InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The recent deployment of Paragon’s Graphite spyware against human rights defenders and journalists has intensified concerns over Europe’s escalating spyware crisis. This development underscores the vulnerability of civil society actors to invasive surveillance technologies.
In Italy, government authorities sanctioned the use of Graphite spyware on members of the NGO Mediterranea Saving Humans, citing national security concerns. This action has sparked significant controversy and legal scrutiny, highlighting the potential misuse of surveillance tools against humanitarian organizations.
Similarly, in Serbia, reports have emerged that the secret service and police employed spyware to monitor journalists and opposition activists by infiltrating their mobile devices. This practice has raised alarms about the suppression of dissent and the erosion of press freedom within the country.
The proliferation of spyware is not confined to Europe. In the United States, the Department of Homeland Security’s contract with Paragon Solutions for the Graphite spyware has prompted concerns about potential overreach and the implications for civil liberties. This situation underscores the global nature of the spyware dilemma and the challenges in regulating its use.
These incidents collectively highlight the urgent need for comprehensive oversight and regulation of spyware technologies. The targeting of civil society members, journalists, and activists poses a significant threat to human rights and democratic principles. Addressing this crisis requires coordinated international efforts to establish clear legal frameworks that prevent the abuse of surveillance tools.
The founders of Mediterranea Saving Humans, an NGO that tries to protect refugees crossing the Mediterranean, were targeted by the spyware approved by the Italian government. Photograph: Olmo Calvo/AP
The Italian government approved the use of a sophisticated surveillance tool to spy on members of a humanitarian NGO because they were allegedly deemed a possible threat to national security, MPs have heard.
Alfredo Mantovano, a cabinet undersecretary, made the admission during a classified meeting with Copasir, the parliamentary committee for national security, according to a person familiar with the situation.
Copasir is investigating whether the secret services breached the law in using Graphite, military-grade spyware made by the Israel-based Paragon Solutions, to monitor activists and journalists, and is expected to report on its findings soon.
Giorgia Meloni’s government has been under pressure to address the case since January, when a handful of Italian activists and a journalist received warnings from WhatsApp, the messaging app owned by Meta, that their phones had been targeted by spyware.
A China-linked advanced persistent threat group, dubbed ‘Weaver Ant,’ infiltrated the network of a major Asian telecommunications provider and maintained unauthorized access for over four years. This prolonged intrusion was characterized by sophisticated techniques designed to evade detection and persist within the compromised environment.
Weaver Ant employed an operational relay box (ORB) network, primarily consisting of compromised Zyxel customer-premises equipment (CPE) routers. This strategy allowed them to proxy their malicious traffic, effectively concealing their infrastructure and activities from standard monitoring tools.
Initial access was achieved using an AES-encrypted variant of the China Chopper web shell, a tool that facilitates remote control of servers while bypassing firewall restrictions. This allowed the attackers to establish a foothold within the telecommunications provider’s network.
As their operation progressed, Weaver Ant deployed a more advanced, custom-built web shell known as ‘INMemory.’ This tool leverages a dynamic-link library (DLL) named ‘eval.dll’ to execute code directly in the host’s memory, enhancing stealth and reducing the likelihood of detection.
Despite multiple attempts by the affected telecommunications provider to eradicate the intrusion, Weaver Ant demonstrated resilience, maintaining their covert presence over an extended period. This underscores the group’s sophistication and the challenges organizations face in defending against such advanced threats.
This incident highlights the critical importance for organizations, especially those in the telecommunications sector, to implement robust cybersecurity measures. Regular network monitoring, timely patching of vulnerabilities, and comprehensive incident response strategies are essential to detect and mitigate such sophisticated cyber espionage activities.
Spyware can collect personal information, such as Internet browsing habits and email addresses, and send it to third parties without the user’s permission.
Paragon Solutions, an Israeli cybersecurity firm co-founded in 2019 by former Israeli Defense Forces Unit 8200 commander and ex-Prime Minister Ehud Barak, has developed advanced spyware capable of infiltrating both Android and iOS devices. This spyware can access encrypted messaging apps, posing significant risks to targeted individuals.
Recent investigations by Citizen Lab have uncovered that Paragon’s spyware has been used to target journalists, humanitarian workers, and activists globally. Notably, WhatsApp notified over 90 individuals about potential spyware attacks linked to Paragon. Collaborations with some victims allowed researchers to trace the spyware’s usage across multiple continents, highlighting its extensive reach.
Specific incidents include the Ontario Provincial Police’s alleged use of Paragon’s spyware, raising concerns about surveillance practices within democratic nations. While the police assert compliance with legal standards, the deployment of such tools against civil society actors has sparked debates over privacy and human rights.
In another case, Libyan activist Husam El Gomati, based in Sweden, was alerted by WhatsApp about a spyware attack while he was sharing information on human rights abuses in Libya. This incident underscores the potential misuse of surveillance technologies against individuals documenting governmental misconduct.
The proliferation of sophisticated spyware like Paragon’s raises pressing questions about the balance between national security and individual privacy. The potential for misuse against non-threatening individuals necessitates robust oversight and regulation to prevent abuses.
As spyware technologies become more advanced, the international community must address the ethical implications of their use. Ensuring that such tools are not employed to suppress dissent or violate human rights is crucial in maintaining democratic principles and protecting civil liberties.
Ronan Farrow Exposes Secrets of High-Tech Spyware in New Film “Surveilled”
Pulitzer Prize-winning journalist Ronan Farrow and filmmaker Matthew O’Neill explore the alarming world of high-tech surveillance in their HBO documentary Surveilled. Farrow’s interest began after being tracked by Black Cube, an Israeli private intelligence firm, during his investigation of Harvey Weinstein’s misconduct. This experience led him to uncover more advanced surveillance technologies, including Pegasus spyware.
The documentary highlights Pegasus’s misuse by authoritarian regimes and democratic states like Greece, Poland, and Spain, targeting journalists and dissidents. Farrow interviews a former NSO Group employee, the makers of Pegasus, revealing its widespread abuse.
Farrow also uncovers that U.S. agencies under both the Biden and Trump administrations considered using such spyware. However, the full extent of its deployment remains unclear, raising concerns about unchecked surveillance practices globally.
Mercenary spyware, often employed by authoritarian regimes and criminal groups, poses a significant threat to personal data and device security. These sophisticated tools, such as NSO Group’s Pegasus, exploit zero-click vulnerabilities, enabling complete compromise of devices like smartphones without any user interaction. Victims frequently include journalists, human rights activists, opposition politicians, and other high-risk individuals targeted for their activities or affiliations.
Apple has adopted proactive measures to mitigate these threats, including real-time detection mechanisms within its iOS system. When a potential compromise is identified—often through integrity checks—the company notifies users with targeted alerts. However, the underlying detection methods remain undisclosed to prevent tipping off spyware developers. Apple also encourages affected users to activate “Lockdown Mode,” a feature designed to limit potential attack vectors by disabling specific device functions.
Despite such efforts, the challenge of countering mercenary spyware remains daunting. Companies like NSO invest heavily in discovering zero-day vulnerabilities, creating a continuous cat-and-mouse dynamic between attackers and defenders. The opaque nature of hardware designs, particularly in baseband processors, further complicates defense strategies, as these components can serve as hidden entry points for attackers.
Public awareness and accountability measures are crucial to addressing these threats. Transparency in security practices, ongoing research into vulnerabilities, and the imposition of legal restrictions on spyware developers and clients are essential steps. International cooperation is also critical, given the global nature of spyware deployments.
Ultimately, tackling the menace of mercenary spyware requires a multi-pronged approach involving technology companies, governments, and civil society. Protecting privacy and ensuring digital security for all individuals—not just high-profile targets—must remain a top priority. For more details on recent developments in detecting such spyware, see sources like HelpNetSecurity, Schneier on Security, and 9to5Mac.
Recent research shows that Predator spyware, once believed to be inactive due to U.S. sanctions, has resurfaced with improved evasion tactics. Despite efforts to curtail its usage, Predator is still being used in countries like the Democratic Republic of the Congo (DRC) and Angola, where it targets high-profile individuals. Its updated infrastructure makes it more difficult to track victims, underscoring the need for strong cybersecurity defenses. Risk mitigation strategies include regular software updates, enabling lockdown modes, and deploying mobile device management systems. As spyware becomes more sophisticated, international collaboration is crucial to regulating and limiting its spread.
Predator spyware, once linked to Intellexa, has resurfaced after a period of reduced activity, despite sanctions and exposure. The reactivated spyware infrastructure poses renewed threats to privacy and security, as operators have adopted new techniques to obscure their activities, making it harder to track and attribute attacks. With capabilities like remote device infiltration and data exfiltration, governments can secretly monitor citizens and gather sensitive information.

Predator’s operators have strengthened their infrastructure by adding another layer of anonymization to their multi-tiered delivery system, making it more difficult to trace the origin and usage of the spyware. Though the attack methods, including “one-click” and “zero-click” exploits, remain similar, the increased complexity of the infrastructure heightens the threat to high-profile individuals such as politicians, executives, journalists, and activists. The expensive licensing of Predator indicates its use is reserved for strategic targets, raising concerns in the European Union, where investigations have uncovered its misuse against opposition figures and journalists in countries like Greece and Poland.

To counter the threat of Predator spyware, individuals and organizations should prioritize security measures like regular software updates, device reboots, and lockdown modes. Mobile device management (MDM) systems and security awareness training are also essential in protecting against social engineering and advanced spyware attacks.

As the demand for surveillance tools grows, the spyware market continues to expand, with new companies developing increasingly sophisticated tools. While there are ongoing discussions around stricter regulations, particularly following investigations by Insikt Group, the threat of spyware will persist until meaningful international action is taken.
In an era where digital connectivity has become ubiquitous, the line between privacy and surveillance has blurred. Nowhere is this more evident than in the proliferation of spy apps – discreet, powerful tools that grant unprecedented access to the lives of unsuspecting individuals. From tracking location and monitoring communications to covertly capturing audio and video, these applications represent a double-edged sword in the realm of technology.
Cybersecurity journalist Joseph Cox, author of the new book Dark Wire, tells us the wild, true story behind secure phone startup Anom.
On today’s episode of Decoder, I sat down with Joseph Cox, one of the best cybersecurity reporters around. Joseph spent a long time working at Vice’s tech vertical Motherboard, but last year, after Vice imploded, he and three other journalists co-founded a new site, called 404 Media, where they’re doing some really great work.
Criminals like drug traffickers represent a market for encrypted, secure communications away from the eyes of law enforcement. In the early mobile era, that gave rise to a niche industry of specialized, secured phones criminals used to conduct their business.
Joseph’s done a ton of reporting on this over the years, and the book ends up telling a truly extraordinary story: After breaking into a few of these encrypted smartphone companies, the FBI ended up running one of these secure phone services itself so it could spy on criminals around the world. And that means the FBI had to actually run a company, with all the problems of any other tech startup: cloud services, manufacturing and shipping issues, customer service, expansion, and scale.
The company was called Anom, and for about three years, it gave law enforcement agencies around the world a crystal-clear window into the criminal underworld. In the end, the feds shut it down in large part because it was too successful — again, a truly wild story. Now, with the rise of apps like Signal, most criminals no longer need specialized hardware, but that, of course, raises a whole new set of issues.
The book is a great read, but it also touches on a lot of things we talk about a lot here on Decoder. There really are bad people out there using tech to help them do bad things, but the same tools that keep their communications private help give everyone else their privacy, too — whistleblowers, dissenters, ordinary people like you and me.
There’s a deep tension between privacy and security that constantly runs through tech, and you’ll hear us really dig into the way tech companies and governments are forever going back and forth on it. There’s a lot here, and it’s a fun one.
A consumer-grade spyware app named pcTattletale has been discovered running on the check-in systems of at least three Wyndham hotels across the United States.
This alarming discovery was made by TechCrunch, which reported that the app stealthily captured screenshots of hotel booking systems, exposing sensitive guest details and customer information.
Due to a security flaw in the spyware, these screenshots were accessible to anyone on the internet, not just the intended users of the spyware.
Sensitive Guest Information Exposed
The spyware, pcTattletale, allows remote viewing of the target’s Android or Windows device and its data from anywhere in the world.
The app runs invisibly in the background, making it undetectable to the user.
However, a significant bug in the app means that anyone who understands the security flaw can download the screenshots directly from pcTattletale’s servers.
Security researcher Eric Daigle, who discovered the compromised hotel check-in systems, attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed.
Screenshots from two Wyndham hotels revealed the names and reservation details of guests on a web portal provided by travel tech giant Sabre.
Additionally, the screenshots displayed guests’ partial payment card numbers.
Another screenshot showed access to a third Wyndham hotel’s check-in system, logged into Booking.com’s administration portal used to manage guest reservations.
Hotel And Corporate Responses
The discovery has raised serious concerns about the security measures in place at these hotels.
The manager of one affected hotel expressed surprise, stating they were unaware that the spyware was taking screenshots of their check-in computer.
The managers of the other two hotels did not respond to TechCrunch’s calls or emails.
Wyndham spokesperson Rob Myers clarified that Wyndham is a franchise organization, meaning all its U.S. hotels are independently owned and operated.
However, Wyndham did not confirm whether it was aware of pcTattletale’s use on the front-desk computers of its branded hotels or whether such use was approved by Wyndham’s policies.

Booking.com, whose administration portal was accessed by the spyware, stated that its systems were not compromised.
Angela Cavis, a spokesperson for Booking.com, highlighted that this incident seemed to be an example of how cybercriminals target hotel systems through sophisticated phishing tactics.
These tactics often lead to unauthorized access to hotel accounts and attempts to impersonate the hotel or Booking.com to request customer payments.
This incident is the latest example of consumer-grade spyware exposing sensitive information due to security flaws. pcTattletale, marketed for child and employee monitoring, has also been promoted for use against spouses suspected of infidelity.
The app requires physical access to the target’s device for installation and offers a service to help customers install the spyware on the target’s computer.
Despite the serious implications of this security breach, Bryan Fleming, the founder of pcTattletale, did not respond to TechCrunch’s request for comment.
The exposure of sensitive guest information at these hotels underscores the urgent need for more robust cybersecurity measures and regulatory oversight to protect personal data from unauthorized access and misuse.
As investigations continue, the hospitality industry must reassess its security protocols to prevent such breaches in the future.
Apple has updated its documentation related to its warning system for mercenary spyware threats, now specifying that it alerts users when they may have been individually targeted by such attacks.
The revision points out companies like NSO Group, known for developing surveillance tools like Pegasus, which state actors often use for targeted attacks on individuals such as journalists, activists, politicians and diplomats.
In a blog post published on Wednesday, Apple highlighted the global and sophisticated nature of these attacks, which are costly and complex.
The update marks a shift in the wording from informing and assisting users targeted by state-sponsored attackers to specifically addressing mercenary spyware threats.
“It’s really important to recognize that mercenary spyware, unlike others, is deliberately designed with advanced capabilities, including zero-day exploits, complex obfuscation techniques, and self-destruct mechanisms, making it highly effective and hard to detect,” explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.
According to recent reports, Apple sent threat notifications to iPhone users in 92 countries, coinciding with the support page revision.
While Apple began sending threat notifications in November 2021, it refrained from attributing the attacks or notifications to any particular threat actor or region.
This development now aligns with global efforts to counter the misuse of commercial spyware, as evidenced by a coalition of countries, including the US, working to develop safeguards against invasive surveillance technology.
Moreover, a recent report by Google’s Threat Analysis Group (TAG) and Mandiant shed light on the exploitation of zero-day vulnerabilities in 2023, with commercial surveillance vendors being responsible for a significant portion of these exploits.
These vulnerabilities targeted web browsers and mobile devices, underscoring the increasing reliance of threat actors on zero days for evasion and persistence.
In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos.
Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more.
Ransomware remains primary cyberthreat for SMBs
The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web to advertise their ability and services to break specifically into SMB networks or sell ready-to-go-access to SMBs they’ve already cracked.
“The value of ‘data,’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation. For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Christopher Budd, director of Sophos X-Ops research at Sophos.
“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.
While the number of ransomware attacks against SMBs has stabilized, it continues to be the biggest cyberthreat to SMBs. Out of the SMB cases handled by Sophos Incident Response (IR), which helps organizations under active attack, LockBit was the top ransomware gang wreaking havoc. Akira and BlackCat were second and third, respectively. SMBs studied in the report also faced attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox.
BEC attacks grow in sophistication
Ransomware operators continue to change ransomware tactics, according to the report. This includes leveraging remote encryption and targeting managed service providers (MSPs). Between 2022 and 2023, the number of ransomware attacks that involved remote encryption—when attackers use an unmanaged device on organizations’ networks to encrypt files on other systems in the network—increased by 62%.
In addition, this past year, Sophos’s Managed Detection and Response (MDR) team responded to five cases involving small businesses that were attacked through an exploit in their MSPs’ remote monitoring and management (RMM) software.
Following ransomware, business email compromise (BEC) attacks were the second highest type of attacks that Sophos IR handled in 2023, according to the report.
These BEC attacks and other social engineering campaigns contain an increasing level of sophistication. Rather than simply sending an email with a malicious attachment, attackers are now more likely to engage with their targets by sending a series of conversational emails back and forth or even calling them.
In an attempt to evade detection by traditional spam prevention tools, attackers are now experimenting with new formats for their malicious content, embedding images that contain the malicious code or sending malicious attachments in OneNote or archive formats. In one case Sophos investigated, the attackers sent a PDF document with a blurry, unreadable thumbnail of an “invoice.” The download button contained a link to a malicious website.
Google says spyware vendors behind most zero-days it discovers…
Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google’s Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide.
Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes.
Google’s TAG has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties.
Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.
“This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.” – Google
Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.
Some notable CSVs highlighted in Google’s report are:
Cy4Gate and RCS Lab: Italian firms known for the “Epeius” and “Hermit” spyware for Android and iOS. The former acquired the latter in 2022, but they operate independently.
Intellexa: Alliance of spyware firms led by Tal Dilian since 2019. It combines technologies like Cytrox’s “Predator” spyware and WiSpear’s WiFi interception tools, offering integrated espionage solutions.
Negg Group: Italian CSV with international reach established in 2013. It is known for “Skygofree” malware and “VBiss” spyware, targeting mobile devices through exploit chains.
NSO Group: Israeli firm famous for Pegasus spyware and other sophisticated espionage tools. It continues operations despite sanctions and legal issues.
Variston: Spanish CSV providing tailored security solutions. It collaborates with other vendors for zero-day exploits and is linked to the Heliconia framework, expanding in the UAE.
These vendors sell licenses to use their products for millions of dollars, allowing customers to infect Android or iOS devices using undocumented one-click or zero-click exploits.
Some of the exploit chains utilize n-days, which are known flaws for which fixes are available, yet patching delays still make them exploitable for malicious purposes, often for extended periods.
Google says that CSVs have grown very aggressive in their hunt for zero-days, developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023.
In the appendix of Google’s detailed report, one can find a list of 74 zero-days used by 11 CSVs. Of those, the majority are zero-days impacting Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).
When white-hat researchers discover and fix the exploited flaws, CSVs often incur significant operational and financial damage as they struggle to reconstruct a working alternative infection pathway.
“Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles,” says Google.
“When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating.”
However, this is not enough to stop the proliferation of spyware, as the demand for these tools is strong, and the contracts are too lucrative for CSVs to give up.
Google calls for more action to be taken against the spyware industry, including higher levels of collaboration among governments, the introduction of strict guidelines that govern the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors.
Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.
A US court has rejected spyware vendor NSO Group’s motion to dismiss a lawsuit filed by Apple that alleges the developer violated computer fraud and other laws by infecting customers’ iDevices with its surveillance software.
Apple sued NSO, developer of the notorious Pegasus spyware, back in November 2021 and asked the court to permanently ban NSO from using any Apple software, services, or devices. The lawsuit alleges that the company violated the US Computer Fraud and Abuse Act (CFAA), California’s Unfair Competition Law, and the terms of use for Apple’s own iCloud when its spyware was installed on victims’ devices without their knowledge or consent. NSO now must answer Apple’s complaint by February 14.
Pegasus infected Apple customers’ devices via a zero-click exploit called FORCEDENTRY, according to Cupertino. Once it lands on a phone, the spyware allows its operators to snoop on phone calls and messages and to access the phone’s camera and microphone without permission.
Despite the surveillance-software maker’s claims that it only sells to government agencies, and even then, only to investigate terrorism or other serious crimes, the software has repeatedly been used to spy on journalists, activists, political dissidents, diplomats and government officials. This has led to US sanctions against the company and several lawsuits.
Last March, NSO asked the court to toss Apple’s lawsuit, arguing that Cupertino should be required to sue the developer in Israel, its home jurisdiction. It also claimed that Apple can’t sue over CFAA violations because the iGiant itself didn’t suffer any damages or loss [PDF].
The court, in its ruling on Monday, dismissed these arguments, noting that “the anti-hacking purpose of the CFAA fits Apple’s allegations to a T, and NSO has not shown otherwise.”
“A ‘loss’ is ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service’ … That is precisely the loss Apple has alleged here,” the judge continued [PDF].
When asked about the judge’s ruling, an NSO Group spokesperson said the software maker will fight on.
“The motion to dismiss is part of the legal process in this case,” the NSO spokesperson told The Register. “The technology in question is critical to law enforcement and intelligence agencies in their efforts to maintain public safety. We are confident that once the arguments are presented, the Court will rule in our favor.”
Apple, meanwhile, took the win, and a spokesperson told The Register that this lawsuit is just one of the ways the iGiant is fighting back against spyware vendors.
These include the new Lockdown Mode security feature, the threat notifications it sends to users who may be targets in nation-state attacks, and a $10 million grant to support civil society organizations that research spyware threats and conduct advocacy on the topic through the Ford Foundation.
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.
Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.
Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.
AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.
The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
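The last of those queries is an algorithm rather than a lookup, and it is worth seeing how little code it takes. The following is an added example, not part of the essay: it runs over a constructed set of location pings and power on/off events for three phones and returns the pairs whose movements fit the pattern (converging, a near-simultaneous blackout of roughly an hour, then diverging). Every device name, coordinate, timestamp and threshold is invented for illustration, and the meeting radius is an extra check, assumed here, that stops two devices being matched merely because both happened to be off at the same time.

```python
from dataclasses import dataclass
from itertools import combinations
from math import hypot


@dataclass(frozen=True)
class Ping:
    device: str
    t: int        # minutes since midnight (constructed timeline)
    x: float
    y: float


@dataclass(frozen=True)
class PowerEvent:
    device: str
    t: int
    state: str    # "off" or "on"


def _pings_for(pings, device):
    return sorted((p for p in pings if p.device == device), key=lambda p: p.t)


def _dist(a, b):
    return hypot(a.x - b.x, a.y - b.y)


def _blackouts(events, device):
    """(off_time, on_time) pairs for one device, in chronological order."""
    out, pending = [], None
    for e in sorted((e for e in events if e.device == device), key=lambda e: e.t):
        if e.state == "off":
            pending = e.t
        elif e.state == "on" and pending is not None:
            out.append((pending, e.t))
            pending = None
    return out


def _last_two_before(ps, t):
    before = [p for p in ps if p.t <= t]
    return before[-2:] if len(before) >= 2 else None


def _first_two_after(ps, t):
    after = [p for p in ps if p.t >= t]
    return after[:2] if len(after) >= 2 else None


def find_secret_meetings(pings, events, off_slack=15, on_slack=15,
                         min_gap=45, max_gap=90, meet_radius=1.0):
    """Return (device_a, device_b, off_time, on_time) for every pair of devices
    that converged, went dark within `off_slack` minutes of each other, came
    back within `on_slack` minutes of each other after a blackout lasting
    `min_gap`..`max_gap` minutes, and then diverged. `meet_radius` (an added
    check) requires the two to have been close at the last ping before going dark."""
    devices = sorted({p.device for p in pings})
    hits = []
    for a, b in combinations(devices, 2):
        pa, pb = _pings_for(pings, a), _pings_for(pings, b)
        for off_a, on_a in _blackouts(events, a):
            for off_b, on_b in _blackouts(events, b):
                if abs(off_a - off_b) > off_slack or abs(on_a - on_b) > on_slack:
                    continue
                gap = max(on_a, on_b) - min(off_a, off_b)
                if not min_gap <= gap <= max_gap:
                    continue
                pre_a, pre_b = _last_two_before(pa, off_a), _last_two_before(pb, off_b)
                post_a, post_b = _first_two_after(pa, on_a), _first_two_after(pb, on_b)
                if not (pre_a and pre_b and post_a and post_b):
                    continue
                converging = _dist(pre_a[1], pre_b[1]) < _dist(pre_a[0], pre_b[0])
                together = _dist(pre_a[1], pre_b[1]) <= meet_radius
                diverging = _dist(post_a[1], post_b[1]) > _dist(post_a[0], post_b[0])
                if converging and together and diverging:
                    hits.append((a, b, min(off_a, off_b), max(on_a, on_b)))
    return hits


def sample_data():
    """Constructed data: A and B walk toward each other, both go dark for about
    an hour, then walk apart; C is a decoy that is off at the same time but is
    never near either of them."""
    pings = [
        Ping("A", 540, 0.0, 0.0), Ping("A", 550, 4.0, 0.0), Ping("A", 555, 4.8, 0.0),
        Ping("A", 617, 5.0, 0.0), Ping("A", 627, 1.0, 0.0),
        Ping("B", 540, 10.0, 0.0), Ping("B", 550, 6.0, 0.0), Ping("B", 555, 5.2, 0.0),
        Ping("B", 619, 5.0, 0.0), Ping("B", 629, 9.0, 0.0),
        Ping("C", 540, 50.0, 50.0), Ping("C", 555, 50.0, 50.0),
        Ping("C", 618, 50.0, 50.0), Ping("C", 628, 50.0, 50.0),
    ]
    events = [
        PowerEvent("A", 556, "off"), PowerEvent("A", 616, "on"),
        PowerEvent("B", 557, "off"), PowerEvent("B", 618, "on"),
        PowerEvent("C", 556, "off"), PowerEvent("C", 617, "on"),
    ]
    return pings, events


if __name__ == "__main__":
    print(find_secret_meetings(*sample_data()))  # [('A', 'B', 556, 618)]
```

The point is not the thresholds, which any analyst would tune, but that the whole query is a few dozen lines over data that carriers and app vendors already retain; the cost of asking it, once the data exists, is close to zero.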
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.
This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.
Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.
Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.
In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.
We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?
In the first half of 2023, Mandiant Managed Defense observed a threefold increase in attacks that use infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority could be attributed to several active USB-based campaigns affecting both public and private sector organizations globally.
Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense:
SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
This is the most prevalent USB-based cyber espionage campaign we observe and one of the most aggressive, targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware and steal sensitive information from the host.
Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.
SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia
This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.
Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry.
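Those behaviours (a payload launched from removable media, a command prompt spawned by it, and a registry change shortly afterwards) can be chained into a detection. The following is an added example, not Mandiant’s code and not tied to either campaign’s actual indicators: it classifies constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records and flags hosts where execution from a removable drive is followed by a Run-key write within a few minutes. The drive letter treated as removable, the hostnames, paths and timestamps are all invented; Run/RunOnce keys stand in for the “registry modification” the report mentions without naming a key. On a real host the removable drive letters would come from the disk inventory and the records from an actual Sysmon export.

```python
import re
from collections import defaultdict

# Drive letters treated as removable. Assumption for this example: on a real
# host the set would be built from the disk inventory (e.g. WMI Win32_LogicalDisk
# with DriveType 2) rather than hard-coded.
REMOVABLE_DRIVES = {"E:"}

# Run / RunOnce keys are used as the representative registry persistence target.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed Sysmon-style records. Field names mirror Sysmon (EventID, Image,
# ParentImage, TargetObject); UtcTime is simplified to integer epoch seconds.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": 1000, "EventID": 1,
     "Image": r"E:\Documents\report.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS01", "UtcTime": 1005, "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"E:\Documents\report.exe"},
    {"Computer": "WS01", "UtcTime": 1060, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"Computer": "WS02", "UtcTime": 2000, "EventID": 1,
     "Image": r"C:\Program Files\App\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS02", "UtcTime": 2010, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor"},
]


def on_removable(path, drives=REMOVABLE_DRIVES):
    """True if a Windows path starts with a drive letter we treat as removable."""
    return bool(path) and path[:2].upper() in drives


def classify(event):
    """Tag a single event with the suspicious behaviours it exhibits."""
    tags = []
    if event["EventID"] == 1:  # process creation
        image = event.get("Image", "")
        parent = event.get("ParentImage", "")
        if on_removable(image):
            tags.append("exec_from_removable")
        if image.lower().endswith(r"\cmd.exe") and on_removable(parent):
            tags.append("cmd_spawned_by_removable")
    elif event["EventID"] == 13:  # registry value set
        if RUN_KEY_RE.search(event.get("TargetObject", "")):
            tags.append("run_key_write")
    return tags


def correlate(events, window=300):
    """Per host: collect tags and flag a chain of removable-media execution
    followed by a Run-key write within `window` seconds."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["UtcTime"]):
        tags = classify(event)
        if tags:
            by_host[event["Computer"]].append((event["UtcTime"], tags))

    alerts = {}
    for host, items in by_host.items():
        exec_times = [t for t, tags in items
                      if "exec_from_removable" in tags or "cmd_spawned_by_removable" in tags]
        chained = any(
            "run_key_write" in tags and any(0 <= t - et <= window for et in exec_times)
            for t, tags in items
        )
        alerts[host] = {
            "tags": sorted({tag for _, tags in items for tag in tags}),
            "chained": chained,
        }
    return alerts


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result)
```

A lone Run-key write (WS02 above) is noise on most fleets, which is why the example only escalates when it follows execution from removable media on the same host; the same chaining idea extends to staging-directory creation and USB-to-USB copies, which the report also lists.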
The White House National Security Council cautioned on Wednesday that it will review any attempted takeover of foreign commercial surveillance software by an American company to determine whether the acquisition poses a “counterintelligence threat” to the U.S. government.
The statement came in response to reporting from the Guardian revealing that a chewing gum heir and producer of several Adam Sandler movies is considering a bid for the NSO Group, including its powerful Pegasus spyware.
The Biden administration is concerned about the spread of foreign commercial surveillance tools like Pegasus and believes they “pose a serious counterintelligence and security risk to U.S. personnel and systems,” the statement said.
The Hollywood producer, Robert Simonds, was responsible for more than 30 movies that made in excess of $6 billion earlier in his career and more recently had worked as the chairman of STX Entertainment, which Variety calls a “fully integrated entertainment outlet” focused on expanding into emerging global markets on a variety of platforms. Simonds’ credits with Sandler include “Happy Gilmore,” “The Wedding Singer” and “Billy Madison.”
According to the Guardian, Simonds was recently picked to run the Luxembourg-based holding company controlling NSO. Sources told the Guardian that Simonds is considering ways to take over some of the spyware firm’s assets in an effort to give the Five Eyes intelligence partnership of the US, the UK, Canada, Australia and New Zealand exclusive access to the potent technology.
Pegasus and similar tools are being “misused around the world to enable human rights abuses and target journalists, human rights activists, political opposition members, or others perceived as dissidents and critics,” the White House statement said, noting that the Biden administration has launched a government-wide effort to stop Pegasus and other foreign commercial surveillance software from spreading. In March, the administration issued an executive order barring all U.S. government agencies from using the spyware, among other measures.
In its statement the White House also warned that U.S. companies should “be aware that a transaction with a foreign entity on the Entity List will not automatically remove the designated entity from the Entity List.” The list, published by the United States Department of Commerce’s Bureau of Industry and Security (BIS), restricts trade with specified foreigners, foreign entities, or governments. Companies included on the Entity List must meet strict licensing requirements for exports.
NSO has been on the Entity List since 2021. Despite the controversy swirling around the firm, its unprecedented technology has long attracted the attention of investors. Pegasus can hack into users’ phones remotely, activating the camera and microphone without a user knowing, as well as intercept all communications, including over encrypted apps like Signal.
Last July, the American defense firm L3Harris decided not to pursue a bid for NSO after initial explorations led to a backlash from the Biden administration.
Security researchers have uncovered fresh malware with hacking capabilities comparable to those of Pegasus, the spyware developed by NSO Group. The software, sold by an Israeli firm named QuaDream, has previously been used by the company’s customers to target journalists, political opposition leaders, and an employee of an NGO.
NEW REPORT: SWEET QUADREAMS: A first look at #spyware vendor QuaDream’s spy tools, victims and customers. We identified traces of suspected exploit deployed against iOS versions 14.4 and 14.4.2 and possibly other versions as zero-day vulnerability. https://t.co/u7jcxJpu9H
The malware reached victims’ phones when the spyware’s operators, believed to be government customers, sent them iCloud calendar invitations. The attacks took place between 2019 and 2021, and the hacking tool used has been named “Reign.”
A phone infected with Reign can, like one infected with Pegasus, record conversations taking place near the phone, read messages stored in encrypted apps, listen to phone calls, track the user’s location, and generate two-factor authentication codes on the iPhone in order to break into the user’s iCloud account.
Apple, which markets its security as among the best in the world, has taken another hit from these disclosures; Reign appears to pose a significant danger to the security of the company’s phones.
QuaDream’s spyware reaches an iPhone when the operators, believed to be government customers, send the target an iCloud calendar invitation. Because the invitations were for events dated in the past, the targets were never notified of them. Attacks of this kind are called “zero-click” because the victim does not have to open a malicious link or take any other action to be infected.
Once installed, the spyware can take control of the device’s microphone to record nearby conversations, read messages sent through encrypted applications, listen in on phone calls, and monitor the user’s location. It can also generate two-factor authentication tokens on the iPhone to get into the user’s iCloud account, which lets the operator exfiltrate data directly from iCloud, a significant advantage.
Unlike NSO Group, QuaDream keeps a low public profile. The firm has no website and provides no other public contact information. The email address of Israeli attorney Vibeke Dank was listed on QuaDream’s business registration; she did not respond to a letter requesting comment.
Citizen Lab did not name the individuals found to have been targeted with Reign, but said that more than five victims, described as journalists, political opposition figures, and an NGO employee, were located in North America, Central Asia, Southeast Asia, Europe, and the Middle East. Citizen Lab also said it was able to identify operator locations for the malware in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan.
In a security report that was published in December 2022 by Meta, the corporation that owns Facebook, the name of the firm was mentioned briefly. The report defined QuaDream as being an Israeli-based startup that was created by former NSO personnel.
At the time, Meta stated that it had removed 250 accounts on Facebook and Instagram linked to QuaDream. Meta believed the spyware maker was using these fake accounts to test its capabilities, including exfiltrating data such as text messages, images, video files, and audio files.
The discovery of Reign underscores the continuing spread of very powerful hacking tools, even as NSO Group, developer of one of the world’s most sophisticated cyberweapons, has come under intense scrutiny and been placed on the U.S. Commerce Department’s Entity List by the Biden administration, likely limiting its access to new clients.
An Apple AirTag can make it easier to keep track of your most important belongings, such as keys, a wallet, remote controls, or even a motorcycle. Yet reports that AirTags have been used to track people without their consent have cast an unfavorable light on how these devices are used. If you suspect someone is monitoring your movements with an AirTag, your iPhone may warn you before you have to do anything. If you believe you are in danger because someone is following you without your permission and decide to contact law enforcement, Apple can provide them with further information about the AirTag’s owner.
You will be notified
If you have an iPhone and an AirTag is traveling with you, your phone may show a notification that says “AirTag Found Moving With You.” This happens when both of the following conditions are met: the AirTag has been separated from its owner, and your iPhone is awake.
Separately, an AirTag that has been away from its owner for a while plays a sound when it is moved. The same applies to other accessories that work with the Find My network, such as AirPods, AirPods Pro, or AirPods Max: each will play a sound when moved while away from its owner.
Verify that Tracking Notifications is turned on. If you do not receive an alert, you may need to complete the following steps to ensure tracking alerts are active:
Open Settings, choose Privacy, then Location Services, and make sure Location Services is on. Under System Services, turn on Find My iPhone and Significant Locations. Go back to Settings, choose Bluetooth, and make sure Bluetooth is on. Finally, open the Find My app, tap the Me tab, and turn on Tracking Notifications.
Use the Find My app. When an AirTag is separated from its owner, it plays a sound whenever it is moved so that others can find it. If you hear a sound you cannot identify and suspect it may be an AirTag, confirm the settings in the previous step, then open the Find My app to check whether an AirTag is detected.
Make the AirTag play a sound. If you have been notified that an AirTag is traveling with you, the Find My app lets you play a sound on the device to locate it more quickly: tap the alert, tap Continue, then tap Play Sound (or Find Nearby, on iPhones that support it).
Check the AirTag’s details. Once you have found the AirTag, you can read the information it carries with your iPhone or any other NFC-capable smartphone. Hold the top of your iPhone near the white side of the AirTag and wait for it to be recognized. A notification appears with a link to a webpage that shows the AirTag’s serial number and the last four digits of the owner’s phone number. If the AirTag was reported lost, the owner may also have included contact information so that whoever finds it can get in touch.
Disable the AirTag. Once you disable an AirTag, its owner can no longer see its location or receive updates about it. Removing the battery is all it takes: press down on the polished stainless steel side of the AirTag, rotate it counterclockwise until it stops, lift the cover off, and take out the battery.
An AirTag can reveal another person’s position as long as it stays close to them, because any nearby iPhone relays the tag’s location to its owner through the Find My network. And with Apple’s release of an official app for detecting AirTags on Android, you no longer need an Apple device to check for one. There is, however, one significant limitation.
Alongside Apple Music, the Beats app, and Move to iOS, Tracker Detect is one of the few Apple applications available for Android. You can use the app to scan for unknown AirTags nearby and, once you have zeroed in on one, to play a sound on it. From there you can read the AirTag with an NFC reader or disable it by removing its battery. The functionality is basic, even if the interface looks good. Because the app has no automatic scanning, you will not receive alerts about unknown AirTags as you would on an iPhone; you have to open the app and scan manually every time. Many reviewers argue that this makes Tracker Detect close to worthless, since it ought to be able to scan automatically. Manually searching your surroundings for AirTags every five minutes is not a good use of anyone’s day.
Nor is there a technical roadblock to doing that on Android: all it takes is Bluetooth Low Energy (BLE). Enabling automatic scanning on non-Apple devices, and letting them participate in Apple’s Find My network, would also considerably improve the odds of finding AirTags in general. If you have an Android device and want to be able to scan for AirTags, the app is available in the Google Play Store.
Variston IT, a Barcelona-based spyware vendor, has been exploiting flaws while posing as a provider of custom cybersecurity solutions.
On 30th November, Google’s Threat Analysis Group (TAG) reported that Variston IT, a Barcelona-based company that is in fact a spyware vendor, had been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider.
In its detailed technical report, TAG explained that Variston IT had been using an exploitation framework called Heliconia to install spyware on targeted devices. Google’s researchers learned of the framework through an anonymous submission to Chrome’s bug reporting program.
Heliconia actually comprises three separate exploitation frameworks. The first exploits a bug in Chrome’s renderer and then escapes the browser’s sandbox to run malware on the underlying operating system.
The second delivers malicious PDF documents containing an exploit for Windows Defender (the antivirus engine built into newer versions of Windows). The third compromises Windows and Linux machines with a set of Firefox exploits.
A manifest file in the source code provides a product description (Image: Google)
In its report, Google observed that the Firefox exploit chain works against Firefox versions 64 to 68, which suggests it was created and used as early as December 2018, when Firefox 64 was released.
Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. TAG added that, although it had not detected active exploitation, the vulnerabilities were likely exploited before they were fixed.
Pegasus is listening: Q&A with Paul Rusesabagina’s daughter Carine Kanimba
You may not recognize the name Carine Kanimba, but you have probably heard of her dad: Paul Rusesabagina. He was the manager of the Hôtel des Mille Collines and rather famously decided to shelter some 1,200 mostly Tutsi Rwandans in his hotel during the 1994 genocide in Rwanda. Don Cheadle played him in the movie Hotel Rwanda.
After, Rusesabagina became a superstar ambassador of human rights. He wrote an autobiography about his work during the genocide; President George W. Bush awarded him the Medal of Freedom; and he went on the speakers’ circuit not just talking about 1994 – but criticizing the current government of President Paul Kagame for trampling on human rights.
In August 2020, Rusesabagina boarded a private jet for what he thought would be a trip to Burundi, but instead he was rendered to Rwanda. He has since been sentenced to 25 years in prison.
Carine Kanimba was on Capitol Hill last week to talk not just about her dad (who adopted sisters Carine and Anaïse shortly after the genocide), but also her recent discovery that she’s been targeted by a commercial spyware program called Pegasus. And she believes the Rwandan government was behind it.
Pegasus spyware is the brainchild of an Israeli company called NSO Group and it has been found on the phones of so many activists around the world it has become a kind of cautionary tale about the commercial spyware industry. It has been linked to the murder of journalist Jamal Khashoggi, discovered on the phones of Mexican opposition leaders, Catalonian politicians, and journalists and lawyers around the world. (In a statement, NSO Group told Click Here that it “thoroughly investigates any claim for illegal use of its technology by customers, and terminates contracts when illegal use is found.”)
The Click Here podcast sat down with Kanimba shortly after her Congressional testimony to talk to her about her role as a human rights advocate, what it is like finding oneself on the receiving end of a spyware campaign, and why she is confident she will win her father’s release. The interview has been edited and shortened for clarity.
CLICK HERE: We wanted to start by saying we’re very sorry about what you’re going through with your father…
NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor you’ve never heard of: L3Harris Technologies, Inc. Doesn’t that give you a warm, tingly feeling inside?
Pictured is Christopher E. “Call Me Chris” Kubasik, L3Harris’s chairman and CEO. He’s no doubt disappointed that the White House put the kibosh on the deal—especially as other bits of the government gave tacit approval (or so we’re told).
But is everything quite as it seems? In today’s SB Blogwatch, we pay attention to the man behind the curtain.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WINBOOT.AVI
“L3Harris and NSO declined to comment” A team of executives from an American military contractor quietly … in recent months [attempted] a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished. … They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier [because it] had acted “contrary to the national security or foreign policy interests of the United States,” the Biden administration said. … But five people familiar with the negotiations said that the L3Harris team had brought with them a surprising message: … American intelligence officials, they said, quietly supported its plans to purchase NSO, whose technology over the years has been of intense interest to … the F.B.I. and the C.I.A. [But news of the] talks to purchase NSO seemed to blindside White House officials, [who] said they were outraged … and that any attempt by American defense firms to purchase [NSO Group] would be met by serious resistance. … While not a household defense industry name … L3Harris earns billions each year from American government contracts. … The company once produced a surveillance system called Stingray. … L3Harris and NSO declined to comment. … A spokeswoman for Avril Haines, the director of national intelligence, declined to comment. … The Commerce Department declined to give specifics about any discussions.
One arm of the government doesn’t know what another is doing? Say it ain’t so! Stephanie Kirchgaessner says it’s so—“US defence firm ends talks to buy NSO”:
“Definitive pushback” A person familiar with the talks said L3 Harris had vetted any potential deal for NSO’s technology with its customers in the US government and had received some signals of support from the American intelligence community. [But,] sources said, L3Harris had been caught off guard when a senior White House official expressed strong reservations about any potential deal. … Once L3Harris understood the level of “definitive pushback”, a person familiar with the talks said, “there was a view … that there was no way L3 was moving forward with this. … If the government is not aligned, there is no way for L3 to be aligned,” the person said.
“Could have resulted in the blacklisting being lifted” A deal for all or part of NSO would not be as simple as the two companies agreeing to terms, requiring permission from both the U.S. and Israeli governments. … NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices. … The deal falling apart may also leave NSO in a difficult situation: With the blacklisting in place, the company is limited in whom it can sell Pegasus to and what technology it can purchase. In contrast, an acquisition by an American company could have resulted in the blacklisting being lifted.
“NSO spent years pretending they changed” WHOA: Deal … tanked. … [It] helps explain recent signs of desperation from the spyware company. [An] American defense contractor acquiring a demonstrably-uncontrollable purveyor of insecurity would be … atrocious for human rights [and] bad for … counterintelligence. … This is not a company that prioritizes America’s national security. And it doesn’t play well with our tech sector. … NSO spent years pretending they changed … while using all available tricks to hide the fact that they kept doing … risky biz and dictator deals.
ELI5? Look on u/Ozymandias606’s words, ye mighty, and despair:
“Biden visits Israel tomorrow” Pegasus is a hacking tool [that] can turn anyone’s phone into a tracking and recording device without the owner clicking a link. [It] has been sold to governments over the past several years [who] used Pegasus to spy on journalists and activists. … The Commerce Department added Pegasus’ creator to a blacklist that has been slowly choking the company. … A US defense contractor later offered to buy Pegasus – and claims they had explicit permission from US intelligence agencies to do so under a number of conditions, [which] include turning over the software’s source code to the “Five Eyes” cybersecurity alliance. … So, a handful of Western nations … were trying to control access to a cyber weapon that appears to take control of any phone in the world. … Biden visits Israel tomorrow – his first visit to the country.
Are you hinting what I think you’re hinting? This Anonymous Coward rents the curtain (but is behind on the payments): [You’re fired—Ed.]
Unfortunately, many Americans are still in denial about what the US govt routinely do. … This is simply Tiktok 2.0 (or Alstrom 3.0). … Anyone who looked at history will recognise the same pattern had happened many times already, including Alstrom in France. US will buy out any company, by force or by trickery, that took lead in any area the US deemed important.
Lockdown mode is nothing. It can’t work. If the software is compromised, letting software be the security can’t work. Every cell phone really needs to have 3 mechanical switches and a removable battery. 1 switch for power, 1 for the mic and 1 for the camera.
What next? The Combat Desert Penguin—@wolverine_salty—ponders alternative buyers:
Is Thiel interested?
Meanwhile, with a similarly snarky stance, here’s kmoser: