<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Nex</title>
        <description>The personal website of Claudio Guarnieri, alias Nex.
</description>
        <link>https://nex.sx</link>
        <atom:link href="https://nex.sx/feed.xml" rel="self" type="application/rss+xml" />
        
        <item>
            <title>Phishing and Malware Attacks against Activists in Uzbekistan</title>
            <description>&lt;p&gt;Today Amnesty Tech’s Security Lab is publishing a new short report about targeted malware and phishing attacks against activists and journalists in Uzbekistan:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/&quot;&gt;https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this report we detail some renewed tactics by a threat actor that we had been monitoring for a while. This actor appears to be based in Uzbekistan and targets primarily domestic activists and academics, as well as governmental and diplomatic figures from neighbouring countries. It is worth noting that &lt;a href=&quot;https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec&quot;&gt;Kaspersky already disclosed last year the existence of a threat actor labelled “SandCat”&lt;/a&gt; which they attribute to Uzbekistan’s State Security Service[1].&lt;/p&gt;

&lt;p&gt;Today we disclose some details and the accompanying technical indicators of attacks we’ve observed throughout 2019 consisting of phishing, as well as custom developed spyware for Windows and Android.&lt;/p&gt;

&lt;p&gt;Of particular interest is the fact that this campaign represents the first time we observed the use of “reverse proxies” in targeted phishing against activists and journalists. This technique, sometimes referred to as “session riding” or “session hijacking”, relies on the deployment of a malicious server that simply relays the requests between the targeted individual and the original service, such as Google. The attackers will then register a credible domain (in this case, for example, &lt;em&gt;mail-auth[.]online&lt;/em&gt;, &lt;em&gt;acccountsgoog1e[.]com&lt;/em&gt;, &lt;em&gt;account-mail[.]info&lt;/em&gt;, among others) and lure the target to visit the malicious server.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/blog/20200312/google.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This reverse proxy sits in the middle of the communication and monitors everything, and when the target has successfully authenticated with the Google service it is relaying, the attackers have automatically grabbed cookies and session keys that allow them to authenticate to the compromised account.&lt;/p&gt;

&lt;p&gt;This technique has been demonstrated before, and various open source security tools have made it available to the information security community. Attackers have adopted reverse proxies too because they are very effective: they do not require crafting any odd-looking HTML templates mimicking the original service, and they also allow bypassing most forms of two-factor authentication.&lt;/p&gt;

&lt;p&gt;Hardware security keys, such as &lt;a href=&quot;https://www.yubico.com/products/&quot;&gt;Yubikeys&lt;/a&gt; or &lt;a href=&quot;https://solokeys.com/&quot;&gt;Solo keys&lt;/a&gt;, are the only effective mitigation users can adopt against these forms of phishing attacks. Looking back at all the campaigns our team has investigated and responded to in the last year, there hasn’t been one which wasn’t equipped with the capability to bypass at least some forms of two-factor authentication. Because of this, we need to urge targeted communities to equip themselves with security keys, and demand that service providers which do not yet support them implement WebAuthn/U2F soon.&lt;/p&gt;
</description>
            <pubDate>Thu, 12 Mar 2020 00:00:00 +0100</pubDate>
            <link>https://nex.sx//blog/2020/03/12/phishing-malware-attacks-activists-uzbekistan.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2020/03/12/phishing-malware-attacks-activists-uzbekistan.html</guid>
        </item>
        
        <item>
            <title>What To Do For Users At Risk</title>
            <description>&lt;p&gt;If your company offers a product or a service with a sufficiently large user base, chances are you also have users at risk. Journalists, dissidents, and human rights defenders classify as regular consumers to the technology market, despite their peculiar needs. Security firms, software vendors and social media companies, or other service providers, interested in paying particular care to those users might face challenges. Paying attention to their needs, however, is already a great first step, even more so considering they most likely constitute a very small percentage of the whole. Kudos.&lt;/p&gt;

&lt;p&gt;From the occasional conversations I have had with such companies, and from cases I experienced over the years, I decided to offer here some initial thoughts on how to think about security for users at risk. However, this is a complex topic that should be unpacked according to the characteristics of your product. This is a starting point.&lt;/p&gt;

&lt;h2 id=&quot;product-design-makes-a-difference-negative-or-positive&quot;&gt;Product design makes a difference, negative or positive&lt;/h2&gt;

&lt;p&gt;I believe design to be an integral part of digital security, particularly in this context. While in the enterprise sector security professionals are tasked with protecting the company’s infrastructure and employees, individuals at risk are on their own. They carry a heavier burden on their own shoulders, and a lot of their security education, self-taught or trained, relies on being on the lookout for anomalies in their daily use of products and services. Be it in the webmail or the document processor they use, users count on visual clues of unusual behavior. As a matter of fact, the majority of campaigns of targeted attacks we discover originate from the suspicions of a “patient zero”.&lt;/p&gt;

&lt;p&gt;Users’ suspicion tends to be provoked by disparate factors. Often the most misguided originates from news coverage of a prominent hack. I have lost count of the number of people who contacted us alarmed by missed WhatsApp calls, after the infamous NSO Group exploit from April 2019. The more savvy will instead be trained to look for a “green tick”, a “green padlock”, a “domain in the browser’s address bar”, an “Enable this content” button in Microsoft Office, and countless other clues. Users will also identify their own visual elements and develop patterns, for example: how email notifications are worded by Internet companies, or how login pages typically look.&lt;/p&gt;

&lt;p&gt;Some of these visual clues become obsolete (a great example is the “green padlock” now, with the popularity of Cloudflare and Let’s Encrypt among phishing sites), while others are occasionally changed by developers. Because of this, I am reluctant to recommend them in trainings, but I know they are relied upon. When you develop a platform, every little detail counts.&lt;/p&gt;

&lt;p&gt;When you introduce a new action, try to make it as explicit as possible, and use it as an opportunity to reinforce safe behavior. An example: you need to send an email notification to the user, soliciting some action. Under the glossy HTML button, offer in text the explicit destination they can manually reach. Structure your site so that critical links you expect users to often be directed to are concise and memorable, such as “account.service.com/security”, or “security.service.com”, not “https://account-management.customers-portal.service.com/internal/users/qwertyuiop/review.php?id=1234589&amp;amp;z=asdfghjkl&amp;amp;q=zxcvbnm#0987654321”. In this way you offer an alternative to blindly clicking buttons, and you add a visual clue users can spontaneously identify.&lt;/p&gt;

&lt;p&gt;At the point you roll out a design change, however small it might be, you should be committed to it. You might conclude, for example, that the “green tick” you added a while ago to authenticate an identity wasn’t that useful after all. However, its sudden removal might provoke unwarranted suspicion or, worse, a false reassurance with catastrophic effect for a user at risk. Be conscious of the potential negative effects of your design choices.&lt;/p&gt;

&lt;p&gt;Occasionally I notice design changes quietly appear in the services I use. Sometimes new visual elements appear that might prove useful to enhance users’ safety, but they seem to be taken for granted and their meaning is not explained. Security education resources are invaluable, and most platform providers offer some, but you need to keep in mind that users do not spontaneously, let alone regularly, visit them. Try to embed as much education as possible directly within your product’s interface, and direct people to your long-form guides. Highlight and promote the positive effects of your design choices.&lt;/p&gt;

&lt;h2 id=&quot;prevention-is-not-enough-information-is-key&quot;&gt;Prevention is not enough, information is key&lt;/h2&gt;

&lt;p&gt;Besides the obvious technical and structural differences, one fundamental aspect separates enterprise security from consumer security products: for the former, security products and services tend to be designed to provide (or simplify collecting) as much contextual information as possible about an attack, the attacker, and its motivations, in order to help prioritize incidents to respond to; for the latter instead, products and services are usually designed to block or prevent attacks with as little involvement of the end user as possible.&lt;/p&gt;

&lt;p&gt;This design choice quickly becomes inadequate for individuals at risk, such as journalists, dissidents or activists, who are indeed consumers but who face threats comparable to those faced by enterprises. This asymmetry creates a tension which vendors should creatively address by re-adapting principles typical of corporate security to this new context.&lt;/p&gt;

&lt;p&gt;Above all, I believe, information is key. Under the assumption that the broader consumer base faces threats that are untargeted and probably financially motivated, providing details of a common attack might be unnecessary. At-risk individuals instead deal with personalized attacks that come with deeper personal implications. Being alerted that a state-sponsored group is attempting to compromise their devices and online accounts could be an early warning of increased scrutiny and pressure. In my experience, in fact, cyber attacks tend to anticipate or complement other forms of repression.&lt;/p&gt;

&lt;p&gt;With these considerations in mind, a malicious email being silently moved to the “Spam” folder, a malware infection getting quietly quarantined, or an account login being blocked might remove crucial opportunities for re-calculating personal risk.&lt;/p&gt;

