Spyware Proliferates To 45 Countries

Uploaded on 2018-09-21 in NEWS-Cybersecurity News, INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW

The malicious spyware has also been found in use in countries known for targeting human rights. The infamous Pegasus spyware, which targets iPhones and Android devices, has allegedly infiltrated 45 different countries across the globe, and six of those countries have used surveillance malware in the past to abuse human rights, a group of researchers claimed recently.

Researchers from the Universityof Toronto's The Citizen Lab scanned the internet in a massive project that took place between 2016 and 2018, sniffing out servers associated with the Pegasus mobile spyware, attributed to Israel-based company NSO Group as an offering for state-level actors around the world.

“The number of Pegasus servers we detected in our scans ballooned from about 200 in 2016 to almost 600 in 2018.  This may be an indication that NSO Group is scaling up their operations,” Bill Marczak, senior research fellow at The Citizens Lab and one of the researchers on the team, told Threatpost.

The malware has been active since August 2016 when it was discovered that the NSO Group was selling the mobile spyware to governments and third-parties who wanted its surveillance capabilities in order to read texts, track calls, collect passwords, trace phone locations and gather data from apps of victims.

Pegasus is generally spread through a specially crafted exploit link (via phishing techniques) which when clicked delivers a chain of zero-day exploits to penetrate security features on the phone. The Citizen Lab’s latest report shows that Pegasus has grown more widespread, and alleges that it’s being used by certain countries to target human rights.

That includes the expansion of Pegasus usage in Gulf Cooperation Council countries in the Middle East, particularly to track dissidents, such as UAE activist Ahmed Mansoor, who was targeted by the spyware in 2016; and an Amnesty International staffer and Saudi activist in June 2018.

“Our findings paint a bleak picture of the human-rights risks of NSO’s global proliferation,” researchers said in a recent post.

“At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates.”

The spyware has been abused in this way in the past, in 2017, it was discovered that dozens of Mexican journalists and lawyers (and even a child) had their devices infected by Pegasus in a campaign believed to be carried out by the nation’s government. Marczak, says that the spyware’s civil rights abuse is a sign of what’s to come: “Civil society will increasingly find itself the target of this type of sophisticated surveillance unless the governments better regulate the spyware industry,” he said.

Overall, between August 2016 and August 2018, the research team detected 1,091 IP addresses and 1,014 domain names matching the behavior of the exploit link and command-and-control (C2) server associated with Pegasus.

To track various Pegasus operators, researchers at The Citizen Lab also developed a novel technique (dubbed Athena) to cluster matches of the spyware’s servers into 36 distinct Pegasus systems, each one which appears to be run by a separate operator.  Then, the team probed tens of thousands of ISP DNS caches around the world, assuming that infected devices would routinely look up the domain names for the operator’s servers using their ISP’s DNS servers.

“We designed and conducted a global DNS cache probing study on the matching domain names in order to identify in which countries each operator was spying,” researchers said. “Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.”

The 45 countries found harboring the spyware are: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen and Zambia.

Interestingly the research team found several infections in United States IP space – but the Pegasus customers were not linked to the United States, indicating cross-border compromise.

When The Citizen Lab presented their findings to NSO Group, the company released a statement:
“There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to operate is simply inaccurate. NSO does not operate in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries.”

However, The Citizen Lab researchers refuted those claims and stated, “The continued supply of services to countries with problematic human-rights track records and where highly publicized abuses of spyware have occurred raise serious doubts about the effectiveness of this internal mechanism, if it exists at all.”

Threatpost

You Might Also Read:

Iran Targets Kurds With Spyware:

Spyware Firms In Breach Of Export Sanctions:

 

« Has Demand For Cyber Security Skills Hit Crisis Point?
UK Gets Offensive: New Task Force To Deal With Russia & Terrorists »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Fredda Stanza

Fredda Stanza

Fredda Stanza specialize in Information Security and Forensics Consulting.

RSA Insurance Group

RSA Insurance Group

RSA is one of the world’s leading multinational quoted insurance groups. Commercial services include cyber risk insurance.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Nok Nok Labs

Nok Nok Labs

Nok Nok is a market leader in next generation authentication for cloud, mobile and IoT applications.

Romanian Association for Information Security Assurance (RAISA)

Romanian Association for Information Security Assurance (RAISA)

RAISA promotes and supports information security activities and creates a community for the exchange of knowledge between specialists, academic and corporate environment in Romania.

AllegisCyber Capital

AllegisCyber Capital

AllegisCyber is an investment company with a focus on seed and early stage investing in cybersecurity and its applications in emerging technology markets.

Monegasque Digital Security Agency (AMSN)

Monegasque Digital Security Agency (AMSN)

AMSN is the national authority in charge of the security of information systems in Monaco.

Armorblox

Armorblox

Armorblox stops targeted email attacks such as 0-day credential phishing, payroll fraud, vendor fraud, and other threats that get past legacy security controls.

C5 Capital

C5 Capital

C5 Capital is a specialist investment firm that exclusively invests in the secure data ecosystem including cybersecurity, cloud infrastructure, data analytics and space.

GroupSense

GroupSense

GroupSense helps governments and enterprises take control of digital risk with cyber reconnaissance, counterintelligence and monitoring for breached credentials.

KanREN

KanREN

KanREN is a member based consortium offering custom, world-class network services and support for researchers, educators, and public service institutions in the state of Kansas.

Fusion Risk Management

Fusion Risk Management

Fusion Risk Management focuses on operational resilience encompassing business continuity, risk management, IT risk, and crisis and incident management.

Minorities in Cybersecurity (MiC)

Minorities in Cybersecurity (MiC)

MiC was developed out of a unique passion to help fill the gap that exists in the support and development of women and minority leaders in the cybersecurity field.

Whitaker Brothers

Whitaker Brothers

Whitaker Brothers data destruction equipment can be found in 115 countries and every single continent in the world, from major military organizations to small offices.

FusionAuth

FusionAuth

FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome.

RunReveal

RunReveal

RunReveal's mission is to make sure no breach goes undetected. That means having a product that is accessible and effective for companies of all sizes.