Commercial spyware: The stealthy threat
It can be difficult to over-estimate the benefits that we accrue from the use of technology in our day-to-day lives. But these benefits have come at a price which has redefined what we expect in terms of privacy. As a member of Generation X, which came of age at the dawn of the Internet era and witnessed the rise of an entire industry built on consumer information analytics, I have on occasion struck my own Faustian bargains, offering up my personal data in exchange for convenience. As have we all. In doing so we are implicitly trusting the organization that runs the website or app in question to safeguard our information effectively.
Spyware, as the name suggests, is software designed to covertly gather data about a victim without their consent. Spyware can infect both computers and mobile devices, infiltrating them through malicious or hacked websites, phishing emails, and software downloads. Unlike other forms of malware that may seek to disrupt or damage systems, spyware operates discreetly, often evading detection while silently siphoning off sensitive information. When deployed against individuals, this data can range from browsing habits and keystrokes to login credentials and financial information. Spyware can also access microphones and cameras: for gathering intelligence or evidence when deployed by government agencies, or for capturing content for sale, blackmail, or other monetization schemes when deployed by threat actors. The effects can be devastating.
The proliferation of commercial spyware poses significant risks to companies as well. Commercial spyware is a niche industry which develops and markets software for the purpose of data collection. Their products use many of the same methods as other kinds of malware. Often, commercial spyware leverages zero-day exploits that were either developed by the vendor in question or purchased from independent researchers. For example, in a recent report, Google researchers concluded that approximately half of the zero-day vulnerabilities targeting their products over the past decade were the work of “Commercial Surveillance Vendors” (https://www.scmagazine.com/news/spyware-behind-nearly-50-of-zeros-days-targeting-google-products).
These zero-days are the commercial spyware vendors' intellectual property and enable their products' success in the market. As such, they do not disclose these zero-day threats to the vendors responsible for remediation. The longer such zero-day issues are unreported and unpatched, the greater the risk of additional threat actor groups discovering and weaponizing them. In addition, there is the ongoing threat that such tools could be disclosed to unintended, and unscrupulous, audiences. Look no further than the tools that were auctioned off to threat actors by The Shadow Brokers (The Shadow Brokers - Wikipedia). Those exploits were reputed to have been the property of an intelligence agency. In some cases the vulnerabilities exercised by the exploits had been present in systems for several years and were previously undisclosed. This led to widespread ransomware infections resulting from “EternalBlue”, the exploit for the vulnerability later patched as MS17-010.
While these events were not that long ago, times have changed. There is an ever-increasing focus on privacy of personally identifiable information and more legislation has been enacted to protect it since 2017. Attackers have also shifted tactics to include stealing data prior to encrypting it (“double extortion”). As a result, commercial spyware creates significant risk exposure for companies on two fronts. Firstly, by putting organizations at risk from known zero-days that could be remediated by vendors had they been responsibly disclosed. Secondly, by creating increased risk of fines, penalties, and litigation under all privacy laws applicable to the data impacted.
Protecting against spyware requires a multi-pronged approach, including, but not limited to, the following:
Vigilance, awareness, and proactive defense are essential in safeguarding our systems and data, and by extension, our privacy. Whether as shareholders or consumers, it is we who ultimately bear the costs associated with malicious software. This may result in inconvenience at times. But if it does, try to remember that the privacy you are preserving could be your own.