Are you being watched? FinFisher government spy tool found hiding as WhatsApp and Skype
Legitimate downloads of popular software including WhatsApp, Skype and VLC Player have allegedly being hacked at an internet service provider (ISP) level to spread a highly-advanced form of surveillance software known as "FinFisher", cybersecurity researchers warn.
FinFisher is sold to global governments and intelligence agencies and can be used to snoop on webcam feeds, keystrokes, microphones and web browsing. Documents, previously published by WikiLeaks, indicate that one tool called "FinFly ISP" may be linked to cases.
The digital surveillance tools are peddled by an international firm called Gamma Group and have in the past been sold to repressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE).
In March this year, the company attended a security conference sponsored by the UK Home Office.
This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by "man in the middle" (MitM) attacks at an ISP level – replacing real downloads with spyware.
Companies being hit included WhatsApp, Skype, Avast, VLC Player and WinRAR, it said, adding that "virtually any application could be misused in this way."
When the victim of the surveillance went to download the software they would be silently redirected to a version infected with FinFisher, research found. When downloaded, the software would install as normal – but also come bundled with the surveillance tools.
The stealthy infection process was described as being "invisible to the naked eye."
The seven countries were not named by researchers for security reasons, they said. WhatsApp and VLC Player did not respond to request for comment by the time of publication.
A Microsoft spokesperson, referencing the suspected Skype infections, told IBTimes UK: "We're aware of the vendor blog and are evaluating claims."
An Avast spokesperson said: "Attackers will always focus on the most prominent targets.
"Wrapping official installers of legitimate apps with malware is not a new concept and we aren't surprised to see the PC apps mentioned in this report.
"What's new is that this seems to be happening at a higher level, like the internet service provider (ISP). We don't know if the ISPs are in cooperation with the malware distributors or whether the ISPs' infrastructure has been hijacked."
The latest version of FinFisher was spotted with new customised code which kept it from being discovered, what Eset described as "tactical improvements." Some tricks, they added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools.
"One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn't hard to implement from technical perspective," Filip Kafka, a malware researcher at Eset, told IBTimes UK.
"Since we see have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilised in the monitoring of citizens in the affected countries."
Breaking encryption has become a major talking point of governments around the world, many of which conduct bulk communications collection. Politicians argue, often without evidence, that software from companies such as WhatsApp has become a burden on terror probes.
"The geographical dispersion of Eset's detections of latest FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option," the team said.
One WikiLeaks file on FinFly ISP, as previously noted, touted its ability to conduct surveillance from an ISP level. The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software."
It added that it "can be installed on an Internet Service Provider ́s network" and listed one use case when it was previously deployed by an unnamed intelligence agency.
Eset found that all affected targets within one of the countries were using the same ISP.
"Unprecedented"
"The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now," the researchers said in their analysis.
"If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach," the team added.
It remains unknown who was behind the fresh hacking campaigns, but FinFisher is almost exclusively tailored to government, police or intelligence agency use.
"We cannot say for sure who is behind the campaign but the ISP re-direction could be a service ordered from FinFisher," Kafka said. This question should be addressed to FinFisher.
"We [have] very limited information on this, who specifically was targeted, but generally the targets were catered to what FinFisher is generally used for," he added.
Gamma Group did not immediately respond to a request for comment from IBTimes UK.
This is not the first time that the company, which has offices in Europe, has been linked to questionable business practices.
In 2013, technology firm Mozilla sent it a cease and desist letter after its software was caught posing as a version of its Firefox browser.
"We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma's customers to violate citizens' human rights and online privacy," it publicly complained in a blog post.
The same year, Reporters without Borders branded Gamma Group as one of the "Corporate Enemies of the Internet" in an annual report. The creepy and invasive spyware can also be spread and transmitted via more traditional means – phishing and spam emails, for example.
Back in 2011, it emerged that Gamma International, a UK subsidiary, was selling a malware Trojan disguised as an update for Apple's iTunes media player. Before being patched, the vulnerability had been exploited for approximately three years, found security journalist Brian Krebs.
