American Malware Purveyor That Did Nothing To Limit Misuse Now Horrified To Find Gov't Of India M...




Another malware purveyor is shocked, SHOCKED to discover its products have been used to do Very Bad Things. Thomas Brewster has more details for Forbes. Here's the setup:

More digging by Kaspersky and others discovered who was actually behind these deployments. And the source wasn't some state-supported hackers or a malware purveyor with a malleable set of morals. No, the exploits -- which were deployed to indiscriminately target people in Pakistan and China -- were sold (in a way) to the government of India by an American firm, Exodus Intelligence.

Operating out of Austin, Texas, Exodus doesn't craft many exploits of its own, but rather provides access to information about known exploits, including where to obtain them, and how they can be utilized and leveraged.

Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide both information on a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook news feed of software vulnerabilities, sans exploits, for up to $250,000 a year. It’s marketed primarily as a tool for defenders, but customers can do what they want with the information on those Exodus zero days—ones that typically cover the most popular operating systems, from Windows to Google’s Android and Apple’s iOS.

The government of India chose to leverage this knowledge to indiscriminately assault Chinese and Pakistani entities in hopes of hitting targets of interest. That wasn't what Exodus Intelligence's info feed was designed to do. It's only what it ended up being used for. And now the CEO of Exodus is acting like a parent disappointed that a child has exceeded the boundaries he never bothered to set.

That feed is what India bought and likely weaponized, says 37-year-old Exodus CEO and cofounder Logan Brown. He tells Forbes that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed—allowing deep access to Microsoft’s operating system—and Indian government personnel or a contractor adapted it for malicious means. India was subsequently cut off from buying new zero-day research from his company in April, says Brown, and it has worked with Microsoft to patch the vulnerabilities. The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown says, adding, “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don't want any part of that.”

While it's great the CEO doesn't want any part of that, not placing limits on end users is always going to result in things like this. And while it's unlikely writing up a new ToS is going to deter customers from "shotgun blasting" people with the weaponry you've provided, it at least allows you to terminate contracts and access without having to engage in a bunch of costly litigation or fruitless negotiations.

And, if you're going to be in the business of selling exploits (or indirect access to exploits), you need to be way more proactive on the security front.

Whoops. That doesn't look good. But, in all fairness, even the NSA and CIA have seen their tech tools and exploits leaked, resulting in the infliction of misery worldwide by people a shade more malicious than the entities belatedly bemoaning the unplanned distribution of their digital secrets.

Speaking of belated, here's some regret from the cofounder of Exodus Intelligence, Aaron Portnoy.

[T]oday, the 36-year-old self-taught hacker, who dropped out of Northwestern to carve his own career in cybersecurity, worries that he never knew who had access to his code or how they used it. He now regrets relinquishing control over his zero days to salespeople. “It's almost like I was being taken advantage of . . . It felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,” says Portnoy, now plying his trade at Randori, a Massachusetts-based cybersecurity firm.

Sure, but not so concerning that Portnoy didn't leap from Exodus to defense contractor Raytheon, and from there to startup Boldend, which partnered with Raytheon to (and I'm directly quoting here) "accelerate cyber operations with greater force."

While it's great that Exodus has revoked the Indian government's access to its exploit feed, the larger problem remains. American companies are aiding and abetting mass surveillance, targeting of dissidents and activists, and other human rights abuses by neither being more selective about who they sell to nor placing limits on how their products are used. This puts them in the same shady neighborhood as overseas malware merchants like NSO Group and Hacking Team. Sooner or later, it's going to put them on the wrong end of UN sanctions or DOJ investigations. Until then, it appears it will be risky business as usual, making the United States home to plenty of proxy human rights violators.

Source: Techdirt
