• Google says spyware vendors behind most zero-days it discovers
    https://www.bleepingcomputer.com/news/security/google-says-spyware-vendors-behind-most-zero-days-it-discovers

    Interesting on how threat capitalism is manufactured (one more step into surveillance capitalism).
    But when it is Google that wants to go after the companies selling spyware, one cannot help thinking that, this way, Google would end up being the only one knowing things about its users. And from there to taking advantage of it? Certainly not, come on, a monopoly like that is bigger than a public service, isn't it?

    Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google’s Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide.

    Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes.

    Google’s TAG has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties.

    Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.

    “This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.” - Google

    Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.

    Some notable CSVs highlighted in Google’s report are:

    Cy4Gate and RCS Lab: Italian firms known for the “Epeius” and “Hermit” spyware for Android and iOS. The former acquired the latter in 2022, but they operate independently.
    Intellexa: Alliance of spyware firms led by Tal Dilian since 2019. It combines technologies like Cytrox’s “Predator” spyware and WiSpear’s WiFi interception tools, offering integrated espionage solutions.
    Negg Group: Italian CSV with international reach established in 2013. It is known for “Skygofree” malware and “VBiss” spyware, targeting mobile devices through exploit chains.
    NSO Group: Israeli firm famous for Pegasus spyware and other sophisticated espionage tools. It continues operations despite sanctions and legal issues.
    Variston: Spanish CSV providing tailored security solutions. It collaborates with other vendors for zero-day exploits and is linked to the Heliconia framework, expanding in the UAE.

    These vendors sell licenses to use their products for millions of dollars, allowing customers to infect Android or iOS devices using undocumented 1-click or zero-click exploits.

    Some of the exploit chains utilize n-days, which are known flaws for which fixes are available, yet patching delays still make them exploitable for malicious purposes, often for extended periods.

    Google says that CSVs have grown very aggressive in their hunt for zero-days, developing at least 33 exploits for unknown vulnerabilities between 2019 and 2023.

    In the appendix of Google’s detailed report, one can find a list of 74 zero-days used by 11 CSVs. Of those, the majority are zero-days impacting Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).

    When white-hat researchers discover and fix the exploited flaws, CSVs often incur significant operational and financial damage as they struggle to reconstruct a working alternative infection pathway.

    “Each time Google and fellow security researchers discover and disclose new bugs, it causes friction for CSVs and costs them development cycles,” says Google.

    “When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating.”

    However, this is not enough to stop the proliferation of spyware, as the demand for these tools is strong, and the contracts are too lucrative for CSVs to give up.

    Google calls for more action to be taken against the spyware industry, including higher levels of collaboration among governments, the introduction of strict guidelines that govern the use of surveillance technology, and diplomatic efforts with countries hosting non-compliant vendors.

    Google is proactively countering spyware threats through solutions like Safe Browsing, Gmail security, the Advanced Protection Program (APP), and Google Play Protect, as well as by maintaining transparency and openly sharing threat information with the tech community.

    #Google #Logiciels_espions #Cybersécurité #Zero_days

  • Nations Buying as Hackers Sell Flaws in Computer Code - NYTimes.com
    http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

    Article on the very lucrative (and very organized) business that #piratage_informatique (computer hacking) has become, thanks... to states (with the United States as initiator and at the head of the pack) ready to pay out staggering sums (so staggering that Microsoft and company struggle to keep up, the article suggests) to discover vulnerabilities in other states' computer systems in order to penetrate them, with the opening of #boite_de_Pandore (Pandora's box) as a corollary.

    All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.

    Just a few years ago, #hackers (..) would have sold the knowledge of coding flaws to companies like Microsoft and Apple, which would fix them. Last month, Microsoft sharply increased the amount it was willing to pay for such flaws, raising its top offer to $150,000.

    But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “#Stuxnet.”

    The flaws get their name from the fact that once discovered, “#zero_days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “#zero-day_exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.

    “Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,’ ” said Howard Schmidt, a former White House cybersecurity coordinator. “The problem is that we all fundamentally become less secure.”

    A zero-day bug could be as simple as a hacker’s discovering an online account that asks for a password but does not actually require typing one to get in. Bypassing the system by hitting the “Enter” key becomes a zero-day exploit. The average attack persists for almost a year — 312 days — before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or “weaponized” by both criminals and governments to spy on, steal from or attack their target.

    Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free, in exchange for a T-shirt or perhaps for an honorable mention on a company’s Web site. Even today, so-called patriotic hackers in China regularly hand over the information to the government.

    Now, the market for information about computer vulnerabilities has turned into a gold rush. (...)

    Many technology companies have started “bug bounty” programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves. (...)

    (...)

    In one case, a zero-day exploit in Apple’s iOS operating system sold for $500,000, according to two people briefed on the sale.

    Still, said Mr. Soghoian of the A.C.L.U., “The bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market.”

    In many ways, the United States government created the market. When the United States and Israel used a series of flaws — including one in a Windows font program — to unleash what became known as the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race.

    (...)

    “I think it is fair to say that no one anticipated where this was going,” said one person who was involved in the early American and Israeli strategy. “And today, no one is sure where it is going to end up.”

    In a prescient paper in 2007, Charlie Miller, a former N.S.A. employee, (...) described how one American government agency offered him $10,000 for a Linux bug. He asked another for $80,000, which agreed “too quickly,” Mr. Miller wrote. “I had probably not asked for enough.”

    (...) the take-away for him and his fellow hackers was clear: There was serious money to be made selling the flaws.

    At their conventions, hackers started flashing signs that read, “No more free bugs.”

    Hackers like Mr. Auriemma, who once gave away their bugs to software vendors and antivirus makers, now sound like union organizers declaring their rights.

    “Providing professional work for free to a vendor is unethical,” Mr. Auriemma said. “Providing professional work almost for free to security companies that make their business with your research is even more unethical.”

    Experts say there is limited incentive to regulate a market in which government agencies are some of the biggest participants.

    “If you try to limit who you do business with, there’s the possibility you will get shut out,” Mr. Schmidt said. “If someone comes to you with a bug that could affect millions of devices and says, ‘You would be the only one to have this if you pay my fee,’ there will always be someone inclined to pay it.”

    “Unfortunately,” he said, “dancing with the devil in cyberspace has been pretty common.”