buys vulnerabilities of this type, and targets the services of Surfshark, NordVPN and ExpressVPN, focusing on vulnerabilities that allow users to be located.

The announcement is clear and, like so many others, it was made on Twitter. According to the post, the company is looking for flaws that allow it to obtain the IP address and other information of VPN users, as well as to execute code remotely. There is no interest, according to Zerodium, in flaws that allow privileges to be escalated on the user's machine, indicating that the interest is in the user and not necessarily in the data stored on devices.

Taking into account the company's official clients, government agencies and law enforcement agencies, the most straightforward conclusion is that the flaws would be used in espionage operations or investigations. The authorities that use Zerodium's services are mainly in Europe and North America, and traditionally use such flaws in their operations. Despite the clarity of the request, the company did not provide further details on the motives behind the search, and did not even leave the Twitter post open to third-party replies.

Together, the three services concentrate tens of millions of users around the world, with more than 11,000 servers spread across the globe. Meanwhile, the request follows a recent alert from the US government’s National Security Agency (NSA) that Russian criminals use Surfshark and NordVPN in launching brute-force attacks. In late 2020, the FBI also issued a similar warning about a fake news campaign created by Iranian thugs trying to pass themselves off as members of the American extreme right.

Officially, Zerodium claims to directly moderate the use of vulnerabilities and exploits by its customers, with only a small number of them having access to tools that involve zero-day flaws. The amounts offered in this case were not disclosed, but in some cases they may exceed the $1 million mark, as was the case with a flaw that allowed remote code execution in the Google Chrome browser's sandbox mode.

Of the target companies, Surfshark was the only one to respond to international press contacts, claiming to adopt the highest security practices to protect the identity of its customers. The company criticized Zerodium’s efforts to take advantage of security holes and said it worked cautiously on resolving vulnerabilities, with appropriate rewards being paid to those who discover them.

The cybersecurity company itself did not comment on the matter.