Court Filings Show NSO Group Ran Malware Attacks Through Servers Located In California
Things are getting even more interesting in Facebook's lawsuit against Israeli malware merchant, NSO Group. Facebook was getting pretty tired of NSO using WhatsApp as an attack vector for malware delivery, which resulted in the company having to do a lot more upkeep to ensure users were protected when utilizing the app.

Unfortunately, Facebook wants a court to find that violating an app's terms of service also violates the CFAA -- something most of us really don't want, even if it would keep NSO and its customers from exploiting messaging services to target criminals, terrorists… and, for some reason, lots of journalists, dissidents, and activists.

NSO finally responded to Facebook's lawsuit by saying it could not be sued over the actions of its customers. Its customer base is mainly government agencies -- including some especially sketchy governments. NSO claims all it does is sell the stuff. What the end users do with it is between the end users and their surveillance targets. Since its customers are governments, sovereign immunity applies… which would dead-end this lawsuit (wrong defendant) and any future lawsuits against governments by Facebook (the sovereign immunity).

NSO's claims it can't be touched by this lawsuit are falling apart. Citizen Lab researcher John Scott-Railton pointed out on Twitter that Facebook's latest filings point to NSO operating its malware servers from inside the United States -- apparently doing far more than simply selling malware to government customers and letting them handle the deployment details.

Facebook's answer to NSO's attempt to dismiss the lawsuit concedes NSO's point: it is not its customers. But that's precisely why it can be sued. From Facebook's response [PDF]:
A flawed premise runs through the motion to dismiss (“MTD”). Defendants contend that they cannot be held responsible for designing and marketing spyware and then deploying it using WhatsApp’s U.S.-based servers, including in California, to hack into WhatsApp users’ devices. Instead, Defendants pin blame on unidentified foreign sovereigns. That argument fails at every turn: Defendants cannot cloak themselves in their putative clients’ immunity; they are accountable for suit in a California court; and the Complaint states valid claims for relief based on Defendants’ unauthorized access to and hijacking of WhatsApp’s servers.

[...]

The statute confers immunity only on foreign states—not private companies who develop and operate their own technology and then claim to act on a foreign state’s behalf.

The claim that NSO Group operates from California (making this venue appropriate for the lawsuit) isn't some distended stretch where malware briefly passed through WhatsApp servers in the US on its way to its targets. Declarations [PDF] by Facebook's expert witnesses show NSO is routing malware deliveries through California data centers. This is only a small part of the list of IP addresses linked to NSO deployments Facebook has uncovered.
Attached as Exhibit 1 is a true and accurate screenshot from IP2Location.com obtained on April 22, 2020, for IP address 220.127.116.11. Exhibit 1 shows that IP address 18.104.22.168 is currently located in Los Angeles, California, and is owned by QuadraNet Enterprises LLC.

According to historical IP address location information from Maxmind.com for IP address 22.214.171.124 obtained through the website archive.org, IP address 126.96.36.199 was located in Los Angeles, California, and owned by QuadraNet Enterprises LLC as of May 28, 2019. Attached as Exhibit 2 is a true and accurate screenshot of the Maxmind.com csv.zip file available for download at archive.org that contains historical IP location information. Attached as Exhibit 3 is a true and accurate screenshot of the unzipped Maxmind.com csv.zip file showing the date of the files as May 28, 2019. Attached as Exhibits 4a, 4b, and 4c are true and accurate screenshots of the netblock for IP address 188.8.131.52 showing the location and ownership of IP address 184.108.40.206 as of May 28, 2019.

This is the upshot of Facebook's investigation of NSO's WhatsApp-based efforts:
NSO used QuadraNet’s California-based server more than 700 times during the attack to direct NSO’s malware to WhatsApp user devices in April and May 2019.

These filings appear to show something very different than what NSO Group has claimed. It is not a blind provider of malware to government agencies. This indicates NSO is purchasing and operating servers stateside that its customers use to deploy malware. And if it runs these servers, then it quite possibly knows who its customers are targeting. This is far more involved than its sworn statements have said. The plausible deniability it's trying to project just isn't that plausible.

Facebook's response points out the logical leap NSO is demanding from the court.
The Complaint alleges targeting of 1,400 separate devices, Compl. ¶ 42, and NSO does not specify who it was working for in each attack. Instead, NSO relies on a conclusory declaration from its CEO Shalev Hulio stating that “NSO markets and licenses its Pegasus technology exclusively to sovereign governments and authorized agencies,” and those sovereigns—not NSO—“operate [the] Pegasus technology.” Hulio Decl. ¶¶ 9, 14-15. But Hulio fails to identify any specific foreign sovereign for whom NSO worked—let alone cite a single contract or any evidence establishing NSO’s purportedly limited operational role.

