A number of Russian companies working in IT security have received offers to sell information about undocumented vulnerabilities in iOS and Android, as well as in various browsers and other software, the Kommersant newspaper reports, citing its sources at Russian companies.
The potential buyers, according to those sources, are representatives of SZCUA, the ShenZhen Computer Users Association, presented as a Chinese association of large IT companies. SZCUA allegedly includes organizations such as Kingdee International Software Group and China Greatwall Computer Shenzhen Co. In theory, the undocumented vulnerabilities that SZCUA representatives are looking for could be used to conduct cyber attacks by government hacker groups.
SZCUA's main sales representative is a certain Robert Nevsky, who approached Russian information security companies with a proposal for "cooperation".
"We are interested in buying zero-day vulnerabilities. We are interested in os / cms / app / software / modems / office / browsers. At the moment, IE / modem / Android / iOS are especially interesting. Price depends on the product. At the first transaction, the price threshold does not exceed $100 thousand (the price is discussed). Payments in three stages: the first before receiving the product, the second after receipt and appropriate verification, and the third after two or three months, to make sure that the exploit was not made public," Nevsky wrote in one of the letters quoted by Kommersant.
As it turned out, this is not the organization's first attempt to obtain information about software vulnerabilities. In 2015 the association made the same offer to a number of information security specialists in the UK, and screenshots of the correspondence appeared on Twitter. The letters were sent from a mailbox in the organization's own domain, isba@szcua.org.
When asked to explain the association's activity in this area, SZCUA's official representatives stated that they have nothing to do with the search for exploits and do not engage in such matters.
Kommersant found Robert Nevsky's profile on LinkedIn. According to the information posted there, he has been working for the company since June 2016; the first letters to information security companies began arriving in August.
On the social network VKontakte and on the microblogging service Twitter, user accounts appeared that on several grounds resemble the Robert Nevsky mentioned in the publication, who presents himself as SZCUA's sales representative. A link to the Twitter account is listed in the VK user profile.
The earliest appearance of SZCUA was recorded in 2014, when a Twitter user posted a screenshot of a letter that likewise offered to sell vulnerability information to the "largest Chinese computer user association".
A year later (in 2015), in the same tweet thread, another user posted a screenshot of a letter with a similar offer, this time sent from a different e-mail address.
Although SZCUA has been pursuing this activity steadily since 2014, the organization itself raises many questions.
According to the who.is domain record, the domain administrator's contact address is a room in a science museum (address: Room 203, Information Security Assessment Center, across the street from the Civic Center, Futian District, Shenzhen, North Gate; postal code 518031). The domain was registered back in 2007 and is paid up until 2017. The domain information was last updated on May 26, 2016, and judging by Nevsky's profile, he has been with the company since June 2016. The contact mailbox listed on who.is is computer339@126.com; 126.com is a free Chinese mail hosting service.
Two more profiles of SZCUA employees were found on LinkedIn. Apart from its own website and blog, which at first glance is filled with real content and visited by real people, no additional information about SZCUA, which allegedly includes large Chinese IT companies, can be found on the Web.
All this, together with the update to the domain information and the resumption of SZCUA activity a few days later in the person of Robert Nevsky, suggests that the organization is most likely a plain "front" with a fairly long history. But a front for whom, a fraudster or representatives of the Chinese law enforcement agencies, remains an open question.