&lt;p&gt;Some of the big tech companies, such as Google, Facebook, Yahoo, and Microsoft, started warning their end-users of state-sponsored attacks they might have suffered. This is an important first step, which more companies should embrace. Yet, there is always room for improvement: these warnings tend to be context-free and offer little advice. Instead, aim to share enough details on the type of attack detected, its timeframe, and appropriate mitigations and resources for support (more on this later). I understand that sharing the suspected origin of an attack isn’t easy, but I would suggest offering some clarifying elements in case there’s a good chance that the targets would, on their own, come to the wrong conclusions (for example: in cases where you have clear evidence that suggests the attacker is not domestic, but a foreign actor).&lt;/p&gt;

&lt;h2 id=&quot;what-to-do-when-you-identify-targeted-individuals-at-risk&quot;&gt;What to do when you identify targeted individuals at risk&lt;/h2&gt;

&lt;p&gt;Occasionally threat intelligence companies stumble upon campaigns of targeted attacks extending beyond the corporate space and into civil society. As it goes with such investigations, researchers at times discover the identity of individual targets, usually because the attackers committed some mistakes and left operational details exposed. Obtaining such deep visibility into the activities of state-sponsored threat actors can be precious. When those targeted are individuals or groups at risk, I believe researchers need to carefully consider how to act responsibly.&lt;/p&gt;

&lt;p&gt;First things first: don’t withhold that information, it could be critical to inform targets. Secondly: don’t just directly publish their identities, especially if they are individuals or small groups. At the very least, you need to obtain their consent. Such disclosures might force their adversaries’ hands and accelerate existing pressures. While you might feel you have a clear understanding of a campaign you discovered and the capabilities of the adversary, you most likely can’t say the same for the targets’ circumstances. You need to exercise more care than you normally would even in the corporate space.&lt;/p&gt;

&lt;p&gt;I have seen security companies address this issue by disclosing the targets’ identities to journalists (while securing coverage for their own research) and essentially dropping the ball. This might not be the right approach either. I must say that, hoping my journalist friends will not resent me, reporters are not best equipped to deal with at-risk individuals under these circumstances. They will most likely establish contact with those affected, inform them about the company’s discoveries, and seek to collect a testimony for their own articles. Nothing wrong with that. However, someone who is already on the lookout because of their exposure will be alarmed by the news and will need support. It might be technical support, but also legal, logistical or psychological. For example: because of the risk we calculated with targeted individuals we identified during cases we worked on at Amnesty, we determined it necessary to provide legal counsel, or resources to install security cameras, or even to plan to evacuate a person from their country. Cyber attacks do not happen in a vacuum for human rights defenders, and support needs to be holistic.&lt;/p&gt;

&lt;p&gt;Therefore, I recommend reaching out to organizations known to provide support to the targeted community, such as Amnesty International, Frontline Defenders, or the Committee to Protect Journalists, explaining the circumstances and seeking their collaboration (and I underline “collaboration” here, because they’re not your clearing house either) in making sure the situation is addressed appropriately and any potential damage is mitigated. Some might be more connected than others in certain communities or geographical regions, in which case you will likely be pointed to more appropriate partners.&lt;/p&gt;
</description>
            <pubDate>Sun, 05 Jan 2020 00:00:00 +0100</pubDate>
            <link>https://nex.sx//blog/2020/01/05/what-to-do-for-users-at-risk.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2020/01/05/what-to-do-for-users-at-risk.html</guid>
        </item>
        
        <item>
            <title>The Year of the Phish</title>
            <description>&lt;p&gt;Throughout 2019 we have seen phishing tactics evolve and mutate. We have seen a resurgence of &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/&quot;&gt;traditional forms&lt;/a&gt; as well as &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/&quot;&gt;new variations&lt;/a&gt; of OAuth Phishing; we have seen bypasses of two-factor authentication &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/&quot;&gt;becoming mainstream&lt;/a&gt;; and we have finally come across a campaign of targeted phishing attacks against human rights defenders using &lt;a href=&quot;https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/&quot;&gt;reverse proxies&lt;/a&gt; and session hijacking, which we will disclose in an upcoming report. As the end of the year approaches, security vendors release statistics and analyses from the data they have collected over 2019, with the likes of Google and Microsot also having seen phishing making a come back. A few days ago Microsoft’s Office 365 Threat Research Team published a blog post titled &lt;a href=&quot;https://www.microsoft.com/security/blog/2019/12/11/the-quiet-evolution-of-phishing/&quot;&gt;&lt;em&gt;“The quiet evolution of phishing”&lt;/em&gt;&lt;/a&gt;, where they detail the more innovative techniques adopted by phishers in 2019. While the tricks Microsoft identified do not align with those we observed throughout Amnesty’s work in the last year, we seem to arrive to some of the same conclusions:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;“In 2019, we saw phishing attacks reach new levels of creativity and sophistication.”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Microsoft also launched an &lt;a href=&quot;https://www.microsoft.com/securityinsights/&quot;&gt;interactive site&lt;/a&gt; complementing their annual Security Intelligence Report, where you can visualize Redmond’s visibility into attacks from the previous 12 months. I recommend taking a look. I enjoy analyzing these statistics to identify patterns and verify discrepancies or similarities to my own observations. According to their data, Microsoft saw a &lt;a href=&quot;https://www.microsoft.com/securityinsights/Malware&quot;&gt;decrease in malware encounters&lt;/a&gt; on Windows computers since 2018, which they attribute to the &lt;em&gt;“growth in adoption of Windows 10, and increased use of Windows Defender for protection”&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/blog/20191215/microsoft.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;On the other hand, they document an ever &lt;a href=&quot;https://www.microsoft.com/securityinsights/DDoS&quot;&gt;growing popularity of DDoS attacks&lt;/a&gt;, as well as an &lt;a href=&quot;https://www.microsoft.com/securityinsights/Phishing&quot;&gt;increase in phishing email detections&lt;/a&gt;, which peaked at around 0.85% of all emails Microsoft analyzed in July 2019.&lt;/p&gt;

&lt;p&gt;Similarly, according to telemetry from &lt;a href=&quot;https://transparencyreport.google.com/safe-browsing/overview&quot;&gt;Google Safe Browsing’s Transparency Report&lt;/a&gt;, malware sites have rapidly become a rare occurrence while phishing sites have skyrocketed.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/blog/20191215/safebrowsing.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I do not know how to best interpret these graphs, but they seem indicative of a radical change occurring over the last two years. Browsers have certainly made leaps when it comes to security, and perhaps changes over the last couple of years have rendered malware delivery unfeasible. Phishing, instead, is either much more effectively detected or on a worrying rise. Are DDoS and phishing becoming the tactics of choice in response to a greater difficulty in infecting devices? Is malware becoming economically disadvantageous? Or simply the vectors have changed? I am interested to hear your take on what these statistics might tell us.&lt;/p&gt;

&lt;p&gt;Because phishing is such a dominant threat for the targeted groups I normally work with, I have been working over the last few years on a number of tools and services to mitigate and respond to such attacks. While I will hopefully share more details about some of those in the future, &lt;strong&gt;I decided to release now a 25GB archive of data on the latest 100’000 phishing sites one of my systems processed.&lt;/strong&gt; This archive contains a SQLite database with a list of original URLs retrieved from various feeds (such as &lt;a href=&quot;https://openphish.com/&quot;&gt;OpenPhish&lt;/a&gt;, &lt;a href=&quot;https://www.phishtank.com/&quot;&gt;PhishTank&lt;/a&gt;, &lt;a href=&quot;https://phishstats.info/&quot;&gt;PhishStats&lt;/a&gt; and others), the final URL each eventually redirected to, as well as the DOM HTML and a screenshot of the page.&lt;/p&gt;

&lt;p&gt;You can download it using this Torrent magnet link:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;magnet:?xt=urn:btih:28f02613928c2666f7a8f70be4079c1084012cbb&amp;amp;dn=phishing.zip&amp;amp;tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;If you are a security trainer looking for a large collection of phishing screenshots to use in educational material, or if you are an academic studying phishing, or a security analyst looking to test your organization’s defenses, you might find this dataset useful. If you do, please let me know, as I am interested to learn of any derived insight or clever use.&lt;/p&gt;
</description>
            <pubDate>Sun, 15 Dec 2019 00:00:00 +0100</pubDate>
            <link>https://nex.sx//blog/2019/12/15/the-year-of-the-phish.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/12/15/the-year-of-the-phish.html</guid>
        </item>
        
        <item>
            <title>iVerify App Launched To Provide Security Oversight and Recommendations to iPhone Users</title>
            <description>&lt;p&gt;2019 was a brutal year for mobile security already&lt;sup id=&quot;a1&quot;&gt;&lt;a href=&quot;#f1&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;, and hopefully no more surprises linger around the corner in the remaining weeks of this year. I recognize now this topic dominated even this same newsletter and, in the best tradition of my ranty content, it featured mostly my own frustrations.&lt;/p&gt;

