Facebook Bans 7 ‘Cyber Mercenary’ Companies for Spying on 50,000 Users

Dec 17, 2021

Meta Platforms on Thursday revealed it took steps to deplatform
seven cyber mercenaries that it said carried out “indiscriminate”
targeting of journalists, dissidents, critics of authoritarian
regimes, families of opposition, and human rights activists located
in over 100 countries, amid mounting scrutiny of surveillance
technologies.

To that end, the company said ^[1]
it alerted 50,000 users of Facebook and Instagram that their
accounts were spied on by the companies, who offer a variety of
services that run the spyware gamut from hacking tools for
infiltrating mobile phones to creating fake social media accounts
to monitor targets. It also removed 1,500 Facebook and Instagram
accounts linked to these firms.

Four of the cyber mercenary enterprises — Cobwebs Technologies,
Cognyte, Black Cube, and Bluehawk CI — are based in Israel. Also
included in the list is an Indian company known as BellTroX ^[2], a North Macedonian
named Cytrox, and an unknown entity operating out of China that’s
believed to have conducted surveillance campaigns focused on
minority groups in the Asia-Pacific region.

The social media giant said it observed these commercial players
engaging in reconnaissance, engagement, and exploitation activities
to further their surveillance objectives. The companies operated a
vast network of tools and fictitious personas to profile their
targets, establish contact using social engineering tactics and,
ultimately, deliver malicious software through phishing campaigns
and other techniques that allowed them to access or take control of
the devices.

Citizen Lab, in an independent report ^[3], disclosed that two
Egyptians living in exile had their iPhones compromised in June
2021 using Predator spyware built by Cytrox. In both instances, the
hacks were facilitated by sending single-click links to the targets
via WhatsApp, with the links sent as images containing URLs.

While the iOS variant of Predator worked by running a malicious
shortcut automation ^[4]
retrieved from the spyware server, the Android samples unearthed by
Citizen Lab features capabilities to record audio conversations and
fetch additional payloads from a remote attacker-controlled
domain.

“The global surveillance-for-hire industry targets people across
the internet to collect intelligence, manipulate them into
revealing information and compromise their devices and accounts,”
Meta’s David Agranovich and Mike Dvilyanski said. “These companies
are part of a sprawling industry that provides intrusive software
tools and surveillance services indiscriminately to any
customer.”

In a related development, the U.S. Treasury Department added ^[5]
eight more Chinese companies — drone maker DJI Technology, Megvii,
and Yitu Limited, among others — to an investment blacklist for
“actively cooperating with the [Chinese] government’s efforts to
repress members of ethnic and religious minority groups,” including
Muslim minorities ^[6]
in the Xinjiang province.

Meta’s sweeping crackdown also comes close on the heels of a
detailed technical analysis of FORCEDENTRY ^[7], the now-patched ^[8]
zero-click iMessage exploit ^[9]
put to use by the embattled Israeli company NSO Group to surveil
journalists, activists and dissidents around the world.

Google Project Zero (GPZ) researchers Ian Beer and Samuel Groß
called ^[10] it “one of the most
technically sophisticated exploits” that uses a number of clever
tactics to get around BlastDoor protections ^[11] added to make such
attacks more difficult, and take over the devices to install the
Pegasus implant.

Specifically, the findings from GPZ point out how FORCEDENTRY
leveraged a quirk in iMessage’s handling of GIF images — a
vulnerability in the JBIG2 image compression standard that’s used
to scan text documents from a multifunction printer — to trick the
targets into opening and loading a malicious PDF without requiring
any action on their part.

“NSO is only one piece of a much broader global cyber mercenary
industry,” Agranovich and Dvilyanski added.

Following the revelations ^[12], the U.S. government
subjected the spyware vendor to economic sanctions ^[13], a decision that has
since prompted the company to mull a shutdown of its Pegasus unit
and a possible sale. “Talks have been held with several investment
funds about moves that include a refinancing or outright sale,”
Bloomberg said ^[14] in a report published
last week.

References

^{^}
said
(about.fb.com)
^{^}
BellTroX
(thehackernews.com)
^{^}
independent report
(citizenlab.ca)
^{^}
shortcut
automation (support.apple.com)
^{^}
added
(home.treasury.gov)
^{^}
Muslim
minorities (thehackernews.com)
^{^}
FORCEDENTRY
(thehackernews.com)
^{^}
now-patched
(thehackernews.com)
^{^}
iMessage
exploit (thehackernews.com)
^{^}
called
(googleprojectzero.blogspot.com)
^{^}
BlastDoor protections
(thehackernews.com)
^{^}
revelations
(thehackernews.com)
^{^}
economic sanctions
(thehackernews.com)
^{^}
said
(www.bloomberg.com)

The Hacker News Headlines

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

Aug 18, 2023

The Hacker News Headlines

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions

Aug 18, 2023

The Hacker News Headlines

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Aug 18, 2023

OWASP TOP !0

Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Cross-Site Scripting XSS. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Facebook Bans 7 ‘Cyber Mercenary’ Companies for Spying on 50,000 Users

References

Related Post

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

You missed

Protected: Rotary VI EAST

Protected: BetterCyberCareer Group

Protected: Benin Club 1931 – Official

Protected: Whatsapp AI Automation Group