A coalition of dozens of countries, including France, the United Kingdom and the United States, along with technology companies such as Google, MDSec, Meta and Microsoft, have signed a joint agreement to curb the use of commercial spyware aimed at committing human rights abuses.
The initiative, nicknamed the Pall Mall Process, aims to address the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for states, industry and civil society in relation to the development, facilitation, purchase and use of such instruments.
The statement said the “uncontrolled spread” of spyware offerings contributes to “unintended escalation in cyberspace,” stressing that it poses risks to cyber stability, human rights, national security and digital security.
“Where these tools are used maliciously, attacks can access victims’ devices, listen to calls, obtain photos and remotely operate a camera and microphone via ‘zero-click’ spyware, meaning no interaction is necessary by the user,” the British government said in a press release.
According to the National Cyber Security Center (NCSC), it is estimated that thousands of people are targeted globally by spyware campaigns every year.
“And as the commercial market for these tools grows, so will the number and severity of cyberattacks that compromise our digital devices and systems, causing increasingly costly damage and making it harder than ever for our cyber defenses to protect institutions and public services,” Deputy Prime Minister Oliver Dowden said at the UK-France Cyber Proliferation Conference.
Notably missing from the list of countries participating in the event is Israel, which is home to numerous private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa (Cytrox), NSO Group, and QuaDream.
Recorded Future News reported that Hungary, Mexico, Spain and Thailand, which have been linked to spyware abuse in the past, did not sign the pledge.
The multilateral action coincides with the US State Department’s announcement to deny visas to individuals it believes are involved in the misuse of dangerous spyware technologies.
“Until recently, a lack of accountability has allowed the spyware industry to proliferate dangerous surveillance tools around the world,” Google said in a statement shared with The Hacker News. “Limiting the ability of spyware vendors to operate in the United States helps change the incentive structure that has enabled their continued growth.”
On the one hand, spyware such as Chrysaor and Pegasus are licensed to government customers for use in law enforcement and counterterrorism. On the other hand, oppressive regimes regularly abuse it to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents and other members of civil society.
Such intrusions typically leverage zero-click (or one-click) exploits to surreptitiously deploy surveillance software to targets’ Google Android and Apple iOS devices with the goal of gathering sensitive information.
That said, ongoing efforts to combat and contain the spyware ecosystem have been something of a “whack-a-mole,” underscoring the challenge of fending off recurring, lesser-known players who supply or invent similar cyber weapons.
This also extends to the fact that CSVs continue to engage in the development of new exploit chains as companies like Apple, Google, and others discover and patch zero-day vulnerabilities.
Source: Google Threat Analysis Group (TAG)
“As long as there is demand for surveillance capabilities, there will be incentives for CSVs to continue to develop and sell tools, perpetuating an industry that harms high-risk users and society at large,” said the Threat Analysis Group (TAG) of Google.
An extensive report published by TAG this week revealed that the company is tracking around 40 commercial spyware companies selling their products to government agencies, including 11 linked to the exploitation of 74 zero-days in Google Chrome (24), Android (20), iOS (16), Windows (6), Adobe (2) and Mozilla Firefox (1) in the last ten years.
Unknown state-sponsored perpetrators, for example, last year exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206 and CVE-2023-32409) as zero-days to infect victims with spyware developed by Barcelona-based Variston. The flaws were patched by Apple in April and May 2023.
The campaign, discovered in March 2023, delivered an SMS link and targeted iPhones located in Indonesia running iOS versions 16.3.0 and 16.3.1 with the aim of distributing the BridgeHead spyware implant via the Heliconia exploitation framework. Variston also weaponized a serious security hole in Qualcomm chips (CVE-2023-33063) that first came to light in October 2023.
The full list of zero-day vulnerabilities in Apple iOS and Google Chrome discovered in 2023 and tied to specific spyware vendors is as follows:
“Private sector companies have been involved in discovering and selling exploits for many years, but the rise of turnkey spying solutions is a more recent phenomenon,” the tech giant said.
“CSVs work with deep technical expertise to deliver ‘pay-to-play’ tools that bundle a chain of exploits designed to overcome a selected device’s defenses, spyware, and necessary infrastructure, all to harvest the desired data from an individual’s device.”