- A Russian cybersecurity company had witnessed a cyber espionage campaign targeting Microsoft Windows PCs in China and Pakistan.
- The CEO of Exodus has said that, after an investigation, he believes India handpicked one of the Windows vulnerabilities for malicious purposes.
- India was then barred from purchasing new zero-day research from his company, he adds.
Texas-based Exodus Intelligence believed India was using its “zero-day” security vulnerabilities, which hackers can use to attack systems, to spy on Pakistan and China, according to a report in Forbes.
Exodus CEO and co-founder Logan Brown said that after an investigation he believes India handpicked one of the Windows vulnerabilities in its feed, a flaw allowing deeper access to Microsoft’s operating system, and that Indian government personnel or a contractor adapted it for malicious purposes.
Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyber espionage campaign targeting Microsoft Windows PCs at government and telecommunications entities in China and Pakistan. The attacks started in June 2020 and continued until April 2021.
Exodus Intelligence stops selling new zero-day research to India
The CEO of Exodus said his company subsequently barred India from purchasing new zero-day research in April and worked with Microsoft to fix the vulnerabilities.
India’s use of his company’s research was beyond the pale, although Exodus doesn’t limit what customers do with its findings, Brown said, adding, “You can use it offensively if you want to, but not if you are going to . . . shotgun exploding Pakistan and China. I don’t want any part of it.” (The Indian Embassy in London had not responded to requests for comment.)
The American company also examined a second vulnerability that Kaspersky attributed to Moses, another flaw that allowed a hacker to gain higher privileges on a Windows computer. This was not linked to any particular espionage campaign, but Brown confirmed that it was one of his company’s, adding that it would “make sense” for India or one of its contractors to have also turned this vulnerability into a weapon.
Beyond the two zero-days already abused, according to Kaspersky, “at least six vulnerabilities” created by Moses have been revealed “in the wild” in the past two years. Also according to Kaspersky, another hacking team known as DarkHotel – which some cybersecurity researchers say is sponsored by South Korea – used Moses’s zero-days. South Korea is not an Exodus customer.
“India discloses some of our research”
“We’re pretty sure India has disclosed some of our research,” Brown said. “We cut them off and haven’t heard anything since . . . so the assumption is that we were right.”
Exodus, when requested by the Five Eyes countries (an alliance of intelligence-sharing countries that includes the United States, United Kingdom, Canada, Australia and New Zealand) or their allies, will provide both information about a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook news feed about software vulnerabilities, without exploits, costing up to $250,000 per year.
Luca Todesco, an Italian zero-day developer and former Forbes 30 Under 30 honoree, tweeted last year about “the worst result I’ve seen doing my job” after seeing iPhone hacks being used to monitor the Uyghur community, a minority persecuted by the Chinese government.
In direct messages on Twitter, Todesco denied ever selling any code that ended up in the attacks, but said he openly shared his findings with several anonymous people. He claimed he did not know how or why his code ended up being used in attacks on the Uyghur community, but added: “I would have avoided sharing if I had known.” He continues to develop exploits as part of a new Italian company he co-founded, Dataflow Security.
This kind of abuse is what recently worried Aaron Portnoy, a 36-year-old former executive who co-founded Exodus with Brown.
“It’s almost like I’m being exploited . . . I really felt like I was a tool being used for a bigger purpose that I really had no idea about,” says Portnoy, who now works at Randori, a Massachusetts-based cybersecurity company. “I don’t know if I would trust a particular administration to make all the choices I would make.”
But Exodus was right to cut India off, Moussouris says, and more of the burden of preventing abuse should fall on buyers. Brown says he has only ever had to cut off one other client, a French police department, after an Exodus hack it was using to target child predators on the dark web was revealed. “Anytime our data becomes available to the public, especially malicious actors, it is a breach of contract,” adds Brown.
Pedram Amini, Exodus advisor and founder of Zero Day Initiative, where Brown, Portnoy, and another Exodus co-founder previously worked, says the company’s record of severing ties with just two clients over a decade is impressive. Amini adds that he is happy with “the tightrope that Exodus walked” when vetting customers. “I wouldn’t be involved in this business at all if we were to work, for example, with the Saudis.”
Knowing that its zero-days can be used offensively, Brown’s company could have chosen not to sell to India, a country that has been accused of spyware abuse in recent revelations about the global use of tools made by the Israeli group NSO, valued at $1 billion.