NoGoolag
We filed a criminal complaint: Prosecutor launches investigation into FinFisher for illegal export of state spyware

The state spyware FinFisher is developed in Munich and sold all over the world. The company needs approval for exports, but the German government has never granted that. Together with other NGOs, we have filed a criminal complaint. Customs is investigating; the crime is punishable by a prison sentence of up to five years.

Bahrain, Egypt, Ethiopia: Dictatorships around the world rely on surveillance technology „made in Germany“. The state spyware FinFisher or FinSpy is developed in Munich and sold to police and secret services in dozens of countries, including the German Federal Police.

To export such malware, FinFisher needs a license in accord with German and European law. However, the German Government has never issued one. Export without a license is a criminal offense. Thus we have filed a criminal complaint against the responsible companies and their managing directors.

Together with the Society for Civil Rights, Reporters without Borders and the European Center for Constitutional and Human Rights, we wrote a 21-page criminal complaint and an eight-page technical appendix, which we submitted to the public prosecutor’s office in Munich on July 5. Now they are investigating.

Our accusations are being taken seriously: The case was escalated directly to the Federal Customs Criminal Investigation Office, which is responsible for violations of the Foreign Trade and Payments Act.

From Munich via Turkey to prison?

Our principal case is Turkey. After the 2016 coup d’état attempt, the Turkish government arrested more than 77,000 people, including 34 journalists. A broad coalition of civil resistance organized against this repression, including the 2017 March for Justice.

During that time, a website „Walk for justice“ appeared, which offered an Android app to help organize the protest movement. This website was advertised on social media. But the app, which is still available today, is a camouflaged state spyware. After installation, it takes complete control of the device, monitors communication and extracts data.

In a detailed technical analysis and a technical appendix we prove that this Turkish state spyware is the German product FinFisher/FinSpy. We then analyze the company structure of FinFisher and suspicious individuals.

We are certain: FinFisher is developed in Munich and FinFisher was sold to Turkey without permission. That is a crime, punishable by a prison sentence up to five years. We hope that the authorities investigate extensively and confirm our accusations.

Until then, German authorities should stop using tools for dictators themselves and stop subsidizing such companies with taxpayers‘ money.

The legal documents are available in English as PDF and in German as HTML.

👉🏼 PDF:
https://cdn.netzpolitik.org/wp-upload/2019/09/2019-07-05_FinFisher_Criminal-Complaint_ENG.pdf

https://netzpolitik.org/2019/we-filed-a-criminal-complaint-prosecutor-launches-investigation-into-finfisher-for-illegal-export-of-state-spyware/

#FinFisher #FinSpy #spyware #CriminalComplaint #investigation #crime #StateTrojan #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES

CCC analyses Munich's state trojan FinSpy

The technical #analysis of copies of the #FinSpy #malware substantiates the reasons for the criminal complaint against the Munich manufacturer of the #StateTrojan. The #CCC publishes its report as well as several variants of FinSpy and a complete documentation of the analysis.

#Security researchers of the Chaos Computer Club (CCC) have analyzed a total of 28 copies of the #spy-#software FinSpy for #Android from 2012 to 2019. The main focus of the investigation was the origin of the malware and the date of its production. The reason for the investigation is the criminal complaint of the Gesellschaft für Freiheitsrechte (GFF) and other organizations against the German group of companies #FinFisher because of the deliberate violation of licensing requirements for dual-use software according to § 18 para. 2 No. 1 and § 18 para. 5 No. 1 Foreign Trade Act (AWG).

The CCC today publishes its comprehensive report: Evolution of a private sector malware for governmental players

💡 The result of the analysis is that a copy of malware, which according to the GFF was used against the Turkish opposition movement in 2016, was clearly created after the EU export control regulations for surveillance software came into force.

💡 By comparing it with over twenty other copies from a seven-year period, the CCC shows continuity in the further development into which this copy fits. This is seen as a strong indication that it is a variant of the state Trojan "FinSpy". FinSpy is a product of the FinFisher group of companies, which has branches in Munich and elsewhere.

💡 In its report, the CCC also documents references to German-speaking developers that can be found in the source code.

"Our analysis shows that surveillance software originally from Germany was apparently used against democratic dissidents," said Linus Neumann, one of the authors of the analysis. "How this could have come about, the public prosecutor's office and the customs criminal office must now clarify."

https://github.com/linuzifer/FinSpy-Dokumentation

https://github.com/devio/FinSpy-Tools

👉🏼 Read more:
https://www.ccc.de/de/updates/2019/finspy

📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv

Hacking Team Founder: ‘Hacking Team is Dead’

The founder and former CEO of the infamous surveillance technology company Hacking Team wrote a bizarre obituary for his old company on its official LinkedIn account.

David Vincenzetti posted a short message saying “Hacking Team is dead” on Tuesday, more than a year after the Italian company was acquired by another cybersecurity firm and rebranded as Memento Labs. As Motherboard reported earlier this year, Memento Labs is struggling to take off after several key Hacking Team employees have left, slowing down the development of new products that it would need to compete with companies such as NSO Group.

https://www.thinkingport.com/2020/05/26/news-94365/

https://t3n.de/news/spionagesoftware-hacking-team-tot-1284946

#HackingTeam #MementoLabs #nso #finfisher #surveillance #cybersecurity #Vincenzetti
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv

German State-Malware Company FinFisher Raided

The public prosecutor has searched multiple premises of the FinFisher company group in Munich and Romania. They are suspected of having exported state malware without the required authorization. The investigations follow a criminal complaint we filed together with other NGOs.

Law enforcement agencies conducted a large-scale raid of the German state malware company group FinFisher last week. The customs authorities are investigating the suspicion „that software may have been exported without the required export license from the Federal Office of Economics and Export Control“.

The raids follow our criminal complaint, which we have written and submitted together with the Society for Freedom Rights, Reporters Without Borders and the European Center for Constitutional and Human Rights.

15 objects

A spokesperson of the responsible public prosecutor’s office in Munich comments:

"In co-operation with the Customs Investigation Bureau and supported by further prosecution authorities the public prosecutor’s office Munich I searched 15 objects (business premises and private apartments) around Munich and an enterprise from the entrepreneurial group in Romania on 06.10.2020. The search lasted until the evening of 08.10.2020."

"Investigations are still being conducted against managing directors and employees of FinFisher GmbH and at least two other companies on suspicion of violation of the Foreign Trade and Payments Act. The investigations were started in summer 2019 on the basis of criminal charges."

3 days

FinFisher advertises its state malware as „complete IT intrusion portfolio“; both German federal police and Berlin police have purchased the powerful surveillance tool. Variants of the FinFisher suite have been found in dictatorships like Ethiopia and Bahrain, or more recently again in Egypt.

In summer 2017 a FinFisher sample was discovered in Turkey. The authors of the criminal complaint assume that FinFisher is developed and produced in Munich. If true, the group of companies needs an export license, which the German government has not issued. An export without a license would be a criminal offense.

FinFisher denies these accusations. In a statutory declaration, the CEO states:

"FinFisher GmbH has at no time sold or distributed the FinFisher software in Turkey. Against this background, FinFisher GmbH has at no time violated export regulations of the Federal Republic of Germany or the EU."

👀 👉🏼 https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/

👀 👉🏼 This is a translation of our original German reporting.

#german #statemalware #FinFisher #raid
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag

FinSpy: unseen findings

FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.

Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time.

We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities.

The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.

https://securelist.com/finspy-unseen-findings/104322/


#FinSpy #FinFisher #Wingbird #surveillance #malware #trojan