× Security Privacy Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen L

IvoShoen · Mar 9, 2018

https://it.slashdot.org/story/18/03/09/1728209/downloads-of-popular-apps-were-silently-swapped-for-spyware-in-turkey-citizen-lab

itman · Mar 9, 2018

It is SOP in many Middle East countries for the gov. to intercept Internet communications. I know Saudi Arabia does it. This is the first I have heard of Turkey to it. But the guy in charge is getting increasingly dictatorial.

Much much more detail on Middle East deep packet inspection using Sandvine here: https://citizenlab.ca/2018/03/bad-t...vices-deploy-government-spyware-turkey-syria/

Targeted users in Turkey and Syria who downloaded Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects.
Click to expand...

Minimalist · Mar 10, 2018

State-sponsored hacking is one good reason to use the Microsoft Store for your apps

Security has always been one of the main reasons to use the Microsoft Store for your apps, and now the Turkish government has provided another example of how downloading directly from the websites of companies may not be the safest way to get your software.
Click to expand...

https://mspoweruser.com/state-spons...son-to-use-the-microsoft-store-for-your-apps/

itman · Mar 10, 2018

Except in the case where Win 10 S was hacked in 3 hours after its introduction: https://fossbytes.com/windows-10-s-hacked-3-hours-macros/

itman · Mar 12, 2018

Internet Provider Redirects Users in Turkey to Spyware: Report

Hundreds of users in Turkey and Syria have been redirected to nation-state malware at the Internet Service Provider (ISP) level, a recent Citizen Lab report reveals.

Following ESET’s discovery that ISPs might be involved in the FinFisher distribution, Citizen Lab launched its own investigation into the matter, only to discover that Türk Telekom has been using Sandvine/Procera Networks Deep Packet Inspection (DPI) devices for the delivery of FinFisher when users attempted to download certain legitimate Windows applications.

Furthermore, the same DPI middleboxes at a Telecom Egypt demarcation point were used to hijack Egyptian users’ unencrypted Internet connections en masse, to redirect them to affiliate ads and in-browser crypto-currency mining scripts.

Middleboxes on Türk Telekom’s network were redirecting users to spyware-laden versions of legitimate programs such as Avast Antivirus, CCleaner, Opera, and 7-Zip, Citizen Lab reports. This was possible because “official websites for these programs […] directed users to non-HTTPS downloads by default,” the Citizen Lab report reads.

Targeted users in Turkey and Syria attempting to download applications from CBS Interactive’s Download.com were also redirected to versions of the programs containing spyware. The lack of HTTPS once again made the redirection possible.

The malicious versions of the targeted applications were initially packed with the FinFisher lawful intercept spyware, but the actor then switched to the StrongPity spyware.
Click to expand...

https://www.securityweek.com/internet-provider-redirects-users-turkey-spyware-report

reasonablePrivacy · Mar 12, 2018

itman said: ↑

Except in the case where Win 10 S was hacked in 3 hours after its introduction: https://fossbytes.com/windows-10-s-hacked-3-hours-macros/
Click to expand...

But downloading apps from MS Store is probably secure (downloads from MS Store are probably signed, I guess). I hate to say it, but Windows S is probably protected against this particular attack. It would be interesting whether Chocolatey (3rd party package manager for Windows) is also properly protected by signed hashes.
Packages for major Gnu/Linux distributions also check signed by distribution's developer team, so they are also protected against this specific attack, at least if somebody is using only packages from official repository. It is usually not enforced, but users are strongly urged to use only official repository for downloading packages.

Rasheed187 · Mar 17, 2018

I didn't completely understand. Did they get redirected to a fake downloading site, or did they click on legit download links and then got redirected to malware bundled with legit apps? Scary stuff, and it also shows why it's important to even monitor trusted apps during install. Would be interesting to know if the malware did operate as child processes of Avast and CCleaner.

itman · Mar 17, 2018

Rasheed187 said: ↑

Did they get redirected to a fake downloading site, or did they click on legit download links and then got redirected to malware bundled with legit apps?
Click to expand...

Per the article I posted in reply #5, they got redirected at the ISP level i.e. Turk Telecom.

Rasheed187 · Mar 24, 2018

itman said: ↑

Per the article I posted in reply #5, they got redirected at the ISP level i.e. Turk Telecom.
Click to expand...

That's too technical for me. But if I understood correctly, you will invisibly get directed to malware infested versions.

guest · Oct 24, 2018

Burned malware returns, according to Cylance: is Hacking Team responsible?
October 23, 2018
https://www.cso.com.au/article/6486...says-cylance-report-hacking-team-responsible/

Cyber mercenaries sell malware to oppressive regimes in the Middle East, which then use that malware to attack their own citizens, research from the Citizen Lab suggested earlier this year.

For the last six months, Cylance has been studying how the malware, known as Promethium or StrongPity, has changed as a result of the Citizen Lab report.

Cylance declined, as a matter of company policy, to attribute the malware to a particular group of cyber mercenaries, but its report hints that it might be Hacking Team [...]
What happens when you burn a malware group?
Within a short time after the Citizen Lab report, the cyber mercenary group's malware was back at full throttle. "Two months after the Citizen Lab report, Cylance found new Promethium/StrongPity activity, utilising new infrastructure," the report said.

"Our research demonstrates how important it is, how powerful for network defenders and researchers to occasionally look backwards, and see what happened after research was published," Livelli adds.
Click to expand...

Log in or Sign up

× Security Privacy Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen L

IvoShoen Registered Member

itman Registered Member

Minimalist Registered Member

itman Registered Member

itman Registered Member

reasonablePrivacy Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

guest Guest

Log in or Sign up

× Security Privacy Downloads of Popular Apps Were Silently Swapped For Spyware in Turkey: Citizen L

IvoShoen Registered Member

itman Registered Member

Minimalist Registered Member

itman Registered Member

itman Registered Member

reasonablePrivacy Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

guest Guest

Useful Searches