Share this page!

J. A. Guerrero-Saade Profile picture
Twitter logo
15 Oct, 12 tweets, 3 min read
Tbh, when I tweeted out the story about VPNs getting consolidated under a shady company with a reputation for malware/adware distribution, I didn't expect that it would get that big of a response. Since folks are interested, I wanted to discuss my biggest issue w this... #Thread
Sure, shady monetization schemes w ads are the bulk of the business model but it doesn't take into account the targeted espionage concern. Ad networks are fantastically positioned to profile internet users to an impressive level of granularity but they're limited–
For a determined adversary with control or influence over an ad network, you might have access to selectively injecting iframes or malicious ads in the hopes of hitting that one precious target. But a VPN introduces a much smoother avenue of attack.
The combo of malicious ad-network+VPN-provider means that not only can they profile specific users but they can also shape their traffic. And that's where the real magic enters the picture as 'TNI'!
'Tactical network injection', as some 'lawful intercept' companies dub it, is one of the holy grails of mid-tier state espionage. The idea is that (by being on the same network or via an appliance in attacker-controlled ISP) the attackers can trojanize executables in flight.
Scenario 1: User downloads Skype installer from the Skype website, attacker has set a rule for this, gets in the middle of that connection and keeps it alive, downloads the skype installer, trojanizes it with their backdoor, then serves the installer to the user.
Sure, the hash is wrong, the signature is either replaced or missing, but the victim got the installer they wanted from the legitimate website they visited so suspicions are low, and the target is infected.
These capabilities were developed and sold by HackingTeam and FinFisher among many others. Here's a recent example–
citizenlab.ca/2018/03/bad-tr…
The limitations of TNI solutions are obvious. A 'mobile' setup (a laptop w fancy network cards etc) is limited to proximity to a shared wifi network. The more expensive appliance requires access to a compliant ISP and that the victim be a customer of that ISP (region limited).
How would you go about using this technology for targets of interest that live somewhere else? Fly people there each time(RU)? Break into a foreign ISP with a big box(US)?...or you could own and proselytize the use of attacker VPN services in the regions you're interested in?
Think about it... it's not only cheaper, people are paying you to run this, you also make ad revenue, you can sell their data, AND.. you can occasionally serve some other shady interest by infecting some unsuspecting customer.
There's always been an expectation that this was happening, particularly with VPNs in the Middle East. How about a VPN monopoly? /rant

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with J. A. Guerrero-Saade

J. A. Guerrero-Saade Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @juanandres_gs

J. A. Guerrero-Saade Profile picture
2 Oct
It's awesome to see analysis of Lamberts and Equation Group tools. They're some of the most noteworthy findings in the short history of Cyber Threat Intelligence and we're doing a disservice by collectively ignoring their existence. Great work @runasand and @patrickwardle!
If you missed it, I'm sure the video will be up in the near future. In the meantime, here's Runa's blog on Green Lambert OS X
objective-see.com/blog/blog_0x68…
For additional (non-MacOS) background, here's an overview of the color-coded constellation of the Lambert's toolkit up to a point–
securelist.com/unraveling-the…
Read 7 tweets
J. A. Guerrero-Saade Profile picture
24 Aug
There are three things you don't want to see made– laws, sausages, and threat intelligence.

Frankly, I'm bummed out at the framing of this issue. It adds fuel to the air-quote 'privacy' debate that keeps eating away at our ability to do security research, as in the case of GDPR.
I've played with Augury before. Netflow can be useful. But for the most part it's spotty, incomplete, and inconclusive. You don't turn into a SIGINT agency because you have visibility into a few hops along a path for a sliver of time. Internet routing doesn't work that way.
You're seeing points connecting to other points at a given time. If the connection is routed a different way, if it takes a hop you don't have access to, if any number of factors changes the connective tissue of the internet, you don't see anything.
Read 7 tweets
J. A. Guerrero-Saade Profile picture
23 Aug
When researching MeteorExpress, I couldn't have guessed the direction the discussion would take. Let's take a minute to evaluate these different claims– Indra, non-state-sponsored, MBC, SEA... (thread)
(1)Let's dispense with the patently brittle claims– just because a ransomware group claims they perpetrated an attack doesn't make a credibly claim... looking at you DarkTracer.
(2)Subsequent claims that it's related to SEA are using a reference so outdated as to be meaningless. Additionally, SEA was a pro-regime group so nothing about this adds up other than a vague Syria connection.
Read 9 tweets
J. A. Guerrero-Saade Profile picture
22 Jul
Alright, let's add some substance to this Pegasus discussion. Contrary to what you might read, research into NSO has been going on for years and has involved a lot of great research groups (@citizenlab, @kaspersky, @Lookout, to name a few). It has also included leaks.
Folks are speculating about how we might know about the targets of Pegasus customers. NSO simultaneously claims that they don't know their customers targets but at the same time they know that none of the @AmnestyTech infections are real. Two obviously incompatible statements.
Assuming NSO doesn't have access to their customers targets, a list of targets of interest would have to come from a structural fault in the agent/exploit delivery infrastructure that NSO uses. We have a high-level view of how that system is architected.
Read 17 tweets
J. A. Guerrero-Saade Profile picture
22 Jul
The new cybertruthers have come out the play.
Please beware the false parity of 'experts'. Random technical ppl aren't sources on difficult threat intel topics. Open speculation isn't substantiation for denials ('More details plz'). And neither is technical solipsism ('Everything can be faked! I'd do better than this!').
This uncoordinated flailing is being used to substantiate state interests that would rather not have the spotlight shined on them. We'll all do well to display sound judgement.
Read 4 tweets
J. A. Guerrero-Saade Profile picture
18 Jul
As to NSO’s blanket denial of having any access to how their customers use their software, that’s not entirely true by design —they manage the exploit delivery infrastructure for their clients. This is a hard-earned lesson from the HackingTeam days—
HT had a lot of woes attempting to idiotproof their payload building and exploit delivery process. The former was characterized by a prompt urging operators NOT to upload to VT (aimed primarily at dim Saudi operators). Exploits were handled more carefully via support portal—
The support portal required a backdoor created with the HT masternode and a lure document of the customer’s choosing. HT would create the exploit-laced file and host it via a one-time link that the operators could deliver in the method of their choosing.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @juanandres_gs has new unrolls!

Check out other threads from @juanandres_gs!

Read all threads by @juanandres_gs

:(