It’s often difficult to overestimate the benefits that we accrue from the use of technology in our daily lives. But these benefits have come at a price that has redefined what we expect in terms of privacy. As a member of Generation X, which came of age at the dawn of the internet era, I have, on occasion, struck my own Faustian bargains, offering up my personal data in exchange for convenience, as have we all. In doing so, we are implicitly trusting the organization that runs the website or app in question to safeguard our information effectively.
Spyware, as the name suggests, has been designed to covertly gather data about a victim without their consent. Spyware can infect both computers and mobile devices, infiltrating them through malicious or hacked websites, phishing emails, and software downloads. Unlike other forms of malware that may seek to disrupt or damage systems, spyware operates discreetly, often evading detection while silently siphoning off sensitive information. When deployed against individuals this data can range from browsing habits and keystrokes to login credentials and financial information. Spyware can access microphones and cameras for purposes of gathering intelligence or evidence when deployed by government agencies, or capturing content for purposes of sale, blackmail, or other monetization schemes if deployed by threat actors, often to a devasting extent.
The proliferation of commercial spyware poses significant risks to companies as well. Commercial spyware has become a niche industry that develops and markets software for the purpose of data collection. Their products use many of the same methods as other kinds of malware. Often, commercial spyware leverages zero-day exploits that were either developed by the vendor in question or purchased from independent researchers. For example, in a recent report, Google researchers concluded that approximately half of the zero-day vulnerabilities targeting their products over the past decade were the work of “commercial surveillance vendors.”
These zero-days are the commercial spyware vendors’ intellectual property and enable the success of their products in the market. As such, they do not disclose these zero-day threats to the vendors responsible for remediation. The longer such zero-day issues are unreported and unpatched, the greater the risk of additional threat actor groups discovering and weaponizing them. In addition, there’s the ongoing threat that such tools could get disclosed to unintended, and unscrupulous, audiences. Look no further than the tools that were auctioned off to threat actors by The Shadow Brokers. Those exploits were reputed to have been the property of an intelligence agency. In some cases, the vulnerabilities exercised by the exploits had been present in systems for several years and were previously undisclosed. This led to widespread ransomware infections resulting from “EternalBlue,” later known as MS17-010.
While these events were not that long ago, times have changed. There’s an ever-increasing focus on privacy of personally identifiable information (PII) and more legislation has been enacted to protect it since 2017. Attackers have also shifted tactics to include stealing data prior to encrypting it, so-called double extortion.
As a result, commercial spyware creates significant risk exposure for companies on two fronts. First, by putting organizations at risk from known zero-days that could be remediated by vendors had they been responsibly disclosed. Secondly, by creating an increased risk of fines, penalties, and litigation under all privacy laws applicable to the data impacted.
Protecting against spyware requires a multi-pronged approach that includes the following:
- Install endpoint security software. Products such as SentinelOne, with real-time scanning capabilities, can help detect and remove spyware infections based on behavioral analytics before they cause significant harm.
- Keep the operating system, software, and security patches up-to-date. This will minimize known vulnerabilities that spyware could exploit.
- Be wary of unsolicited emails, suspicious links, and unknown or “free” software downloads. Practice safe browsing habits and only download apps from trusted sources.
- Conduct regular threat hunting within the environment. Look for signs of potential infection and data exfiltration.
- Reboot devices regularly. This will combat memory resident malware that has not yet established a persistence mechanism.
- Evaluate data retention policies. Keep only the data the organization requires for business purposes and ensure that it is well protected with strong encryption and least-privilege access.
Vigilance, awareness, and proactive defense are essential in safeguarding our systems and data, and by extension, our privacy. Whether as shareholders or consumers, it’s all of us who ultimately bear the costs associated with malicious software. So, while this may result in an inconvenience at times, remember that taking these steps will protect the privacy of everyone at the company.
Mike Klepper, national practice director for application security, threat and vulnerability management, AT&T Cybersecurity Consulting