&lt;p&gt;This week US security firm Trail of Bits released iVerify&lt;sup id=&quot;a2&quot;&gt;&lt;a href=&quot;#f2&quot;&gt;2&lt;/a&gt;&lt;/sup&gt;, a tool to verify the integrity of an iPhone and harden it by guiding users through various configuration steps.&lt;/p&gt;

&lt;p&gt;The app costs about 6 euros, and if you can afford it you might find it worth trying out. I am enjoying it. Regardless, its release provides me with a good opportunity to discuss some of its functionality and security recommendations for iPhone users, and explain their rationale.&lt;/p&gt;

&lt;p&gt;iVerify leverages Trail of Bits’ commercial “iverify-core” library, normally sold to app developers interested in checking whether the phone is jailbroken or not. Banking apps, for example, often leverage such frameworks in order to prevent execution on potentially compromised devices. While the fine folks at Trail of Bits are widely respected experts in the field of cyber security, I cannot attest to the comprehensiveness of its detection engine without some longer experimentation in the field. It is quite possible iVerify won’t catch the likes of NSO Group in all circumstances, but any clue of a potential compromise helps. Therefore, while you should not blindly trust a green tick labelling your phone as “Secure”, &lt;strong&gt;any warning message might be a good reason to worry&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;What I found more interesting to discuss instead are the configuration options iVerify suggests in a collection of short step-by-step guides. There are many of them, some about privacy or device theft, and some about iOS security. I am going to concentrate on the latter.&lt;/p&gt;

&lt;h2 id=&quot;limit-software-exploits&quot;&gt;Limit Software Exploits&lt;/h2&gt;

&lt;p&gt;The recommendations in this category are aimed at offering the best available configuration for your iPhone to reduce as much as possible the attack surface.&lt;/p&gt;

&lt;h3 id=&quot;1-enable-automatic-updates&quot;&gt;1. Enable Automatic Updates&lt;/h3&gt;
&lt;p&gt;This might seem the most obvious, but falling behind on iOS releases can happen. Staying up-to-date with the latest software updates immediately turns you into a slightly harder target to attack. &lt;strong&gt;Make sure to have Automatic Updates enabled.&lt;/strong&gt;&lt;/p&gt;

&lt;h3 id=&quot;2-disable-airdrop--bluetooth--personal-hotspot&quot;&gt;2. Disable AirDrop / Bluetooth / Personal Hotspot&lt;/h3&gt;
&lt;p&gt;With the aim of reducing my own attack surface, I tend to never use services such as AirDrop. Trail of Bits suggests disabling AirDrop too, particularly in light of past vulnerabilities&lt;sup id=&quot;a3&quot;&gt;&lt;a href=&quot;#f3&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;. Similarly, Bluetooth and Personal Hotspot are proximity network services that might offer potential entry points for attackers in the vicinity, if the exposed network stacks contain vulnerabilities.&lt;/p&gt;

&lt;h3 id=&quot;3-disable-javascript-in-safari&quot;&gt;3. Disable JavaScript in Safari&lt;/h3&gt;
&lt;p&gt;Attacks that leverage exploits in the browser have reduced significantly on desktops in recent years, but appear again and again in targeted attacks on mobile&lt;sup id=&quot;a4&quot;&gt;&lt;a href=&quot;#f4&quot;&gt;4&lt;/a&gt;&lt;/sup&gt;. They most commonly manifest through malicious links sent via SMS or instant messengers or, as my team at Amnesty documented in a recent report, through network injection attacks hijacking insecure website visits&lt;sup id=&quot;a5&quot;&gt;&lt;a href=&quot;#f5&quot;&gt;5&lt;/a&gt;&lt;/sup&gt;. In order to instrument and deliver the exploit, JavaScript is almost always involved. Interestingly, Safari allows disabling JavaScript entirely, which should drastically reduce the ability of browser exploits to function correctly.&lt;/p&gt;

&lt;p&gt;I have been experimenting for a while with this configuration myself, and I can confirm it breaks most of the websites I end up visiting. You could decide to disable JavaScript in Safari and use it to visit unsolicited or suspicious links, and have a dedicated separate browser (such as Chrome or Firefox) for your own browsing. However, this requires some diligence on your part, and it sacrifices some additional mitigations we’ll discuss later. If the security of your smartphone concerns you particularly, perhaps you might want to consider accepting some sloppy JavaScript-free browsing.&lt;/p&gt;

&lt;h3 id=&quot;4-upgrade-to-a12-cpu-or-higher&quot;&gt;4. Upgrade to A12 CPU or higher&lt;/h3&gt;
&lt;p&gt;As iVerify rightfully points out, newer iPhone generations come with some important exploit mitigations. Above all Pointer Authentication Codes (PAC), which are only available from the iPhone X series. In the previous newsletter I already addressed&lt;sup id=&quot;a6&quot;&gt;&lt;a href=&quot;#f6&quot;&gt;6&lt;/a&gt;&lt;/sup&gt; my concerns around the problematic unavailability of decently secure mobile devices in the lower/mid price range. Mitigations such as PAC, and the ones to come in the future, can make a significant difference, but if you want to take advantage of this improvement you need the financial resources to make a pricey upgrade.&lt;/p&gt;

&lt;h3 id=&quot;5-periodically-reboot-your-device&quot;&gt;5. Periodically reboot your device&lt;/h3&gt;
&lt;p&gt;Security measures in iOS increase the difficulty for attackers to maintain persistence on a compromised iPhone, even after a successful exploitation. Rumors I heard, and recent reports&lt;sup id=&quot;a7&quot;&gt;&lt;a href=&quot;#f7&quot;&gt;7&lt;/a&gt;&lt;/sup&gt;, suggest that some threat groups are turning to opportunistic smash-and-grab attacks precisely to avoid dealing with obtaining a permanent installation of their malware. Periodically rebooting your device can help clean up leftovers and perhaps disable an existing infection that is not able to survive it.&lt;/p&gt;

&lt;h2 id=&quot;review-for-signs-of-compromise&quot;&gt;Review for signs of compromise&lt;/h2&gt;

&lt;p&gt;Recommendations in this section are rather basic, but unfortunately they are about as much as is possible for a user. I discussed the difficulty of inspecting mobile devices for signs of a compromise in a previous newsletter.&lt;/p&gt;

&lt;h3 id=&quot;8-remove-unknown-devices-from-icloud&quot;&gt;8. Remove unknown devices from iCloud&lt;/h3&gt;
&lt;p&gt;You might have some older devices you no longer use connected to your iCloud account, or you might find devices you do not recognize at all. If your iCloud account was compromised, perhaps through phishing, attackers might connect a separate device to it in order to synchronize data and files you create. Removing&lt;sup id=&quot;a8&quot;&gt;&lt;a href=&quot;#f8&quot;&gt;8&lt;/a&gt;&lt;/sup&gt; your own unused devices from your account is also a good practice to exercise.&lt;/p&gt;

&lt;h3 id=&quot;9-look-for-suspicious-apple-profiles&quot;&gt;9. Look for suspicious Apple Profiles&lt;/h3&gt;
&lt;p&gt;In order to manage fleets of phones, enterprises often deploy Mobile Device Management (MDM) platforms. Through MDM, administrators are able to, among other things, monitor the location of the enrolled phones, enforce specific configurations, or install apps. Some threat groups have been found using social engineering to enroll targeted phones with malicious MDM servers under their control and use them, for example, to deploy malicious apps&lt;sup id=&quot;a9&quot;&gt;&lt;a href=&quot;#f9&quot;&gt;9&lt;/a&gt;&lt;/sup&gt;. If an iPhone is enrolled with an MDM server, a profile should appear in the Settings. Checking those profiles, as suggested by iVerify, might reveal some you don’t recognize, which you are then able to remove.&lt;/p&gt;

&lt;h2 id=&quot;network-security&quot;&gt;Network security&lt;/h2&gt;

&lt;p&gt;The Network Security section only provides one recommendation to enable a particularly interesting feature iVerify has.&lt;/p&gt;

&lt;h3 id=&quot;10-safari-content-blocker&quot;&gt;10. Safari Content Blocker&lt;/h3&gt;
&lt;p&gt;Safari allows developers to create Content Blocker extensions. Apps such as AdGuard leverage this to block advertisement networks and other unwanted web resources. iVerify uses this too, but to automatically redirect unencrypted HTTP visits to HTTPS, if supported by the website. If it isn’t, iVerify’s Content Blocker will stop the insecure request and display a warning. You can test this by visiting www.neverssl.com with Safari.&lt;/p&gt;

