NoGoolag
We filed a criminal complaint: Prosecutor launches investigation into FinFisher for illegal export of state spyware

The state spyware FinFisher is developed in Munich and sold all over the world. The company needs approval for exports, but the German government has never granted that. Together with other NGOs, we have filed a criminal complaint. Customs is investigating; the crime is punishable by a prison sentence of up to five years.

Bahrain, Egypt, Ethiopia: Dictatorships around the world rely on surveillance technology “made in Germany”. The state spyware FinFisher or FinSpy is developed in Munich and sold to police and secret services in dozens of countries, including the German Federal Police.

To export such malware, FinFisher needs a license in accord with German and European law. However, the German Government has never issued one. Export without a license is a criminal offense. Thus we have filed a criminal complaint against the responsible companies and their managing directors.

Together with the Society for Civil Rights, Reporters without Borders and the European Center for Constitutional and Human Rights, we wrote a 21-page criminal complaint and an eight-page technical appendix, which we submitted to the public prosecutor’s office in Munich on July 5. Now they are investigating.

Our accusations are being taken seriously: The case was escalated directly to the Federal Customs Criminal Investigation Office, which is responsible for violations of the Foreign Trade and Payments Act.

From Munich via Turkey to prison?

Our principal case is Turkey. After the 2016 coup d’état attempt, the Turkish government arrested more than 77,000 people, including 34 journalists. A broad coalition of civil resistance organized against this repression, including the 2017 March for Justice.

During that time, a website “Walk for justice” appeared, which offered an Android app to help organize the protest movement. This website was advertised on social media. But the app, which is still available today, is a camouflaged state spyware. After installation, it takes complete control of the device, monitors communication and extracts data.

In a detailed technical analysis and a technical appendix we prove that this Turkish state spyware is the German product FinFisher/FinSpy. We then analyze the company structure of FinFisher and suspicious individuals.

We are certain: FinFisher is developed in Munich and FinFisher was sold to Turkey without permission. That is a crime, punishable by a prison sentence of up to five years. We hope that the authorities investigate extensively and confirm our accusations.

Until then, German authorities should stop using tools for dictators themselves and stop subsidizing such companies with taxpayers' money.

The legal documents are available in English as PDF and in German as HTML.

👉🏼 PDF:
https://cdn.netzpolitik.org/wp-upload/2019/09/2019-07-05_FinFisher_Criminal-Complaint_ENG.pdf

https://netzpolitik.org/2019/we-filed-a-criminal-complaint-prosecutor-launches-investigation-into-finfisher-for-illegal-export-of-state-spyware/

#FinFisher #FinSpy #spyware #CriminalComplaint #investigation #crime #StateTrojan #pdf
CCC analyses Munich's state trojan FinSpy

The technical #analysis of copies of the #FinSpy #malware substantiates the reasons for the criminal complaint against the Munich manufacturer of the #StateTrojan. The #CCC publishes its report as well as several variants of FinSpy and a complete documentation of the analysis.

#Security researchers of the Chaos Computer Club (CCC) have analyzed a total of 28 copies of the #spy-#software FinSpy for #Android from 2012 to 2019. The main focus of the investigation was the origin of the malware and the date of its production. The reason for the investigation is the criminal complaint of the Gesellschaft für Freiheitsrechte (GFF) and other organizations against the German group of companies #FinFisher because of the deliberate violation of licensing requirements for dual-use software according to § 18 para. 2 No. 1 and § 18 para. 5 No. 1 Foreign Trade Act (AWG).

The CCC today publishes its comprehensive report: Evolution of a private sector malware for governmental players

💡 The result of the analysis is that a copy of malware, which according to the GFF was used against the Turkish opposition movement in 2016, was clearly created after the EU export control regulations for surveillance software came into force.

💡 By comparing it with over twenty other copies from a seven-year period, the CCC shows continuity in the further development into which this copy fits. This is seen as a strong indication that it is a variant of the state Trojan "FinSpy". FinSpy is a product of the FinFisher group of companies, which has branches in Munich and elsewhere.

💡 In its report, the CCC also documents references to German-speaking developers that can be found in the source code.

"Our analysis shows that surveillance software originally from Germany was apparently used against democratic dissidents," said Linus Neumann, one of the authors of the analysis. "How this could have come about, the public prosecutor's office and the customs criminal office must now clarify."

https://github.com/linuzifer/FinSpy-Dokumentation

https://github.com/devio/FinSpy-Tools

👉🏼 Read more:
https://www.ccc.de/de/updates/2019/finspy

German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed

FinSpy is a commercial spyware suite produced by the Munich-based company FinFisher GmbH. Since 2011 researchers have documented numerous cases of targeting of Human Rights Defenders (HRDs) - including activists, journalists, and dissidents - with the use of FinSpy in many countries, including Bahrain, Ethiopia, UAE, and more. Because of this, Amnesty International’s Security Lab tracks FinSpy usage and development as part of our continuous monitoring of digital threats to Human Rights Defenders.

Amnesty International published a report in March 2019 describing phishing attacks targeting Egyptian human rights defenders and media and civil society organizations staff carried out by an attacker group known as “NilePhish”. While continuing research into this group’s activity, we discovered it has distributed samples of FinSpy for Microsoft Windows through a fake Adobe Flash Player download website. Amnesty International has not documented human rights violations by NilePhish directly linked to FinFisher products.

Through additional technical investigations into this most recent variant, Amnesty’s Security Lab also discovered, exposed online by an unknown actor, new samples of FinSpy for Windows, Android, and previously undisclosed versions for Linux and MacOS computers.

https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/

#FinSpy #surveillance
FinSpy: unseen findings

FinSpy, also known as FinFisher or Wingbird, is an infamous surveillance toolset. Kaspersky has been tracking deployments of this spyware since 2011. Historically, its Windows implant was distributed through a single-stage installer. This version was detected and researched several times up to 2018. Since that year, we observed a decreasing detection rate of FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installers of legitimate applications, backdoored with a relatively small obfuscated downloader. We were unable to cluster those packages until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan.

Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit are publicly revealed in this article for the first time.

We decided to share some of our unseen findings about the actual state of FinSpy implants. We will cover not only the version for Windows, but also the Linux and macOS versions, since they have a lot of internal structure and code similarities.

The full details of this research, as well as future updates on FinSpy, are available to customers of the APT reporting service through our Threat Intelligence Portal.

https://securelist.com/finspy-unseen-findings/104322/


#FinSpy #FinFisher #Wingbird #surveillance #malware #trojan