Meta warns: iOS, Android and Windows devices targeted by spyware companies

admin, 2024-02-21 23:38:18

Meta Platforms said it took a series of steps to curtail malicious activity from eight different firms based in Italy, Spain, and the United Arab Emirates (U.A.E.) operating in the surveillance-for-hire industry.

The findings are part of its Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices.

"Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media, and messaging apps, and enable microphone, camera, and screenshot functionality," the company said.

The eight companies are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.

Specifically, a network of fictitious personas linked to RCS Labs, which is owned by Cy4Gate, is said to have tricked users into providing their phone numbers and email addresses, and into clicking on bogus links used for reconnaissance of the targets.

Another set of now-removed Facebook and Instagram accounts associated with Spanish spyware vendor Variston IT was employed for exploit development and testing, including sharing of malicious links. Last week, reports emerged that the company is shutting down its operations.

Meta also said it identified accounts used by Negg Group to test the delivery of its spyware, and accounts used by Mollitiam Industries, a Spanish firm that advertises a data collection service and spyware targeting Windows, macOS, and Android, to scrape public information.

Elsewhere, the social media giant took action against networks from Myanmar and Ukraine exhibiting coordinated inauthentic behavior (CIB), removing over 2,000 accounts, Pages, and Groups from Facebook and Instagram.

While one cluster targeted U.S. audiences with content critical of U.S. foreign policy towards Taiwan and Israel and of U.S. support for Ukraine, the network originating from Myanmar targeted that country's own residents with original articles that praised the Burmese army and disparaged the ethnic armed organizations and minority groups.

The third cluster is notable for its use of fake Pages and Groups to post content that supported Ukrainian politician Viktor Razvadovskyi, while also sharing "supportive commentary about the current government and critical commentary about the opposition" in Kazakhstan.

The development comes as a coalition of governments and tech companies, including Meta, signed an agreement to curb the use of commercial spyware to commit human rights abuses.

As countermeasures, the company has introduced new hardening features, such as enabling Control Flow Integrity (CFI) in Messenger for Android and VoIP memory isolation in WhatsApp, in an effort to make exploitation harder and reduce the overall attack surface.

That said, the surveillance industry continues to thrive in myriad, unexpected forms. Last month, 404 Media — building off prior research from the Irish Council for Civil Liberties (ICCL) in November 2023 — unmasked a surveillance tool called Patternz that leverages real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.

"Patternz allows national security agencies to utilize real-time and historical user advertising generated data to detect, monitor and predict users' actions, security threats and anomalies based on users' behavior, location patterns and mobile usage characteristics," ISA, the Israeli company behind the product, claimed on its website.

Then last week, Enea took the wraps off a previously unknown mobile network attack known as MMS Fingerprint that is alleged to have been used by Pegasus maker NSO Group. The technique is mentioned in a 2015 contract between the company and the telecom regulator of Ghana.

While the exact method used remains something of a mystery, the Swedish telecom security firm suspects it likely involves MM1_notification.REQ, an MMS notification delivered as a binary (WAP Push) SMS that tells the recipient device an MMS is waiting for retrieval from the Multimedia Messaging Service Center (MMSC).

The MMS is then fetched by means of MM1_retrieve.REQ and MM1_retrieve.RES, the former being an HTTP GET request to the URL contained in the MM1_notification.REQ message.

What is notable about this approach is that device information, namely the MMS User-Agent (distinct from a web browser's User-Agent string) and the x-wap-profile header, is embedded in that GET request and so reaches whoever operates the URL, effectively acting as a device fingerprint.

"The (MMS) User-Agent is a string that typically identifies the OS and device," Enea said. "x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset."

A threat actor looking to deploy spyware could use this information to select exploits for specific vulnerabilities, tailor malicious payloads to the target device, or craft more convincing phishing campaigns. That said, there is no evidence that this technique has been exploited in the wild in recent months.
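The HTTP leg of the retrieval described above, modelled as an added example (not code from the original article, from Enea, or from any MMSC implementation): the handset turns the URL in an MM1_notification.REQ into an MM1_retrieve.REQ HTTP GET carrying the MMS User-Agent and X-Wap-Profile headers, and whoever serves that URL can read those two headers as a fingerprint. It also includes the check a carrier or device defender would want: whether the notification's content location points off the operator's own MMSC. All hostnames, header values and the trusted-host set are constructed sample data, not captured traffic.

```python
"""Model of the MMS retrieval fingerprint path (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed sample values; none of these are real carrier or device strings.
SAMPLE_URL = "http://mmsc.example.net/mms/wapenc?id=abc123"
SAMPLE_UA = "ExampleHandset/1.0 MMS/1.2"
SAMPLE_PROFILE = "http://uaprof.example.net/handset-x1.xml"
TRUSTED_MMSC_HOSTS = {"mmsc.example.net"}


def build_retrieve_request(content_location: str, user_agent: str, wap_profile: str) -> bytes:
    """Model the MM1_retrieve.REQ a handset sends: a plain HTTP/1.1 GET to the
    content location taken from the notification, carrying the MMS User-Agent
    and X-Wap-Profile headers named in the article. The exact header set a
    real handset sends varies by vendor; this is the minimal assumed shape."""
    parts = urlsplit(content_location)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {parts.netloc}",
        f"User-Agent: {user_agent}",
        f"X-Wap-Profile: {wap_profile}",
        "Accept: application/vnd.wap.mms-message",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def extract_fingerprint(raw_request: bytes) -> dict:
    """Server side: parse the request line and headers and pull out the two
    device-identifying fields. Header names are matched case-insensitively,
    as HTTP requires, so 'x-wap-profile' and 'X-Wap-Profile' both match."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "request_line": request_line,
        "user_agent": headers.get("user-agent"),
        "wap_profile": headers.get("x-wap-profile"),
    }


def notification_points_off_carrier(content_location: str, carrier_mmsc_hosts: set) -> bool:
    """Defender check: a notification whose content location is not on the
    carrier's own MMSC would make the handset fetch from, and fingerprint
    itself to, a third-party host. Returns True when the host is untrusted."""
    host = (urlsplit(content_location).hostname or "").lower()
    return host not in carrier_mmsc_hosts


if __name__ == "__main__":
    request = build_retrieve_request(SAMPLE_URL, SAMPLE_UA, SAMPLE_PROFILE)
    print(extract_fingerprint(request))
    print(notification_points_off_carrier("http://evil.example.org/m", TRUSTED_MMSC_HOSTS))
```

The check in `notification_points_off_carrier` is the practical signal: the fingerprinting only works if the handset can be made to retrieve from a host the attacker controls, so an MMS notification whose content location is not the operator's MMSC is the thing to alert on, whether on the SMSC side or in an on-device filter.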

Originally published by the WeChat official account 知机安全: Meta warns: iOS, Android and Windows devices targeted by spyware companies

Published by admin on 2024-02-21 23:38:18. Reprints should keep the source link (CN-SEC中文网): https://cn-sec.com/archives/2507798.html