According to the latest report published by Google's Threat Analysis Group (TAG), the rise of commercial surveillance vendors is driving zero-day vulnerability discovery, development, and exploitation. This poses significant risks to free speech, the free press, and the open internet.
Commercial surveillance vendors typically provide their clients with access to advanced spyware. One of the best-known examples was using Pegasus to compromise the iOS devices of politicians, journalists, and those deemed persons of interest to various governments.
Regarding the use of spyware by these companies, TAG notes,
Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents and opposition party politicians. These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.
In TAG's investigations, 40 Commercial Surveillance Vendors (CSV) had many of their activities investigated. These findings have been published in a separate report related to the abovementioned.
This report goes into far greater depth with regard to CSVs and is an interesting read on its own. However, this article will focus on the zero-day business.
CSVs investigated include Cy4Gate and RCS Lab, known for the "Epeius" and "Hermit" spyware strains; Intellexa, who combine technologies like Cytrox's "Predator" spyware and WiSpear's Wi-Fi interception tools to offer a turn-key espionage suite; NSO Group, famous for the development and deployment of Pegasus; and, Variston, best known for collaborating with other vendors for zero-day exploits.
Core to a CSV's business model is the development and selling of zero-day vulnerabilities. These vulnerabilities are discovered in software and hardware packages by third parties other than the software developer or hardware manufacturer.
If done by those with good intentions, the company is notified so that a patch can be released. If, like in the case of CSVs, malicious actors can exploit the vulnerability to bypass any security measures on a victim's device and install malware, or in this case, spyware.
With regard to CSVs in particular, they offer pay-to-play tools that bundle an exploit chain designed to get past security measures. This also requires CSVs to provide spyware and the necessary infrastructure to collect the desired data from the targeted user.
Division of Spyware Labor
To offer a complete turn-key spyware product to potential clients, be they questionable government agencies or law enforcement, TAG notes four previously separate groups have combined forces to provide a better and more dangerous product.
TAG stated these four groups are:
- Vulnerability researchers and exploit developers: While some vulnerability researchers choose to monetize their work by improving the security of products (e.g., contributing to bug bounty programs or working as defenders), others use their knowledge to develop and sell exploits to brokers or directly to CSVs.
- Exploit brokers and suppliers: Individuals or companies located all over the world specialize in selling exploits to customers, which are often, but not always, governments.
- Commercial Surveillance Vendors (CSVs) or Private Sector Offensive Actors (PSOAs): Businesses focused on developing and selling spyware as a product, including the initial delivery mechanisms, the exploits, the command and control (C2) infrastructure, and the tools for organizing collected data.
- Government customers: Governments who purchase spyware from CSVs and select specific targets, craft campaigns that deliver the spyware, and then monitor the spyware implant to collect and receive data from their target's device.
This has resulted in a spike in CSVs actively discovering and exploiting zero-days. It was stated that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors.
TAG further went on record stating,
This is a lower-bounds estimate, as it reflects only known 0-day exploits. The actual number of 0-day exploits developed by CSVs targeting Google products is almost certainly higher after accounting for exploits used by CSVs that have not been detected by researchers, exploits where attribution is unknown, and cases where a vulnerability was patched before researchers discovered indications of exploitation in-the-wild.
TAG concluded that CSVs have proliferated hacking and spyware capabilities that weaken the safety of the internet for all. This impacts those living in repressive regimes and those in democratic countries where law enforcement agencies may overreach their mandate and infringe on the rights of individuals and even businesses using spyware to gain an advantage in the competition.
TAG hopes to disrupt CSV activity by sharing intelligence strategies and fixes with their industry peers and publicly releasing information about the operations threatening our rights. Since November 2010, Google has also used a vulnerability rewards program (VRP) to recognize the contributions of security researchers who invest their time and skills in helping secure the digital ecosystem.