American Malware Purveyor That Did Nothing To Limit Misuse Now Horrified To Find Gov't Of India Misused Its Products

from the who-could-possibly-have-seen-this-inevitable-outcome dept

Another malware purveyor is shocked, SHOCKED to discover its products have been used to do Very Bad Things. Thomas Brewster has more details for Forbes. Here’s the setup:

Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyberespionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. They began in June 2020 and continued through to April 2021. What piqued the researchers’ interest was the hacking software used by the digital spies, whom Kaspersky had dubbed Bitter APT, a pseudonym for an unspecified government agency. Aspects of the code looked like some the Moscow antivirus provider had previously seen and attributed to a company it gave the cryptonym “Moses.”

More digging by Kaspersky and others discovered who was actually behind these deployments. And the source wasn’t some state-supported hackers or a malware purveyor with a malleable set of morals. No, the exploits — which were deployed to indiscriminately target people in Pakistan and China — were sold (in a way) to the government of India by an American firm, Exodus Intelligence.

Operating out of Austin, Texas, Exodus doesn’t craft many exploits of its own, but rather provides access to information about known exploits, including where to obtain them, and how they can be utilized and leveraged.

Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide both information on a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook news feed of software vulnerabilities, sans exploits, for up to $250,000 a year. It’s marketed primarily as a tool for defenders, but customers can do what they want with the information on those Exodus zero days—ones that typically cover the most popular operating systems, from Windows to Google’s Android and Apple’s iOS.

The government of India chose to leverage this knowledge to indiscriminately assault Chinese and Pakistani entities in hopes of hitting targets of interest. That wasn’t what Exodus Intelligence’s info feed was designed to do. It’s only what it ended up being used for. And now the CEO of Exodus is acting like a parent disappointed that a child has exceeded the boundaries he never bothered to set.

That feed is what India bought and likely weaponized, says 37-year-old Exodus CEO and cofounder Logan Brown. He tells Forbes that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed—allowing deep access to Microsoft’s operating system—and Indian government personnel or a contractor adapted it for malicious means. India was subsequently cut off from buying new zero-day research from his company in April, says Brown, and it has worked with Microsoft to patch the vulnerabilities. The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown says, adding, “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don’t want any part of that.”

While it’s great the CEO doesn’t want any part of that, not placing limits on end users is always going to result in things like this. And while it’s unlikely writing up a new ToS is going to deter customers from “shotgun blasting” people with the weaponry you’ve provided, it at least allows you to terminate contracts and access without having to engage in a bunch of costly litigation or fruitless negotiations.

And, if you’re going to be in the business of selling exploits (or indirect access to exploits), you need to be way more proactive on the security front.

Brown is also now exploring whether or not its code has been leaked or abused by others. Beyond the two zero days already abused, according to Kaspersky, “at least six vulnerabilities” made by Moses have made it out “into the wild” in the last two years.

Whoops. That doesn’t look good. But, in all fairness, even the NSA and CIA have seen their tech tools and exploits leaked, resulting in the infliction of misery worldwide by people a shade more malicious than the entities belatedly bemoaning the unplanned distribution of their digital secrets.

Speaking of belated, here’s some regret from the cofounder of Exodus Intelligence, Aaron Portnoy.

[T]oday, the 36-year-old self-taught hacker, who dropped out of Northwestern to carve his own career in cybersecurity, worries that he never knew who had access to his code or how they used it. He now regrets relinquishing control over his zero days to salespeople. “It’s almost like I was being taken advantage of . . . It felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,” says Portnoy, now plying his trade at Randori, a Massachusetts-based cybersecurity firm.

Sure, but not so concerning that Portnoy didn’t leap from Exodus to defense contractor Raytheon, and from there to startup Boldend, which partnered with Raytheon to (and I’m directly quoting here) “accelerate cyber operations with greater force.”