NSO's options are all unappealing at the moment. It can't hope to settle since its customers aren't going to be willing to give up exploitation of an encrypted messaging app used by millions of people around the world. It also can't be looking forward to continued litigation since that's only going to mean more exposure of its actions and inner workings as the lawsuit drags on. But these are the risks you take when your favored attack vector is another company's service and your payload deliveries route themselves through rented/purchased servers located in the United States.

NSO turned itself into a villain by selling its products to governments wanting to target dissidents, journalists, activists, and attorneys. A little more judiciousness would have gone a long way. Running attacks through services owned by one of the most powerful tech companies in the world may have provided NSO's customers with a broad user base to attack, but it also ensured it would find itself in court facing a well-funded and well-equipped adversary.
Read more here
posted at: 12:00am on 02-May-2020
path: /Policy | permalink
ICANN Board Blocks The Sale Of The .Org Registry
Last fall, we wrote about what appeared to be many of the sketchy details behind the non-profit Internet Society (ISOC) agreeing to sell off the non-profit Public Interest Registry (PIR), which runs the .org top level domain registry, to the very much for-profit private equity firm, Ethos Capital, which had recently been formed, and involved a bunch of ex-ICANN execs and other internet registry folks. Even if the deal made perfect sense, there were a lot of questionable issues raised concerning who was involved, whether or not there was self-dealing, and how transparent the whole thing was. On the flipside, a number of very smart people I know and respect -- including some who worked for ISOC -- insisted that the deal not only made sense, but was good for the future of the .org domain and the wider internet. In January, we had a long podcast with Mike Godwin, who is on the board of ISOC and voted for the deal, debating whether or not the deal made sense.

In the intervening months, many people and organizations had petitioned ICANN to block the deal, and ICANN had repeatedly delayed its vote -- with the last delay coming a few weeks ago right after California's Attorney General, Xavier Becerra, sent a pretty scathing letter about the deal.

On Thursday, ICANN's board voted to block the deal, saying that it just created too much uncertainty for non-profit organizations who rely on the .org top level domain.
The Board was presented with a unique and complex situation - impacting one of the largest registries with more than 10.5 million domain names registered. After completing its evaluation, the ICANN Board finds that the public interest is better served in withholding consent as a result of various factors that create unacceptable uncertainty over the future of the third largest gTLD registry. Factors that were considered in determining reasonableness include, but are not limited to:

- A change from the fundamental public interest nature of PIR to an entity that is bound to serve the interests of its corporate stakeholders, and which has no meaningful plan to protect or serve the .ORG community.
- ICANN is being asked to agree to contract with a wholly different form of entity; instead of maintaining its contract with the mission-based, not-for-profit that has responsibly operated the .ORG registry for nearly 20 years, with the protections for its own community embedded in its mission and status as a not-for-profit entity.
- The US$360 million debt instrument forces PIR to service that debt and provide returns to its shareholders, which raises further question about how the .ORG registrants will be protected or will benefit from this conversion. This is a fundamental change in financial position from a not-for-profit entity.
- There are additional uncertainties, such as an untested Stewardship Council that might not be properly independent, or why PIR needs to change its corporate form to pursue new business initiatives.
- The transaction as proposed relies on ICANN as a backstop for enforcement of disputes between the .ORG community and the registry operator in an untested manner.

The entire Board stands by this decision. After thorough due diligence and robust discussion, we concluded that this is the right decision to take. While recognizing the disappointment for some, we call upon all involved to find a healthy way forward, with a keen eye to provide the best possible support to the .ORG community.

It will be interesting to see what happens next -- but if ISOC wants to sell off PIR, it's apparently going to need to go down a different path. In the meantime, ISOC's CEO sent out an email and a blog post talking about his disappointment, and (once again) explaining why he felt the deal made sense and was done appropriately, and promises to continue to move forward with helping to make a better internet. He also insists that PIR is not for sale, while taking a dig at ICANN in the process:

Now that we know that ICANN believes its remit to be much larger than we believe it is, we can state this clearly: neither PIR nor any of its operations are for sale now, and the Internet Society will resist vigorously any suggestion that they ought to be.

While most of the focus in these discussions has been specific to the impact on PIR and the .org domain, I do separately wonder if this whole mess will hurt ISOC itself in the very good work that it does. I hope not. Even as I came down pretty clearly against this deal, I can at least recognize that the people on the ISOC side at least were honestly trying to do what they believed made the most sense for everyone. However, a very large swath of the civil society, non-profit, and public interest world disagreed -- and I fear that this ends up damaging ISOC's overall credibility going forward. If that is the end result of this, it would be a huge shame.
Read more here
posted at: 12:00am on 02-May-2020
path: /Policy | permalink