&lt;p&gt;While the general intent is to prevent accidental data leakage, especially over insecure networks (such as open Wi-Fis), this feature will also help mitigate network injection attacks such as those described in Amnesty’s “Morocco: Human Rights Defenders Targeted with NSO Group’s Spyware”&lt;sup id=&quot;a5&quot;&gt;&lt;a href=&quot;#f5&quot;&gt;5&lt;/a&gt;&lt;/sup&gt; report. Network injection allows attackers to programmatically hijack insecure HTTP connections to any website and redirect the target to an exploitation server which will attempt to compromise the iPhone through, for example, vulnerabilities in the Safari browser.&lt;/p&gt;

&lt;p&gt;By blocking visits to HTTP sites, iVerify &lt;em&gt;should&lt;/em&gt; (I’m using caution here, because I have not actually tested this yet) help you prevent these attacks, so long as you use Safari for all your web browsing. Content Blockers have no effect over other browsers you might have installed, such as Firefox or Chrome.&lt;/p&gt;

&lt;p&gt;&lt;span id=&quot;f1&quot;&gt;&lt;/span&gt;1: &lt;a href=&quot;https://www.vice.com/en_us/article/bjwne5/malicious-websites-hacked-iphones-for-years&quot;&gt;https://www.vice.com/en_us/article/bjwne5/malicious-websites-hacked-iphones-for-years&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f2&quot;&gt;&lt;/span&gt;2: &lt;a href=&quot;https://blog.trailofbits.com/2019/11/14/introducing-iverify-the-security-toolkit-for-iphone-users/&quot;&gt;https://blog.trailofbits.com/2019/11/14/introducing-iverify-the-security-toolkit-for-iphone-users/&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f3&quot;&gt;&lt;/span&gt;3: &lt;a href=&quot;https://www.zdnet.com/article/apple-airdrop-flaw-leaves-users-vulnerable-to-exploit/&quot;&gt;https://www.zdnet.com/article/apple-airdrop-flaw-leaves-users-vulnerable-to-exploit/&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f4&quot;&gt;&lt;/span&gt;4: &lt;a href=&quot;https://arstechnica.com/information-technology/2019/09/webkit-zeroday-exploit-besieges-mac-and-ios-users-with-malvertising-redirects/&quot;&gt;https://arstechnica.com/information-technology/2019/09/webkit-zeroday-exploit-besieges-mac-and-ios-users-with-malvertising-redirects/&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f5&quot;&gt;&lt;/span&gt;5: &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/&quot;&gt;https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f6&quot;&gt;&lt;/span&gt;6: &lt;a href=&quot;https://nex.sx/blog/2019/11/11/the-economic-inequality-of-mobile-security.html&quot;&gt;https://nex.sx/blog/2019/11/11/the-economic-inequality-of-mobile-security.html&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f7&quot;&gt;&lt;/span&gt;7: &lt;a href=&quot;https://blog.malwarebytes.com/mac/2019/08/unprecedented-new-iphone-malware-discovered/&quot;&gt;https://blog.malwarebytes.com/mac/2019/08/unprecedented-new-iphone-malware-discovered/&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f8&quot;&gt;&lt;/span&gt;8: &lt;a href=&quot;https://support.apple.com/en-us/HT205064&quot;&gt;https://support.apple.com/en-us/HT205064&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f9&quot;&gt;&lt;/span&gt;9: &lt;a href=&quot;https://blog.talosintelligence.com/2018/09/ios-mdm-hide-the-app.html&quot;&gt;https://blog.talosintelligence.com/2018/09/ios-mdm-hide-the-app.html&lt;/a&gt;&lt;/p&gt;
</description>
            <pubDate>Sun, 17 Nov 2019 00:00:00 +0100</pubDate>
            <link>https://nex.sx//blog/2019/11/17/iverify-app-launched-provide-security-oversight-to-iphone-users.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/11/17/iverify-app-launched-provide-security-oversight-to-iphone-users.html</guid>
        </item>
        
        <item>
            <title>The Economic Inequality of Mobile Security</title>
            <description>&lt;p&gt;If talking about digital security and best practices wasn’t hard enough already, it is a few notches harder talking about mobile security. With smartphones increasingly becoming the platform of choice for most people to communicate and work over the Internet, journalists, activists, and human rights defenders embraced them too. Especially in certain regions where DSL lines, and laptops, are not available or are unaffordable. With this change, security concerns of individuals at risk have shifted as well over the years.&lt;/p&gt;

&lt;p&gt;However, recommendations coming from the cyber security community tend to come across as confusing and conflicting. This is partly because the mobile world is in constant evolution, and partly because recommendations explode in reaction to the latest news of attacks and exploitation in the wild, of which 2019 had no shortage. While for those working in tech the moment the latest iOS or WhatsApp hack hits the news is an opportunity for Twitter banter, targeted communities instead enter panic mode and look for immediate guidance. Unfortunately, the news tends to outpace the ability of those on the receiving end of such recommendations to change their behavior over and over.&lt;/p&gt;

&lt;p&gt;To give a banal example: is Android or iPhone more secure? The eternal question. Activists hear and rely on the perceived consensus from cyber security experts, above all the more vocal ones on social media and in the press. I can assure you that the observable commentary seeds confusion.&lt;/p&gt;

&lt;p&gt;To some degree this is inevitable because, as said, digital security always mutates, and because, when recommending best practices, capturing the nuances takes experience. At the same time, folks just want to hear an answer, not more questions.&lt;/p&gt;

&lt;p&gt;Wherever the needle points at the moment, whether to Apple or Google, today the answer generally boils down to digging into the wallet for serious money to spend on a new phone. And this is the essence of the problem I want to address here.&lt;/p&gt;

&lt;p&gt;Apple, which has long enjoyed cyber security experts’ blessing, regularly releases new price-record-breaking models. Today, with a fresh iPhone 11, you are looking at parting with at least 850 euros, give or take. A decent configuration carries you over the 1000 euros in no time. Google has been catching up in recent years with their Pixel line, now hitting the 4th generation, also sporting an 800 euros base price tag. Neither of them offers any mid-range model.&lt;/p&gt;

&lt;p&gt;Almost every new iPhone or Pixel generation comes with important new exploit mitigations or security improvements, increasingly dependent on the hardware and the chipset. They are not what dictates the exorbitant prices though. You could instead attribute that to capitalism, shining through the lenses of brand new Triple Cameras or a Super Retina XDR display with a gazillion colors. Gadgetry is what sells.&lt;/p&gt;

&lt;p&gt;Mobile security has become a luxury for the rich, because smartphones were turned into luxury items, while at the same time having become necessary survival accessories for daily life. What a great hack. And while this is a larger consumerism problem for society, it grows into an unbearable barrier for those in need of affordable, modern and secure devices.&lt;/p&gt;

&lt;p&gt;Indeed there is a mid-range market of third-party Android phone manufacturers, but those have traditionally been disappointing from a privacy and security perspective. They often come with intrusive additional software, and lag light years behind Android patches. And although Android One devices might now be better options, they are still not comparable to their higher-end cousins.&lt;/p&gt;

&lt;p&gt;I don’t doubt many would happily renounce the Triple Cameras for a modern and secure mid-range phone, but I am equally sure the economic incentives are not there for companies like Google and Apple to even consider producing it. Older models still receiving software updates are not the answer either, as they still lack important hardware hardening. &lt;a href=&quot;https://github.com/ssd-secure-disclosure/typhooncon2019/blob/master/Siguza%20-%20Mitigations.pdf&quot;&gt;This presentation&lt;/a&gt; breaks down very well the progression of exploit mitigations (such as PAC, PPL, etc.) over recent generations of iPhones.&lt;/p&gt;

&lt;p&gt;And while some would like you to think that cyber security is primarily a concern for the rich, because “they have the most to lose” (LOL), the real sorry state of the existing mobile ecosystem is that it disadvantages consumers from the lower class and from developing countries, who are the same who would most benefit from the latest security features we all like to geek on. Privacy and security might as well be trumpeted as these corporations’ core values (LOL), but really they don’t matter much if they are made unaffordable.&lt;/p&gt;
</description>
            <pubDate>Mon, 11 Nov 2019 00:00:00 +0100</pubDate>
            <link>https://nex.sx//blog/2019/11/11/the-economic-inequality-of-mobile-security.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/11/11/the-economic-inequality-of-mobile-security.html</guid>
        </item>
        
        <item>
            <title>Moroccan Human Rights Defenders Targeted with NSO Group's Spyware</title>
            <description>&lt;p&gt;At this point, this is almost not surprising. Pegasus, the spyware product from the infamous Israeli company NSO Group, has by now been found used against human rights defenders (including a colleague of mine at Amnesty), journalists and dissidents from UAE, Mexico, Saudi Arabia, and now Morocco, as we tell in our latest report:&lt;/p&gt;