While it’s great that Exodus has revoked the Indian government’s access to its exploit feed, the larger problem remains. American companies are aiding and abetting mass surveillance, targeting of dissidents and activists, and other human rights abuses by not being more selective of who they sell to or placing limits on how their products are used. This puts them in the same shady neighborhood as overseas malware merchants like NSO Group and Hacking Team. Sooner or later, it’s going to put them on the wrong end of UN sanctions or DOJ investigations. Until then, it appears it will be risky business as usual, making the United States home to plenty of proxy human rights violators.

Companies: exodus intelligence

Comments on “American Malware Purveyor That Did Nothing To Limit Misuse Now Horrified To Find Gov't Of India Misused Its Products”

Koby (profile) says:

Gray Hat Hacker

A number of companies have offered bounties for finding exploits in their software, but some of the dollar figures that I’ve seen look kind of piddly for finding a somewhat serious zero day. The paid news feed, at $250k per year per subscriber, seems to be earning a lot more than what a white hat hacker would get. It’s fascinating how mercenary this is, in that everyone concerned needs to pay for the information and then race to use it before it gets exploited or patched. Both sides get played off one another, for which Exodus can charge a lot of money, and also avoid liability. Personally, I doubt that Exodus doesn’t realize exactly what they’re doing.

ECA (profile) says:

Re: Gray Hat Hacker

Fun part is tracking your own programs, and maybe disabling them or the whole system.

Running someone else’s programs is a minefield, if you don’t have someone smart enough to eval and scan the program.

When we had 56k, you could tell when things were happening. After a full re-install of Windows, I tried a simple thing (I knew what would happen): jumped on the net, used Explorer and connected to MSN. Took 15 min before the computer settled down, downloading and installing all the adverts, bots, trackers, and viruses. The computer ran like a dog in rut. It just couldn’t run. Scanned it and WOW, 15 trackers, 4 viruses, and many bots on the system. Had to re-install, as the computer in the background WOULD NOT slow down to do anything else.

That same 15 min from the old days is now 0.10 seconds. Gives good reasoning to have MORE than 1 OS out in the wild. Even if you customize it to protect it.

Lostinlodos (profile) says:

Re: Gray Hat Hacker

But bounties suck. I know from experience. Finding holes and flaws gets most people a few hundred bucks. Solving them can boost you up to a few thousand.

The problem is “doing the right thing” isn’t paying the bills for many; most?
That’s a dangerous aspect of the grey hacks market, where people are already walking a very fine line of what’s actually legal and what’s acceptable.
When solving a catastrophic hole involves bending rules and ignoring law, you reach a point where the “dark side of the force” is already flowing through you.

If someone is willing to pay a million dollars crypto ransom, they should have paid a 10k bounty up front to find problems in the first place.

People like me, getting $50 here or $100 there…
I don’t agree with going black, but I get why they do.

Bobvious says:

Portnoy's Complaint (not that one)

Portnoy’s Complaint: A disorder in which strongly felt ethical and altruistic impulses are perpetually warring……

Speaking of belated, here’s some regret from the cofounder of Exodus Intelligence, Aaron Portnoy.

……worries that he never knew who had access to his code or how they used it. He now regrets relinquishing control over his zero days to salespeople. “It’s almost like I was being taken advantage of . . . It felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,”

tp (profile) says:

White hat is being duped by black hats...

If releasing software on the internet is dangerous for projects like 3d engines and 3d modelling, it must be a complete horror in the security/exploit area. The potential for misuse in those technologies is so great that it shows significant non-professional conduct from security researchers to get into a situation where their work is being misused around the world. They should have known it from the beginning, and they should have taken steps to deal with it before it actually happened. Preventing misuse is everyone’s responsibility; even normally innocent software can be misused for evil purposes. It just takes one mistake and it’ll cause tons of problems. It would be better if the exploits were not developed in the first place. (Cyber-)weapon manufacturers must know beforehand how powerful the tools they’re creating are, and they should build appropriate limits into the technology so that misuse is minimized. This needs to happen before letting the internet play with the tech.
