LuckyStep - stock.adobe.com
Google issued a call to action on the rising threat spywares vendors pose to its users, warning that such companies are a driving force in the exploitation of zero-day vulnerabilities.
Google's Threat Analysis Group (TAG) published a new report Tuesday, titled "Buying Spying: Insights into Commercial Surveillance Vendors," which highlighted the persistent and ongoing abuse of spyware. TAG researchers showed the threat is perpetuated by commercial surveillance vendors' (CSVs) ability to develop exploit chains that leverage both zero-day and known vulnerabilities.
CSV's role in zero-day exploitation was a focal point of the TAG report, which included some alarming data. For example, Google attributed half of the known zero-day exploits used against its products to CSVs.
In an accompanying blog post on Tuesday, Shane Huntley, senior director of TAG, warned that CSVs offer "pay-to-play tools" that bundle surveillance software with exploit chains that are designed to circumvent security measures on targeted devices. "Private sector firms have been involved in discovering and selling exploits for many years, but there is a rise in turnkey espionage solutions."
The report also detailed the real-life harm spyware has caused for journalists, human rights activists and government opposers or what TAG refers to as "high-risk users." In March, TAG detailed campaigns it investigated that showed CSVs were increasingly exploiting zero days against Android, iOS and Chrome. But now the problem has warranted more than a warning. TAG's new report said government, industry and civil action are required to fight the spyware threat.
"TAG continues to see CSV tools used in ways that harm not only targeted individuals, but society at large," the report said.
While global government initiatives implemented over the past two years have been effective, TAG said more efforts are required to produce sustained action. The sentiment was echoed last week during a SANS Cyber Threat Intelligence Summit keynote by Citizen Lab senior researcher Bill Marczak.
Citizen Lab investigates and aids in disrupting the abuse of commercial spyware. However, Marczak emphasized CSV's ability to adapt quickly to any opposition and, like TAG, urged the threat requires additional government and industry action.
On top of CSVs adapting quickly to any bad publicity by changing names multiple times, TAG's report noted new companies emerge each year. Google researchers said the number of CSVs globally is "impossible to count."
Currently, TAG tracks around 40 CSVs that develop and sell exploits, and spyware to government customers. Examples include high-profile CSVs such as NSO Group, which has been hit with multiple lawsuits, and Italy-based Cy4Gate and Intellexa.
TAG found Cy4Gate's Epeius software targeted Android by exploiting five zero-day vulnerabilities. Intellexa, based in Greece, exploited 15 zero days against Google and other products.
"We assess with high confidence that the CSV Intellexa packaged these vulnerabilities and sold the hacking software to at least eight governments, including Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain and Indonesia," the report read.
Packaged exploits, services
The report emphasized the infrastructure CSVs provide to customers in addition to just selling spyware. CSVs offer technical expertise, develop exploit chains to deliver malware and help maintain persistence on the target's device. In addition to the CSVs themselves, the spyware market is composed of vulnerability researchers who find and sell zero-day flaws, exploit developers and brokers who weaponize those flaws, and government customers that purchase the finished spyware products.
TAG said CSVs pose a risk to users like any threat actor. Researchers attribute most of the zero-days they discover to CSVs. Unlike cybercriminals, though, they operate openly.
"Third, if governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect," the report read. "In 2023, TAG discovered 25 0-days being actively exploited in-the-wild, 20 of which were exploited by CSVs."
TAG researchers discovered 72 in-the-wild zero-day exploits between mid-2014 and 2023; they attributed 35 of them to CSVs. TAG estimates the number is likely even higher and noted how CSVs have accelerated efforts to develop their own zero-day exploits. For example, researchers uncovered 53 zero-day exploits between 2019 and 2023, and 33 were developed by CSVs.
While the fight often favors CSVs, vulnerability researchers are fighting back.
"Exploit chains are expensive and hard to develop. Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles," the report read.
The exploits typically affect Google's Android OS and Chrome web browser. TAG noted the spyware industry is particularly focused on targeting mobile devices, and customers can spy on multiple devices simultaneously for a hefty price. The report highlighted a pricing model for Intellexa's Nova system.
"For €8 million the customer receives the capability to use a remote 1-click exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 concurrent spyware implants at any one time," the report said.
It's clear CSVs are adept at hacking mobile devices. But TAG said new mitigations developed by vendors like Apple have stopped some exploits, if only temporarily. The report also emphasized CSVs' ability to adapt to such defenses and develop new exploits.
Can CSVs be stopped?
Though TAG said combatting spyware abuse requires sustained government regulation and policies, recent sanctions have yet to shut CSVs down. One prime example is NSO, which was sanctioned by the U.S. and EU in 2021 but continues to operate.
While investigating the device of a civil service organization in Washington, D.C. in September, Citizen Lab discovered a zero-click, zero-day exploit it dubbed "BlastPass." he exploit chain involved two Apple vulnerabilities and was used to deliver NSO Group's Pegasus spyware.
TAG discovered NSO activity even more recently. On Dec. 20, Google disclosed a heap-based buffer overflow vulnerability, tracked as CVE-2023-7204, that was being exploited in the wild against web browsers.
In Tuesday's report, TAG revealed the vulnerability's connection to spyware, though the target is unknown.
"In December 2023, TAG discovered a Chrome 0-day, CVE-2023-7204, used by an NSO customer," the report read.
Despite NSO Group's persistence, TAG applauded the U.S. sanctions imposed against the vendor as well as against Intellexa and another Israel-based CSV, Candira. However, TAG called for more sanctions that limit CSVs ability to operate or make money in the U.S.
The TAG report followed a new U.S. State Department policy announced on Monday to further address the threat of spyware. The policy imposes visa restrictions on individuals "involved in the misuse of commercial spyware."
Transparency was another important factor TAG petitioned for to hinder CSVs. Google researchers called on the government to "foster greater transparency" by setting requirements for the domestic surveillance industry and being more forthcoming regarding spyware it uses.
"The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use."
Arielle Waldman is a Boston-based reporter covering enterprise security news.