An American Company Fears Its Windows Hacks Helped India Spy On China And Pakistan

INDIAPOSITIVE

A U.S. company's tech was abused by the Indian government, amidst warnings Americans are contributing to a spyware industry already under fire for being out of control.


Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyberespionage campaign targeting Microsoft Windows PCs at government and telecoms entities in China and Pakistan. They began in June 2020 and continued through to April 2021. What piqued the researchers’ interest was the hacking software used by the digital spies, whom Kaspersky had dubbed Bitter APT, a pseudonym for an unspecified government agency. Aspects of the code looked like some the Moscow antivirus provider had previously seen and attributed to a company it gave the cryptonym Moses.

Moses, said Kaspersky, was a mysterious provider of hacking tech known as a “zero-day exploit broker.” Such companies operate in a niche market within the $130 billion overall cybersecurity industry, creating software – an “exploit” – that can hack into computers via unpatched vulnerabilities known as “zero days” (the term coming from the fact that developers have “zero days” to fix the problem before it’s publicly known.) They act like super-powered lockpicks, finding loopholes in operating systems or apps to allow a hacker or spy to break into targets’ digital lives. So rare are such exploits, they can fetch upwards of $2 million each. Buyers wielding them have the power to either protect themselves from those who might have knowledge of the relevant zero day, or to inflict massive damage on others. For instance, attackers used at least one zero day in an infamous 2020 attack on $2.5 billion market cap software provider SolarWinds and many of its customers - from U.S. government departments to tech giants like Cisco and Microsoft. The attacks cost SolarWinds at least $18 million, with warnings the overall figure, counting the cost for SolarWinds customers who were also compromised, could get into the tens of billions.


Sometimes American companies aren’t the victims, but the ones fueling costly digital espionage. Moses’ real identity, Forbes has learned, is an Austin, Texas, company called Exodus Intelligence, according to two sources with knowledge of the Kaspersky research. And Bitter APT, the Moses customer, is India, added one source.

Little known outside of the cybersecurity and intelligence worlds, over the last ten years, Exodus has made a name for itself with a Time magazine cover story and the leak of a tool that law enforcement used to hack the anonymizing browser Tor to ensnare child predators. It also claims partnerships with the Defense Department’s research agency Darpa and major tech firms like Cisco and Fortinet, a $2.6 billion (2020 sales) cybersecurity outfit. “They're significant because the size of the market is relatively small, and the skill set required [to find zero-days] is in possession of just a few thousand people worldwide at any given time,” says Katie Moussouris, founder of Luta Security and creator of Microsoft’s bug bounty program to reward hackers for vulnerability disclosures.

Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide both information on a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook newsfeed of software vulnerabilities, sans exploits, for up to $250,000 a year. It’s marketed primarily as a tool for defenders, but customers can do what they want with the information on those Exodus zero days – ones that typically cover the most popular operating systems, from Windows to Google’s Android and Apple’s iOS.

That feed is what India bought and likely weaponized, says 37-year-old Exodus CEO and cofounder Logan Brown. He tells Forbes that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed – allowing deep access to Microsoft’s operating system - and Indian government personnel or a contractor adapted it for malicious means. India was subsequently cut off from buying new zero-day research from his company in April, says Brown, and it has worked with Microsoft to patch the vulnerabilities. The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown says, adding, “You can use it offensively if you want, but not if you're going to be… shotgun blasting Pakistan and China. I don't want any part of that.” (The Indian embassy in London hadn’t responded to requests for comment.)

The company also looked at a second vulnerability Kaspersky had attributed to Moses, another flaw that allowed a hacker to get higher privileges on a Windows computer. It was not linked to any particular espionage campaign, but Brown confirms it was one of his company’s, adding that it would “make sense” that India or one of its contractors had weaponized that vulnerability too.

Brown is also now exploring whether or not its code has been leaked or abused by others. Beyond the two zero-days already abused, according to Kaspersky, “at least six vulnerabilities” made by Moses have made it out “into the wild” in the last two years. Also according to Kaspersky, another hacking crew known as DarkHotel - believed by some cybersecurity researchers to be sponsored by South Korea - has used Moses’ zero days. South Korea is not a customer of Exodus. “We are pretty sure India leaked some of our research,” Brown says. “We cut them off and haven’t heard anything since then… so the assumption is that we were correct.”

Any such zero-day spill would be especially concerning coming from a company that tries to keep a lid on around 50 zero days a year, covering the world’s most popular operating systems, from Windows to Android to Apple’s iOS. And Brown isn’t alone in seeing his creation used in ways he didn’t intend. Luca Todesco, an Italian zero-day developer and a Forbes 30 Under 30 alum, tweeted last year about “the worst outcome I could see from doing my line of work” after seeing iPhone hacks used for surveillance of the Uighur community, a minority persecuted by the Chinese government. After Google researchers detailed hacks of iPhones belonging to members of the Uyghur community, Todesco realized that one of the techniques detailed by the tech giant looked a lot like something he had developed and shared with Chinese contacts. In direct messages over Twitter, Todesco denied that he’d ever sold any code that ended up in the attacks, but said he’d been openly sharing his findings with multiple, unnamed individuals. He claimed he didn’t know how or why his code ended up being used in attacks on the Uighur community, but added that “I would have avoided sharing had I known.” He continues to develop exploits as part of a new Italian company he cofounded, Dataflow Security.

Aaron Portnoy, former cofounder of Exodus Intelligence, now works on more defensive technologies. His old company is now investigating whether its hacking tools leaked.

That kind of abuse is what Aaron Portnoy, a 36-year-old former executive and cofounder of Exodus with Brown, has worried about of late. Portnoy spent a decade making hacking software that could bypass security made by the biggest companies in the world - Apple, Google, Microsoft. When Portnoy left Exodus in 2015 he went on to work for defense giant Raytheon and an “electronic warfare” startup based in San Diego called Boldend. But today, the 36-year-old self-taught hacker, who dropped out of Northwestern to carve his own career in cybersecurity, worries that he never knew who had access to his code or how they used it. He now regrets relinquishing control over his zero days to salespeople. “It's almost like I was being taken advantage of… it felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,” says Portnoy, now plying his trade at Randori, a Massachusetts-based cybersecurity firm. “I don't know that I would trust any given administration to be making all the choices that I would make.”

But Exodus was right to cut off India, says Moussouris, and more onus should be on the buyers when it comes to preventing abuse. Brown says he’s only ever had to cut off one other customer, a French police agency, after an Exodus hack it used to target dark web child predators was exposed. “Any time our data becomes accessible to the public, especially malicious actors, it is a breach of contract,” Brown adds. Pedram Amini, an Exodus advisor and founder of the Zero Day Initiative where Brown, Portnoy and another Exodus cofounder once worked, says the company’s record of cutting ties with just two customers over a decade is impressive. Amini adds that he’s happy with “the tightrope Exodus was walking” when vetting customers. “I would not be involved in this company at all if we were, for example, working with the Saudis.”

Allegations that NSO Group software was exploiting iPhones of activists, journalists and politicians across the world has led to heightened awareness and alarm about cross-border phone and PC surveillance. (Photo by JOEL SAGET / AFP) (Photo by JOEL SAGET/AFP via Getty Images)

Knowing that its zero days can be used offensively, Brown’s company could have chosen not to sell to India, a country that’s been accused of abuse of spyware in recent revelations about global use of tools made by Israel’s $1 billion-valued NSO Group. Earlier this year, a coalition of newspapers and nonprofits called the Pegasus Project alleged that phones of the leader of opposition Congress party, Rahul Gandhi, and some of his close associates had been targeted, leading to claims of treason against Prime Minister Narendra Modi’s government. (The government denied any unauthorized use of spyware had occurred.) In 2019, Facebook-owned WhatsApp said Indian journalists and activists had been targeted with NSO’s iPhone surveillance software. “Selling technology that can be used for offensive purposes to the Indian government, you're going to get into a situation where you may be fueling that kind of abuse,” says John Scott-Railton, senior researcher at Citizen Lab at the University of Toronto’s Munk School. Similarly, Todesco could’ve opted to keep his findings secret rather than share them with Chinese contacts.

Earlier this year, Microsoft president Brad Smith warned about the dangers posed by the global spyware industry, calling out NSO by name. He said industry vendors were handing “even more capability to the leading nation-state attackers” and exacerbating “cyberattack proliferation to other governments that have the money but not the people to create their own weapons.” With Exodus in India, there are concerns Americans are making things even worse. Forbes revealed earlier this year that Battery, a Boston-based venture capital firm, had quietly helped launch an NSO competitor, Paragon. Earlier this month, the Justice Department revealed two American companies sold iPhone hacking software – each tool costing $1.3 million - to a contractor in the U.A.E. that was carrying out spy operations for the Emirates. According to Reuters, those iOS exploits were used on hundreds of targets, including the Emir of Qatar and a Nobel Peace laureate human-rights activist in Yemen. “We need to understand what role the U.S. private offensive market is playing in fueling … problematic things around the world,” adds Scott-Railton.

With the supply there, the American government is hungry for hacks of all kinds of technologies. Earlier this year, two FBI agents were shot and killed by a pedophile suspect in Florida - murders facilitated by a doorbell camera that alerted the shooter to the presence of law enforcement. Brown says that after those murders, the FBI reached out to the likes of Exodus saying it wanted better “monitoring capabilities” for devices like home cameras. Since many agency workers have returned to the office this summer with the post-Covid reopening, Brown adds, demand has spiked, especially for smartphone surveillance tools. “Everybody is just mobile, mobile, mobile.”




@Imran Khan @Reichsmarschall
 
Son, I don't read such long things.
 
Build your own windows and doors, Pakistanis. Use my 25 years of software industry experience. Or else keep getting hacked.
 
Pakistan has no cyber warfare or defense capabilities, PERIOD ! Fooking morons use pirated and unprotected software even in critical domains.
Every Tom, Dick and Harry is welcome to **** info.
 
This Aaron Portnoy is a Jewish man.

99% of hack tools made for use by the Indian Govt. (and Bangladesh, and Saudi) are by vendors from the Jewish country.

Last week's Apple zero-day exploit came from a vendor from the Jewish country, NSO Group. Used by the Saudi Govt. against a Saudi dissident's iPhone...


Please Google it and see....

Never thought I'd see the day when Apple security can be breached - this idiot faggot Tim Cook should step down....I bet Steve Jobs would have fired this idiot if he was alive...he is probably turning in his grave...

One day these tools will be used against the USA itself....
 
Pakistan has no cyber warfare or defense capabilities, PERIOD ! Fooking morons use pirated and unprotected software even in critical domains.
Every Tom, Dick and Harry is welcome to **** info.

There is a way to get around this, use Linux.

Some Linux skins are friendlier than Windows 10 (to use) and they are very hard to breach exploit-wise. Architecture is different compared to Windows - OS Kernel is separate from UI. I am no expert though. @jamahir Bhai your comments...

It needs a govt. vision and mission to change these things. But also - a budget and most importantly, discipline. Almost North Korea Type discipline.

By the way - Kaspersky (which is touted as a malware prevention software) uses backdoors when installed, they are banned for use in US govt. systems. The company has very close ties with Putin and his compatriots who control KGB successor agencies (collected data is mined and refined for statistical purposes),
  • Inter-Republican Security Service (MSB) (1991),
  • Central Intelligence Service (TsSR) (1991),
  • Committee for the Protection of the State Border (KOGG) (1991) .
 
Some Linux skins are friendlier than Windows 10 (to use)

I use the Slax Linux distro which loads off a USB stick and has a generally easy-to-use GUI.

and they are very hard to breach exploit-wise. Architecture is different compared to Windows - OS Kernel is separate from UI. I am no expert though. @jamahir Bhai your comments...

In my Slax Linux :

1. I did a "ps -el" command and saw that the Chromium browser runs under a non-root user id which makes attack on the OS through the browser difficult.

2. I am not a Linux architecture expert but the "ps -el" command shows that the "startx" program which starts the X Windows UI runs under root user id but you are right that it is not part of the kernel. It is an application-level program.

Further, Linux doesn't seem to have auto-run scripts like the Visual Basic scripts in Windows. Many times when I have gone to the local print shop and given them my USB stick with the document, back home when I attach the USB stick to my Linux machine I see in the root directory some VB scripts which have the same name as the files and directories in the root directory but with a .vbs extension. These VB scripts are viruses. Presumably if I had attached the USB drive to a Windows machine the "Explorer" program which is the main GUI in Windows would have interpreted the directory-named VB scripts as directories and shown those scripts with a yellow folder icon which when clicked would have loaded the VB script virus. So earlier when I had a Windows installation I would kill the "Explorer" program using the "Task manager" program and would then start the "WinRAR" program which allows safe navigation through the folders and shows clearly which is actually a folder and which is not even if a non-folder file has a folder-like appearance. And from "WinRAR" I would then delete that folder-looking virus and thus make the USB drive safe. Other than of course deleting even non-folder-looking VB scripts. And only then start the "Explorer" UI program by invoking the task manager. But yes, in Linux too if you accidentally run a malicious shell script under root user id the system will become damaged.

By the way - Kaspersky (which is touted as a malware prevention software) uses backdoors when installed, they are banned for use in US govt. systems. The company has very close ties with Putin and his compatriots who control KGB successor agencies (collected data is mined and refined for statistical purposes),
  • Inter-Republican Security Service (MSB) (1991),
  • Central Intelligence Service (TsSR) (1991),
  • Committee for the Protection of the State Border (KOGG) (1991) .

I didn't know that.
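
The manual check described in the post above (VB scripts in a USB stick's root directory that carry the name of an existing file or folder plus a .vbs extension), as an added shell example that is not part of the original thread. The function names `scan_vbs` and `lower` and the mount point in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: inspect the top level of a mounted USB stick from Linux and
# list every .vbs file, marking those named after a sibling file or folder.
# Usage (mount point is an assumption): sh scan_vbs.sh /media/usb

# Lowercase a string; FAT/exFAT sticks treat names case-insensitively.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print one line per .vbs file in the top level of "$1":
#   SHADOW <path>  a sibling entry is named exactly like the script minus ".vbs"
#   SCRIPT <path>  any other .vbs file
scan_vbs() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # Second glob picks up dot-files; unmatched globs are skipped by the -f test.
    for script in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$script" ] || continue
        name=${script##*/}
        case $(lower "$name") in
            *.vbs) ;;
            *) continue ;;
        esac
        stem=$(lower "${name%.*}")      # "Photos.vbs" -> "photos"
        label=SCRIPT
        for other in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$other" ] || continue
            if [ "$other" = "$script" ]; then
                continue
            fi
            # A folder "Photos" or a file "report.doc" next to
            # "Photos.vbs" / "report.doc.vbs" is the pattern from the post.
            if [ "$(lower "${other##*/}")" = "$stem" ]; then
                label=SHADOW
                break
            fi
        done
        printf '%s %s\n' "$label" "$script"
    done
    return 0
}

# Run stand-alone when a directory is given on the command line.
if [ $# -gt 0 ]; then
    scan_vbs "$1"
fi
```

The script only reports; nothing is executed or deleted, so the listed files can be reviewed before removal.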
 