&lt;p&gt;English: &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware&quot;&gt;https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware&lt;/a&gt;&lt;br /&gt;
French: &lt;a href=&quot;https://www.amnesty.org/fr/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware&quot;&gt;https://www.amnesty.org/fr/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware&lt;/a&gt;&lt;br /&gt;
Arabic: &lt;a href=&quot;https://www.amnesty.org/ar/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware&quot;&gt;https://www.amnesty.org/ar/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It seems to me that NSO Group is racking up maybe even more documented cases of abuse of their products than other companies, such as FinFisher or HackingTeam, did in the past. Although companies’ conduct and lack of due diligence contribute to this worrying trend, it is rather symptomatic of the ecosystem of industrialized government hacking which has been flourishing in recent years.&lt;/p&gt;

&lt;p&gt;In this latest report we detail how Maati Monjib and Abdessadak El Bouchattaoui, respectively a prominent activist and academic and a well-known human rights lawyer, have been targeted using NSO Group’s Pegasus spyware from 2017 onwards. In both cases we collected several malicious SMS messages carrying links to known NSO infrastructure.&lt;/p&gt;

&lt;h2 id=&quot;social-engineering-is-a-craft&quot;&gt;Social Engineering is a Craft&lt;/h2&gt;

&lt;p&gt;Similarly to previous cases, the messages attempt to lure victims through social engineering. At times the messages are political. For example, one message sent to Maati translates as follows:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;“Jerusalem will remain the capital of Palestine! Save the holy city by signing this petition: [exploit link]”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;More often, messages are designed to appear just like any other spam SMS victims might be used to receiving. For example, the following text pretends to be a special offer from a large gym chain in Morocco:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;“BlackFriday continues exceptionally today at CityClub! Last chance to get 15 months of fitness at 1633!&lt;br /&gt;
Tomorrow it will be too late&lt;br /&gt;
STOPSMS: [exploit link]”&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Interestingly, on multiple occasions the attackers sent the same text repeatedly to purposefully simulate spam, irritate targets and, as shown above, offer the malicious link as an option to stop receiving such SMS messages. Nice trick.&lt;/p&gt;

&lt;p&gt;Finding SMS messages such as these is a rare opportunity. Researchers seem to have so far only gathered evidence of such messages sent until about a year ago. It is possible NSO Group has since shifted tactics, realized SMS messages are too noisy and leave too many traces, and instead invested in alternative attack vectors. Without knowing precisely what or how many 0day vulnerabilities NSO can rely on, determining a pattern of tactics is hard. For example, in 2019 NSO customers might have made extensive use of particular exploits (for example for WhatsApp or iMessage) as they became available. However, in 2020 the attack surface and the available capabilities might already look very different.&lt;/p&gt;

&lt;p&gt;Through the course of this investigation, we found evidence that might indeed suggest NSO Group has some more cards up its sleeve.&lt;/p&gt;

&lt;h2 id=&quot;network-injection-attacks&quot;&gt;Network Injection Attacks&lt;/h2&gt;

&lt;p&gt;While analyzing Monjib’s phone, we noticed a few suspicious web visits in his Safari browsing history that originated from clear-text initial connections to, for example, &lt;code class=&quot;highlighter-rouge&quot;&gt;http://yahoo.fr&lt;/code&gt; and in less than 3ms redirected to URLs like this:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;highlighter-rouge&quot;&gt;hxxps://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;(Note: the URL is edited with hxxps:// and [.] to avoid accidental clicks.)&lt;/p&gt;

&lt;p&gt;On one occasion, a few seconds after this visit, a suspicious process spawned and all the folders containing app crash logs appear to have been wiped. Crash logs (which you can view directly from the phone by navigating to Settings &amp;gt; Privacy &amp;gt; Analytics &amp;gt; Analytics Data) contain details about application crashes, and in the case of exploitation would prove useful to identify the abused vulnerability. An attacker would definitely have an interest in making sure such logs wouldn’t be available to security researchers or to Apple, in order to prevent the bug from being patched. These logs are normally stored indefinitely unless the iPhone is &lt;em&gt;synced&lt;/em&gt; with iTunes, and we believe that the deletion from Monjib’s phone right after what appears to be a malicious web redirect is evidence of what might be a &lt;strong&gt;network injection attack&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;What exactly happened?&lt;/p&gt;

&lt;p&gt;If our theory is correct, Monjib tried to visit &lt;code class=&quot;highlighter-rouge&quot;&gt;yahoo.fr&lt;/code&gt; in order to access his mailbox from the phone, but his Internet connection was being monitored and automatically hijacked whenever he would visit an unencrypted web page (in this case &lt;code class=&quot;highlighter-rouge&quot;&gt;http://yahoo.fr&lt;/code&gt;, but it could be any website without TLS) in order to inject a redirect and force Monjib’s Safari to visit an exploitation server. If successful, the exploitation server would leverage a vulnerability in Safari and ultimately install the spyware.&lt;/p&gt;

&lt;p&gt;The exploitation process would be the same as with malicious links sent via SMS, but through these automatic network redirects the attackers do not have to rely on successfully luring the victim into clicking on the links: the redirect happens programmatically.&lt;/p&gt;

&lt;p&gt;Therefore, this attack vector is far more reliable and leaves virtually no traces visible to the victims. Because of this, network injections are also very hard to identify, document and, especially, reproduce.&lt;/p&gt;

&lt;p&gt;This form of attack is not new. FinFisher and HackingTeam, for example, also offered similar capabilities to their customers (with FinFly ISP&lt;sup id=&quot;a1&quot;&gt;&lt;a href=&quot;#f1&quot;&gt;1&lt;/a&gt;&lt;/sup&gt; and Infection Proxy respectively&lt;sup id=&quot;a2&quot;&gt;&lt;a href=&quot;#f2&quot;&gt;2&lt;/a&gt;&lt;/sup&gt;). A leaked brochure from NSO Group also details this capability in what they call a “Tactical Network Element”&lt;sup id=&quot;a3&quot;&gt;&lt;a href=&quot;#f3&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;

&lt;h2 id=&quot;conclusions&quot;&gt;Conclusions&lt;/h2&gt;

&lt;p&gt;These cases of abuse are not isolated incidents, but they are establishing a, by now, very well documented pattern. Although less sophisticated attack platforms, such as phishing and commodity malware, represent a quantitatively larger threat to civil society, more sophisticated options such as Pegasus are the product of choice for more resourceful and determined attackers.&lt;/p&gt;

&lt;p&gt;I worry it will become increasingly harder to detect and defend from these attacks. In this cat and mouse game, consumer technology vendors have to invest in hardening their products, particularly in light of the reality that they are used by regular users as well as by at-risk individuals. Ultimately, as these attacks become harder to develop, increasing their economic cost is critical to reduce instances of abuse. In the meantime, even UN officials are demanding a moratorium on the sale of surveillance technology in order to counter these human rights violations&lt;sup id=&quot;a4&quot;&gt;&lt;a href=&quot;#f4&quot;&gt;4&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;

&lt;p&gt;&lt;span id=&quot;f1&quot;&gt;&lt;/span&gt;1: &lt;a href=&quot;https://wikileaks.org/spyfiles4/documents/FinFly-ISP-Catalog.pdf&quot;&gt;https://wikileaks.org/spyfiles4/documents/FinFly-ISP-Catalog.pdf&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f2&quot;&gt;&lt;/span&gt;2: &lt;a href=&quot;https://wikileaks.org/hackingteam/emails/fileid/595666/274112&quot;&gt;https://wikileaks.org/hackingteam/emails/fileid/595666/274112&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f3&quot;&gt;&lt;/span&gt;3: &lt;a href=&quot;https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html&quot;&gt;https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f4&quot;&gt;&lt;/span&gt;4: &lt;a href=&quot;https://news.un.org/en/story/2019/06/1041231&quot;&gt;https://news.un.org/en/story/2019/06/1041231&lt;/a&gt;&lt;/p&gt;
</description>
            <pubDate>Thu, 10 Oct 2019 00:00:00 +0200</pubDate>
            <link>https://nex.sx//blog/2019/10/10/morocco-hrds-targeted-nso-group-spyware.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/10/10/morocco-hrds-targeted-nso-group-spyware.html</guid>
        </item>
        
        <item>
            <title>What am I doing at Amnesty International?</title>
            <description>&lt;p&gt;Several years ago I joined Amnesty International as the very first technologist in a nearly new born Technology &amp;amp; Human Rights team. Today, our team has evolved into a dedicated program called Amnesty Tech, nearly 20 people strong, almost half of which are technologists.&lt;/p&gt;

&lt;p&gt;Especially at the beginning, I would be frequently asked what a security researcher such as myself does at Amnesty International. Years later, I realized I never really explained that in details, and I never took the opportunity to tell what we collectively do now. Despite having thus far mostly operated out of the spotlights, I believe our work is remarkable and unique, so I figured I would use this newsletter to explain it.&lt;/p&gt;

&lt;p&gt;At the moment, our program primarily splits between a team tackling emerging technologies (such as machine learning, facial recognition, as well as social media economics) and a team that instead focuses on digital security of Human Rights Defenders (HRDs). I will speak to the latter, as I primarily contribute to that.&lt;/p&gt;

