Roaring trade in zero-days means more vulns are falling into the hands of state spies, warn security researchers

Flaw variety hipper with snoops than cash-hungry crooks right now


Zero-day vulns are increasingly likely to be bought and sold by malware vendors targeting the Middle East with their dodgy wares, according to FireEye.

"While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities," said the threat intel group in a blog post published today.

Israeli spyware company NSO Group is a name that keeps cropping up again and again in FireEye's analysis, which found that over the past three years, the number of zero-days in observed circulation has been increasing.

"Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities," said FireEye, which went on to refer to a group of malicious persons variously named by researchers as Stealth Falcon and FruityArmor [sic].

This group "used malware sold by NSO Group", said FireEye, which speculated that it might also be linked to Uzbekistani state spying operations: "The zero-days used in SandCat operations [another online threat activity group] were also used in Stealth Falcon operations, and it is unlikely that these distinct activity sets independently discovered the same three zero-days."

Aside from NSO Group's sales, FireEye also looked at what it called "financially motivated actors", meaning criminals who want to make a quick buck from exploiting zero-days to steal and sell data. These, it said, were doing their thing "with less frequency than espionage groups", suggesting that you're at greater risk from state spies abusing zero-day vulns to pwn your network than you are from common-or-garden crims trying to ransom your stolen data back to you.

Stealth Falcon was identified by eastern European infosec bods Eset last year as using an obscure Windows background service for its command-'n'-control comms with compromised machines in the group's botnet. Before that, Kaspersky found them abusing a vuln in Windows TrueType fonts to remotely execute code on targeted devices.

Kaspersky also recently found an uptick in malicious activity targeting the Middle East as a whole, something that appears to be a rising trend from threat intel companies' findings.

A zero-day is a software vulnerability that has zero days between the time it is discovered and the time that someone is found to be using it for criminal purposes. Responsible infosec researchers find vulns and then privately tell vendors about them so they can be patched before everyone knows; zero days, in contrast, are highly prized by malware vendors and state spies alike. ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021