FinFisher is sold to global governments and intelligence agencies and can be used to snoop on webcam feeds, keystrokes, microphones and web browsing. Documents, previously published by WikiLeaks, indicate that one tool called "FinFly ISP" may be linked to cases.
The digital surveillance tools are peddled by an international firm called Gamma Group and have in the past been sold to repressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE).
In March this year, the company attended a security conference sponsored by the UK Home Office.
This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by "man in the middle" (MitM) attacks at an ISP level – replacing real downloads with spyware.
Companies being hit included WhatsApp, Skype, Avast, VLC Player and WinRAR, it said, adding that "virtually any application could be misused in this way."
When the victim of the surveillance went to download the software they would be silently redirected to a version infected with FinFisher, research found. When downloaded, the software would install as normal – but also come bundled with the surveillance tools.
The stealthy infection process was described as being "invisible to the naked eye."
The seven countries were not named by researchers for security reasons, they said. WhatsApp and VLC Player did not respond to request for comment by the time of publication.
A Microsoft spokesperson, referencing the suspected Skype infections, told IBTimes UK: "We're aware of the vendor blog and are evaluating claims."
An Avast spokesperson said: "Attackers will always focus on the most prominent targets.
"Wrapping official installers of legitimate apps with malware is not a new concept and we aren't surprised to see the PC apps mentioned in this report.
"What's new is that this seems to be happening at a higher level, like the internet service provider (ISP). We don't know if the ISPs are in cooperation with the malware distributors or whether the ISPs' infrastructure has been hijacked."
The latest version of FinFisher was spotted with new customised code which kept it from being discovered, what Eset described as "tactical improvements." Some tricks, they added, were aimed at compromising end-to-end (E2E) encryption software and known privacy tools.
"One of the main implications of the discovery is that they decided to use the most effective infection method and that it actually isn't hard to implement from technical perspective," Filip Kafka, a malware researcher at Eset, told IBTimes UK.
"Since we see have seen more infections than in the past surveillance campaigns, it seems that FinFisher is now more widely utilised in the monitoring of citizens in the affected countries."
Breaking encryption has become a major talking point of governments around the world, many of which conduct bulk communications collection. Politicians argue, often without evidence, that software from companies such as WhatsApp has become a burden on terror probes.
"The geographical dispersion of Eset's detections of latest FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option," the team said.
One WikiLeaks file on FinFly ISP, as previously noted, touted its ability to conduct surveillance from an ISP level. The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software."
It added that it "can be installed on an Internet Service Provider ́s network" and listed one use case when it was previously deployed by an unnamed intelligence agency.
Eset found that all affected targets within one of the countries were using the same ISP.
"Unprecedented"
"The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now," the researchers said in their analysis.
"If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach," the team added.
It remains unknown who was behind the fresh hacking campaigns, but FinFisher is almost exclusively tailored to government, police or intelligence agency use.
"We cannot say for sure who is behind the campaign but the ISP re-direction could be a service ordered from FinFisher," Kafka said. This question should be addressed to FinFisher.
"We [have] very limited information on this, who specifically was targeted, but generally the targets were catered to what FinFisher is generally used for," he added.
Gamma Group did not immediately respond to a request for comment from IBTimes UK.
This is not the first time that the company, which has offices in Europe, has been linked to questionable business practices.
In 2013, technology firm Mozilla sent it a cease and desist letter after its software was caught posing as a version of its Firefox browser.
"We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma's customers to violate citizens' human rights and online privacy," it publicly complained in a blog post.
The same year, Reporters without Borders branded Gamma Group as one of the "Corporate Enemies of the Internet" in an annual report. The creepy and invasive spyware can also be spread and transmitted via more traditional means – phishing and spam emails, for example.
Back in 2011, it emerged that Gamma International, a UK subsidiary, was selling a malware Trojan disguised as an update for Apple's iTunes media player. Before being patched, the vulnerability had been exploited for approximately three years, found security journalist Brian Krebs.
Comments
Post a Comment