New FinFisher surveillance campaigns: Are internet providers involved?

Minimalist · Sep 21, 2017

New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement.
FinFisher has extensive spying capabilities, such as live surveillance through webcams and microphones, keylogging, and exfiltration of files. What sets FinFisher apart from other surveillance tools, however, are the controversies around its deployments. FinFisher is marketed as a law enforcement tool and is believed to have been used also by oppressive regimes.
We discovered these latest FinFisher variants in seven countries; unfortunately, we cannot name them so as not to put anyone in danger.
Click to expand...

https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/

Rasheed187 · Sep 23, 2017

This is quite scary stuff and a bit shocking. That's why I will always stick with my "trust no app" motto. Even trusted software shouldn't be fully trusted.

itman · Sep 23, 2017

FinFisher also exposes the need for two-factor authorization in app software downloading. This can be done manually by comparing the hash of the download file to the hash of the download present on the legit vendors web site.

There is also the question of whether the bogus downloads were validity signed which was not addressed in the Eset article. I assume they weren't and is also a manual validation everyone should perform prior to installing any app software from a vendor known to sign their software.

Who is the “man” in the middle?

It would be technically possible for the “man” in these man-in-the-middle attacks to be situated at various positions along the route from the target’s computer to the legitimate server (e.g. compromised Wi-Fi hotspots). However, the geographical dispersion of ESET’s detections of latest FinFisher variants suggests the MitM attack is happening at a higher level – an ISP arises as the most probable option.

This assumption is supported by a number of facts: First, according to leaked internal materials that have been published by WikiLeaks, the FinFisher maker offered a solution called “FinFly ISP” to be deployed on ISP networks with capabilities matching those necessary for performing such a MitM attack. Second, the infection technique (using the HTTP 307 redirect) is implemented in the very same way in both of the affected countries, which is very unlikely unless it was developed and/or provided by the same source. Third, all affected targets within a country are using the same ISP. Finally, the very same redirection method and format have been used for internet content filtering by internet service providers in at least one of the affected countries.

The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now. If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach.
Click to expand...

Log in or Sign up

New FinFisher surveillance campaigns: Are internet providers involved?

Minimalist Registered Member

Rasheed187 Registered Member

itman Registered Member

Log in or Sign up

New FinFisher surveillance campaigns: Are internet providers involved?

Minimalist Registered Member

Rasheed187 Registered Member

itman Registered Member

Useful Searches