Despite government and big tech's efforts, the commercial espionage economy appears to be booming. In addition to the major players like NSO Group, and Intellexa, the Threat Analysis Group (TAG) has found "dozens of smaller" commercial surveillance vendors and tracks around 40 such organizations. Other exploitation supply chain orgs make money from the initial exploit developers and suppliers on through to the spyware vendors that charge varying amounts depending on what capabilities the customer requests. 20 zero-days were abused by commercial surveillance vendors, and 25 were uncovered under active exploitation. According to a report published on Tuesday, the proliferation of dangerous tools and capabilities used by governments against individuals threatens the safety of the internet and the trust on which a vibrant and inclusive digital society depends. Human rights advocates and journalists were among those who were affected by the dangers of the internet as a result of the efforts of the vendors. The tools have also been used to detain dissidents. This, despite assurances from some of the vendors that their products can only be used to fight terrorism and other serious crimes. Nick Biasini, head of outreach for the Talos division, lamented in an interview with The Register that he hadn't seen any reporting on legitimate use of the software. It could be used in highly classified environments so that information never sees the light of day, but the majority of the activity is around dissidents, activists, reporters, lawyers and those types of victims. The US announced Monday that it would impose visa restrictions on anyone involved in the abuse of commercial spyware. This extends from the makers and suppliers to the end- users. The Register pointed out at the time that the order included big loopholes for Uncle Sam's snoops and American-made products. The US government placed export restrictions on NSO Group in 2021. The UK and France led a group of 35 nations that signed an agreement to "tackle proliferation and irresponsible use of commercial cyber intrusion tools and services." The business appears to be booming despite these and other efforts. There are a lot of vendors in this space, especially in Europe, where offensive conferences have been going on.
The vulnerability and exploit vendors arecoupling, which is one of the bigger trends that Talos is tracking. According to the report, three or four zero days are the average number of days where a single point of entry is used to remotely drop spyware to the target. There isn't any pricing info for zero days, which tend to allow remote code execution. The base price of 8 million ($8.6 million) is enough to buy the user a remote, one-click exploit chain and the ability to run ten concurrent implants. The second offer is for NOVA, an Intellexa Alliance combined spyware and data analysis system that was leaked on the internet. In addition to the base price, users can buy persistence on victim devices for an additional 3 million, and an additional five-country package for another 1.2 million. The only two data points Biasini is aware of are the NYT story and the XXS leak. "That's all we have." Biasini was worried about the lack of data sharing across the industry on the threat. If we really want to fix this, we need more eyes on this, and that should not be the case. The sources The Register contacted for this story were unable to provide any examples of or information about the models that are used to price spyware. There is a lack of visibility that allows the criminals to operate with ease while their victims live in fear.
Added to the list.
Elina Castillo Jiménez told The Register that the recent UK Pall Mall Process highlights a growing international alarm over the global spyware crisis. The declaration is a step in the right direction, but is not enough to rein in the commercial surveillance industry. The focus should shift to protecting individuals from being spied on instead of debating the definition of legitimate software. There is a lot that governments can do individually, such as ceasing to purchase products from commercial surveillance vendors, enforcing export regulations, and providing accountability for already documented victims of spyware.