&lt;p&gt;This team consists of technologists currently based in Berlin, Tunis, Beirut, Dakar and Nairobi. Along with other researchers and advisors in our team, we try to tackle the growing threat of digital surveillance against HRDs through various means, primarily:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Investigate, Expose and Disrupt Illegitimate Surveillance&lt;/li&gt;
  &lt;li&gt;Build Networks and Mentor Human Rights Defenders&lt;/li&gt;
  &lt;li&gt;Create Tools and Services to Support Individuals at Risk&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Why Amnesty?&lt;/p&gt;

&lt;p&gt;While a large human rights organization can be a heavy and slow machinery to work with, doing this work at Amnesty comes with some precious benefits. Firstly, we operate free from any governmental influence (oddly, an uncommon privilege). Secondly, we get to work outside of the schemes of “Digital Rights” or “Internet Freedom”, which I find by definition to be extremely insulating, and fundamentally Western. We work through the lens of “Human Rights”, in law and in principle, which is a lot more empowering, and speaks to a much wider audience. Lastly, and most importantly, we can count on many colleagues from all over the world who are connected to and trusted by those communities we often find targeted with digital attacks. Such a diverse set of skills, backgrounds, and locations among my colleagues is a rare asset.&lt;/p&gt;

&lt;p&gt;Now, let’s get into some more details.&lt;/p&gt;

&lt;h2 id=&quot;investigate-expose-and-disrupt-illegitimate-surveillance&quot;&gt;Investigate, Expose and Disrupt Illegitimate Surveillance&lt;/h2&gt;

&lt;p&gt;The Berlin office hosts our Security Lab, of which I’m the Head. It’s a small team that conducts most of our technical investigation on digital surveillance against civil society. Here, we work closely with our colleagues from the offices around the world in order to support them in cases of emergency, and together discover and investigate threats affecting their respective regions. The majority of our technologists are talented trainers, community organizers, and researchers from the Global South.&lt;/p&gt;

&lt;p&gt;Having technologists familiar with the language, the culture, as well as the relevant threats in their regions is instrumental for us to identify global trends, as well as to collectively develop proper technology and security education material pertinent for the local HRDs at risk. Many of the tools and guides available today tend to be very Western-centric, and are not necessarily as applicable in other regions. As a truly global team, we learn from each other and invest more effectively our time and resources.&lt;/p&gt;

&lt;p&gt;Sometimes we publish details on the campaigns of targeted attacks we come across, especially when we believe we can share useful insights and perhaps raise awareness of particular attacks that might not be commonly understood. (I included at the bottom of this newsletter a list of some of the research we published.) However, publishing is not our primary objective: we don’t want our research to be exclusively an opportunity for media attention, but to result in tangible benefit to the HRDs and NGOs we work with. Therefore, the knowledge we build on global digital threats against civil society directly feeds into other activities and projects.&lt;/p&gt;

&lt;h2 id=&quot;build-networks-and-mentor-human-rights-defenders&quot;&gt;Build Networks and Mentor Human Rights Defenders&lt;/h2&gt;

&lt;p&gt;In some of the places we operate, networks of technologists are still lacking. Building a resilient civil society requires connecting people, creating networks, and having communities talk to each other. As technologists working for a large Human Rights organisation like Amnesty, we are uniquely well placed to facilitate these connections and foster their development. Some of my colleagues do incredible work on this aspect: my colleague Sadibou, for example, dedicates a lot of his time to the creation of a network of techies in West Africa (&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/04/amnesty-tech-secure-squad/&quot;&gt;https://www.amnesty.org/en/latest/research/2019/04/amnesty-tech-secure-squad/&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Security trainings have been a common practice in civil society for a long time. However, because of logistical constraints, trainings often tend to be occasional, standardized, and hardly locally contextualized. We decided to take on a new approach, and &lt;em&gt;mentor&lt;/em&gt; rather than &lt;em&gt;train&lt;/em&gt;. Some of our technologists nurture long-term mentorships of individuals and organisations in their respective regions, and help them learn not just how to use this or that tool, but how to think about and practice digital security. Our hope is to obtain a long-lasting impact, rather than an immediate excitement that generally fades away quickly.&lt;/p&gt;

&lt;h2 id=&quot;create-tools-and-services-to-support-individuals-at-risk&quot;&gt;Create Tools and Services to Support Individuals at Risk&lt;/h2&gt;

&lt;p&gt;Over the many years working in this space I observed (and personally contributed to) an almost exclusive attention to research &amp;amp; publishing, and very little to &lt;em&gt;building security&lt;/em&gt;. Although the media started paying attention to it, the difficult state of civil society’s digital security capacity barely improved.&lt;/p&gt;

&lt;p&gt;I don’t intend to talk here about the technological ecosystem of this space, as it would require a much longer newsletter of its own (and if there is an interest, I’d be happy to write one - let me know!), but to boil it down to the core issue: Human Rights Defenders face threats similar to those faced by large corporations and governments, and at a much higher personal cost, but are only equipped with consumer-grade technology. There is a fundamental asymmetry that significantly disadvantages civil society, which tends to be relegated to the margins of conversations on cybersecurity.&lt;/p&gt;

&lt;p&gt;Unfortunately, tackling this asymmetry is tricky because civil society is not a target market for the information security industry, and because of lacking financial resources. Additionally, the particular traits of typical civil society groups don’t lend themselves well to appropriate security modeling. There is no provisioning of hardware, software or services, therefore the norm is BYO* (Bring Your Own Everything, as I call it), leaving few possibilities for centralized control and monitoring. It is hard to detect attacks in these conditions, and so far we mostly managed through conversations rather than with technology.&lt;/p&gt;

&lt;p&gt;However inadequate this situation is, I believe it creates interesting opportunities for thinking about security differently, re-adapting concepts that might seem trivial in the corporate space, but that could make a significant difference in civil society. We need to be creative and bold in re-inventing some wheels.&lt;/p&gt;

&lt;p&gt;Here are some of the reports we have published so far:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/@AmnestyInsights/beyond-fake-news-an-investigation-into-the-murky-world-of-fake-campaigns-f4af8118844b&quot;&gt;Beyond fake news: an investigation into the murky world of fake campaigns&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852&quot;&gt;Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2017/03/False-Friends-Spearphishing-of-Dissidents-in-Azerbaijan/&quot;&gt;False Friends: How Fake Accounts and Crude Malware Targeted Dissidents in Azerbaijan | Amnesty International&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.amnesty.org/en/documents/asa33/8366/2018/en/&quot;&gt;Pakistan: Human rights under surveillance | Amnesty International&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/&quot;&gt;Amnesty International Among Targets of NSO-powered Campaign | Amnesty International&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/&quot;&gt;When Best Practice Isn’t Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users | Amnesty International&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/&quot;&gt;Phishing attacks using third-party applications against Egyptian civil society organizations | Amnesty International&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/&quot;&gt;Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
            <pubDate>Sun, 22 Sep 2019 00:00:00 +0200</pubDate>
            <link>https://nex.sx//blog/2019/09/22/what-am-i-doing-at-amnesty-international.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/09/22/what-am-i-doing-at-amnesty-international.html</guid>
        </item>
        
        <item>
            <title>Evolving Phishing Attacks Targeting Human Rights Defenders in Middle-East and North Africa</title>
            <description>&lt;p&gt;As you might have noticed, I’ve recently gone quiet on social media, as well as on this newsletter.  Life and its challenges took the most of me in the last few months. And while stepping away from social media was a great quality-of-life improvement I recommend to everyone, I apologize for the lack of regular content here.&lt;/p&gt;

&lt;p&gt;Many of my previous newsletters have dealt with phishing. This is representative to the current state of digital threats faced by Human Rights Defenders (HRDs). As infecting devices becomes harder, we’ve been observing attackers develop and evolve their tactics at both the “low-tier” as well as the “higher-tier” of attack sophistication. At Amnesty International we track these campaigns of attacks and we are in the process of publishing reports about some of our most recent findings. In the lower tier, phishing remains dominant and as service providers implement mitigations, and security educators promote them, attackers work around them.&lt;/p&gt;

&lt;p&gt;Last December we disclosed a campaign of large-scale targeted phishing attacks capable of systematically bypassing traditional forms of Two-Factor Authentication&lt;sup id=&quot;a1&quot;&gt;&lt;a href=&quot;#f1&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;. In March we disclosed a separate campaign of targeted phishing attacks using malicious third-party OAuth applications&lt;sup id=&quot;a2&quot;&gt;&lt;a href=&quot;#f2&quot;&gt;2&lt;/a&gt;&lt;/sup&gt;. Two days ago we disclosed a renewed campaign, operated by the same attackers as the first, yet again with some evolved tactics:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/&quot;&gt;https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;OAuth Phishing&lt;sup id=&quot;a3&quot;&gt;&lt;a href=&quot;#f3&quot;&gt;3&lt;/a&gt;&lt;/sup&gt; seems to be an increasingly popular tactic, most likely because of its simplicity as well as because, by nature, it enables attackers to avoid worrying about Two-Factor Authentication. Normally OAuth Phishing is conducted by creating malicious third-party apps that, once authorized to a victim account (for example, a Google or Outlook account), would siphon off all emails and other data. Consequently platform providers have started heavily cracking down on malicious third-party apps, and introducing stricter verification and authorization procedures for third-party app developers.&lt;/p&gt;

&lt;p&gt;Most likely in response to this, in this latest campaign the attackers have developed a new OAuth Phishing variant technique we had not observed before. Instead of creating malicious third-party apps, they found a way to abuse legitimate Google third-party apps in order to phish for victims’ accounts. Truthfully, we were quite impressed with the attackers’ craft and ingenuity. I invite you to read the blog post for all the details (and pictures!).&lt;/p&gt;

&lt;h2 id=&quot;some-additional-resources&quot;&gt;Some additional resources&lt;/h2&gt;

&lt;p&gt;Over the last year I have been working on a set of tools to facilitate the identification and reporting of phishing and spearphishing attacks. Currently it is in a closed-beta phase, but if you are a journalist, HRD or part of an NGO, and you are interested in hearing more, please do get in contact with me.&lt;/p&gt;

&lt;p&gt;Lastly, over the last months I have produced a (still under development) Guide to Phishing, published by Security Without Borders here: &lt;a href=&quot;https://guides.securitywithoutborders.org/guide-to-phishing/&quot;&gt;https://guides.securitywithoutborders.org/guide-to-phishing/&lt;/a&gt;. It goes into detail on how phishing attacks work and what mitigations are available. I hope you will find it useful. Any contributions are welcome!&lt;/p&gt;

&lt;p&gt;&lt;span id=&quot;f1&quot;&gt;&lt;/span&gt;1: &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/&quot;&gt;When Best Practice Isn’t Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f2&quot;&gt;&lt;/span&gt;2: &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/&quot;&gt;Phishing attacks using third-party applications against Egyptian civil society organizations&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f3&quot;&gt;&lt;/span&gt;3: &lt;a href=&quot;https://guides.securitywithoutborders.org/guide-to-phishing/oauth-phishing.html&quot;&gt;Guide to Phishing - Security Without Borders&lt;/a&gt;&lt;/p&gt;
</description>
            <pubDate>Fri, 23 Aug 2019 00:00:00 +0200</pubDate>
            <link>https://nex.sx//blog/2019/08/23/evolving-phishing-attacks-mena.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/08/23/evolving-phishing-attacks-mena.html</guid>
        </item>
        
        <item>
            <title>More on Mobile Security and Device Integrity</title>
            <description>&lt;p&gt;In my previous newsletter&lt;sup id=&quot;a1&quot;&gt;&lt;a href=&quot;#f1&quot;&gt;1&lt;/a&gt;&lt;/sup&gt; I comment on the recent news regarding the WhatsApp exploits discovered used by NSO Group and I marginally touch on the difficulties we encounter in confirming infections of mobile devices, particularly because of the tight security mitigations implemented by manufacturers such as Google and Apple.&lt;/p&gt;

&lt;p&gt;Some additional debate and commentary appeared on social media, particularly after an article published by Motherboard&lt;sup id=&quot;a2&quot;&gt;&lt;a href=&quot;#f2&quot;&gt;2&lt;/a&gt;&lt;/sup&gt; expanding on this particular issue, and quoting various security researchers as well as my newsletter. Because it is an interesting and contentious topic, I figured I could expand on my point. Forgive the higher frequency of my writing, but it is dictated by timeliness.&lt;/p&gt;

&lt;p&gt;In my previous newsletter, I wrote:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“… these security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensics technology.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;And continued:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;“Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;What do I mean by that?&lt;/p&gt;

&lt;p&gt;What perhaps many don’t realize is how resourceless we are, as technologists, when asked to respond to a suspected attack or to inspect the mobile device of an individual at risk who might have been targeted. For example, if a human rights defender suspects they are being surveilled and they bring their iPhone for inspection, mostly all we can do is search for suspicious messages and perhaps monitor the outgoing network traffic for the amount of time available to us (generally not a lot), hoping to get lucky enough to spot some suspicious traces at the right time. Obviously, when there is a significant distance or travel restrictions, our ability to intervene is drastically reduced.&lt;/p&gt;

&lt;p&gt;Under some circumstances there are exceptions and we might be able to do more. More commonly, however, technical, logistical and time constraints do not allow for a meaningful analysis.&lt;/p&gt;

&lt;p&gt;Although the tight security controls baked into modern mobile devices are a net positive and significantly raise the costs for attackers, when the threat model of an individual at risk includes a nation state or even a law enforcement agency among their adversaries, these limitations play into the losing asymmetry of capabilities I mentioned in my previous newsletter.&lt;/p&gt;

&lt;p&gt;Why? Because various companies out there are resourceful enough to acquire the necessary talent and the necessary technology (sometimes illegally&lt;sup id=&quot;a3&quot;&gt;&lt;a href=&quot;#f3&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;) and to research and develop bypasses for smartphones’ security mitigations. Companies such as NSO Group, or even Cellebrite&lt;sup id=&quot;a4&quot;&gt;&lt;a href=&quot;#f4&quot;&gt;4&lt;/a&gt;&lt;/sup&gt; and GrayShift&lt;sup id=&quot;a5&quot;&gt;&lt;a href=&quot;#f5&quot;&gt;5&lt;/a&gt;&lt;/sup&gt;, provide expensive products and services to States, which can essentially exercise a hegemonic power over the subversion of modern mobile devices for offensive purposes. In other words, there are tools available to law enforcement and intelligence agencies to break into an iPhone without its owner’s knowledge, while there is very little available to us to inspect a smartphone even when the owner is willing to unlock it in front of us. I am sure it is superfluous to explain why exclusively relying on law enforcement agencies or manufacturers is often not scalable or simply not possible.&lt;/p&gt;

&lt;p&gt;Regardless of the legitimacy or illegitimacy of this imbalance, I believe it is an objective reality.&lt;/p&gt;

&lt;p&gt;The resulting question then is: what can be done to enable people (especially individuals at risk and their support networks) to obtain more agency over their own mobile devices? Modern smartphones are very closed systems, and perhaps for the owners’ own good. Balancing a product’s default security hardening with more access for its owner is not trivial. Some on social media rightfully argued&lt;sup id=&quot;a6&quot;&gt;&lt;a href=&quot;#f6&quot;&gt;6&lt;/a&gt;&lt;/sup&gt; that opening up access for third-party security vendors to more closely inspect mobile devices will most likely result in that same access being abused by malicious actors for offensive purposes. I agree. However, I also believe that more needs to be done (or at least explored) to provide at least some ability for consumers to independently verify the integrity of their devices. Even if only within boundaries and with tools designed by the manufacturers.&lt;/p&gt;

&lt;p&gt;Other than the obvious technical value of being able to determine whether a device is being tampered with (at any time, and under the owner’s own security and personal safety requirements) and adapt one’s secure communications strategy, enabling individuals at risk to learn whether their smartphones are being used to surveil them can also be an extremely important canary in the coalmine to alert them, and to contextualize their current exposure to personal risk.&lt;/p&gt;

&lt;p&gt;What I’m left to wonder is whether some of these changes would be technically and economically justifiable for manufacturers, in contrast to the needs of a larger consumer base and the interests of shareholders. I don’t know. I suppose that is the unfortunate result of the largely monolithic technological ecosystem in which we live.&lt;/p&gt;

&lt;p&gt;&lt;span id=&quot;f1&quot;&gt;&lt;/span&gt;1: &lt;a href=&quot;https://nex.sx/blog/2019/05/14/on-whatsapp-0day-legal-action-nso.html&quot;&gt;On the WhatsApp 0day and legal action against NSO Group - Nex&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f2&quot;&gt;&lt;/span&gt;2: &lt;a href=&quot;https://www.vice.com/en_us/article/pajkkz/its-almost-impossible-to-tell-if-iphone-has-been-hacked&quot;&gt;It’s Almost Impossible to Tell if Your iPhone Has Been Hacked - VICE&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f3&quot;&gt;&lt;/span&gt;3: &lt;a href=&quot;https://motherboard.vice.com/en_us/article/gyakgw/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days&quot;&gt;The Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code - VICE&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f4&quot;&gt;&lt;/span&gt;4: &lt;a href=&quot;https://www.washingtonpost.com/world/asia_pacific/security-tech-companies-once-flocked-to-myanmar-one-firms-tools-were-used-against-two-journalists-/2019/05/04/d4e9f7f0-5b5d-11e9-b8e3-b03311fbbbfe_story.html&quot;&gt;Security-tech companies once flocked to Myanmar. One firm’s tools were used against two journalists&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f5&quot;&gt;&lt;/span&gt;5: &lt;a href=&quot;https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/&quot;&gt;Mysterious $15,000 ‘GrayKey’ Promises To Unlock iPhone X For The Feds&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f6&quot;&gt;&lt;/span&gt;6: &lt;a href=&quot;https://twitter.com/DidymaWorks/status/1128314170057748491&quot;&gt;Twitter&lt;/a&gt;&lt;/p&gt;
</description>
            <pubDate>Wed, 15 May 2019 00:00:00 +0200</pubDate>
            <link>https://nex.sx//blog/2019/05/15/more-on-mobile-security-and-device-integrity.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/05/15/more-on-mobile-security-and-device-integrity.html</guid>
        </item>
        
        <item>
            <title>On the WhatsApp 0day and legal action against NSO Group</title>
            <description>&lt;p&gt;The Israeli spyware firm NSO Group is in the news again today. Facebook discovered a critical vulnerability in the WhatsApp messenger apparently being leveraged in attacks set to install NSO Group’s Pegasus spyware on the targets’ phones&lt;sup id=&quot;a1&quot;&gt;&lt;a href=&quot;#f1&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;. Facebook (who owns WhatsApp) announced today the discovery, released an emergency update for WhatsApp and disclosed some details&lt;sup id=&quot;a2&quot;&gt;&lt;a href=&quot;#f2&quot;&gt;2&lt;/a&gt;&lt;/sup&gt;. The vulnerability seems to lie in WhatsApp’s VoIP implementation, and would allow the attackers to remotely infect a mobile device just by instantiating some video calls through the app. Because no interaction on the victim’s part is needed, this exploit is being referred to on the press as “0-click” (zero-click).&lt;/p&gt;

&lt;p&gt;There are some considerations I would like to share in reaction to this story.&lt;/p&gt;

&lt;p&gt;Firstly, while it is a significant story and the exploit discovered by Facebook and likely developed by NSO Group is potent and worrying, we should not consider this an isolated or unprecedented case. Unfortunately, so called “0-click” exploits are more common than it appears in the press, and blaming WhatsApp for this security flaw is shortsighted, as we can surely expect competitor apps to be equally targeted and most likely already exploited. As a matter of fact, only a few months ago Reuters reported that the UAE exploited similar vulnerabilities in iMessage as part of “Project Raven”&lt;sup id=&quot;a3&quot;&gt;&lt;a href=&quot;#f3&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;. Essentially, the fact that an exploit in WhatsApp has now been discovered does not mean other apps are inherently more secure. If anything, it speaks to the difficulty of uncovering these attacks even for large and resourceful security teams such as Facebook’s, let alone for smaller organisations.&lt;/p&gt;

&lt;p&gt;The number of documented cases of targeting of journalists and human rights defenders using NSO Group’s products and services is ever-growing. And although we expect more to come to light in the future, all that we know so far is most likely a small fraction of the whole. Attacking and infecting mobile devices is a difficult, but not impossible, task because of the many security mitigations and lockdowns baked into mobile platforms, such as Android and even more so iOS. However, these security controls have made mobile devices extremely difficult to inspect, especially remotely, and particularly for those of us working in human rights organizations lacking access to adequate forensics technology. Because of this, we are rarely able to confirm infections even of those we already suspect of being targeted. Last August, for example, we discovered one of our Amnesty staff members was targeted with Pegasus&lt;sup id=&quot;a4&quot;&gt;&lt;a href=&quot;#f4&quot;&gt;4&lt;/a&gt;&lt;/sup&gt;, but whether others were too is not possible for us to confirm. Quite frankly, we are on the losing side of a disheartening asymmetry of capabilities that favors attackers over us, defenders.&lt;/p&gt;

&lt;p&gt;The darker reality is that NSO Group is just one of many, many more surveillance firms operating in the same space. NSO is getting caught in public more regularly probably because of their larger market share, but also because there is existing documentation of their tooling that security researchers out there, such as those at Facebook who discovered this WhatsApp exploit, can use to at least marginally follow NSO Group’s breadcrumbs. For this we can thank Ahmed Mansoor, who first came forward with messages that led to the discovery of Pegasus, and who is now enduring a hunger strike in the jail where he’s serving an unjust 10-year sentence&lt;sup id=&quot;a5&quot;&gt;&lt;a href=&quot;#f5&quot;&gt;5&lt;/a&gt;&lt;/sup&gt;. Additionally, I believe the technical limitations I described earlier also contribute to the reason why not more similar exploits and spyware are discovered.&lt;/p&gt;

&lt;p&gt;Ultimately, human rights defenders are losing the most. The widespread use of exploits and spyware, the seemingly unaccountable business of the firms producing them, and a worrying lack of forensics and intrusion detection technologies available to members of civil society, all contribute to a sense of doom and inevitability. That is why we, at Amnesty International, are taking action. On Monday we filed a legal complaint with the Israeli Ministry of Defense requesting the withdrawal of the export license for NSO Group&lt;sup id=&quot;a6&quot;&gt;&lt;a href=&quot;#f6&quot;&gt;6&lt;/a&gt;&lt;/sup&gt;. Amnesty along with many other organisations has also demanded transparency and accountability from Novalpina Capital and the other financial institutions invested in the company&lt;sup id=&quot;a7&quot;&gt;&lt;a href=&quot;#f7&quot;&gt;7&lt;/a&gt;&lt;/sup&gt;. These legal battles are new tactics that will be put to the test in courts over the next years.&lt;/p&gt;

&lt;p&gt;In the meantime, our Digital Security Lab at Amnesty International and all our technologists around the world have been working hard to build the capacity to properly support individuals at risk. While publications are important for advocacy and awareness, I believe they are not enough alone. We need to seriously invest in providing human rights defenders with the practical means and the tools to prevent and respond to cyber attacks effectively. We are working towards this goal, and I am looking forward to sharing more about this in the future.&lt;/p&gt;

&lt;p&gt;As always, if you have information to share that can help us discover and stop campaigns of illegitimate hacking of members of civil society, don’t hesitate to get in contact with me&lt;sup id=&quot;a8&quot;&gt;&lt;a href=&quot;#f8&quot;&gt;8&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;

&lt;p&gt;&lt;span id=&quot;f1&quot;&gt;&lt;/span&gt;1: &lt;a href=&quot;https://www.nytimes.com/2019/05/13/technology/nso-group-whatsapp-spying.html&quot;&gt;Israeli Firm Tied to Tool That Uses WhatsApp Flaw to Spy on Activists - The New York Times&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f2&quot;&gt;&lt;/span&gt;2: &lt;a href=&quot;https://www.facebook.com/security/advisories/cve-2019-3568&quot;&gt;Facebook&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f3&quot;&gt;&lt;/span&gt;3: &lt;a href=&quot;https://www.reuters.com/investigates/special-report/usa-spying-raven/&quot;&gt;Exclusive: Ex-NSA cyberspies reveal how they helped hack foes of UAE&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f4&quot;&gt;&lt;/span&gt;4: &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/&quot;&gt;Amnesty International Among Targets of NSO-powered Campaign | Amnesty International&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f5&quot;&gt;&lt;/span&gt;5: &lt;a href=&quot;https://www.amnesty.org/en/latest/news/2019/04/uae-ahmed-mansoor-enters-fourth-week-of-hunger-strike-to-protest-unfair-10-year-sentence/&quot;&gt;UAE: Ahmed Mansoor enters fourth week of hunger strike to protest unfair 10-year sentence | Amnesty International&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f6&quot;&gt;&lt;/span&gt;6: &lt;a href=&quot;https://www.amnesty.org/en/latest/news/2019/05/israel-amnesty-legal-action-stop-nso-group-web-of-surveillance/&quot;&gt;Israel: Amnesty International engages in legal action to stop NSO Group’s web of surveillance | Amnesty International&lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f7&quot;&gt;&lt;/span&gt;7: &lt;a href=&quot;https://www.amnesty.org/en/latest/research/2019/02/open-letter-to-novalpina-capital-nso-group-and-francisco-partners/&quot;&gt;Open letter to Novalpina Capital, CC: NSO Group, Francisco Partners &lt;/a&gt;&lt;br /&gt;
&lt;span id=&quot;f8&quot;&gt;&lt;/span&gt;8: &lt;a href=&quot;https://nex.sx/contacts/&quot;&gt;Contacts - Nex&lt;/a&gt;&lt;/p&gt;
</description>
            <pubDate>Tue, 14 May 2019 00:00:00 +0200</pubDate>
            <link>https://nex.sx//blog/2019/05/14/on-whatsapp-0day-legal-action-nso.html</link>
            <guid isPermaLink="true">https://nex.sx//blog/2019/05/14/on-whatsapp-0day-legal-action-nso.html</guid>
        </item>
        
    </channel>
</rss>
