Google's Cyber Disruption Unit Kicks Its First Goal
Google's announcement last week that it had disrupted the world's largest residential proxy network, IPIDEA, was welcome news. These networks are key enablers of cybercrime, and Google's action will make a significant dent in the residential proxy ecosystem.
Residential proxy networks sell the ability to route traffic through home and business IP addresses so that attackers can evade IP blocklists. Traffic in these networks is routed through everything from compromised smart devices to home users' computers. Sometimes the home users actually opt in to joining these networks, willingly installing the enabling software to earn "passive income" from their spare bandwidth. Most of the time, however, device owners are unaware. The proxy functionality is preloaded on devices or inadvertently installed via malware or trojanized software.
When it comes to IPIDEA, one way it acquired proxies was to pay developers to embed its software into applications via malicious SDKs. These applications would then proxy traffic for IPIDEA in addition to carrying out their main function, typically without the knowledge or consent of end users.
Google says that IPIDEA was "overwhelmingly used by bad actors." In just a single week in January the company observed a "vast array" of more than 550 different threat actors using the service. It was a broad spectrum of activity covering espionage, crime, and information operations, with some of the threat actors linked to China, North Korea, Iran, and Russia.
Google also says that IPIDEA was involved in the BadBox2.0, Aisuru, and Kimwolf botnets. Here, its software played a "key role" in adding devices to the networks and was also used to control them.
So a worthy target for a dose of disruption, then.
Google's action had two separate arms. The first was technical analysis and sharing details about IPIDEA SDKs with platform providers, law enforcement, and research firms. Those SDKs are compatible with Android, Windows, iOS, and WebOS.
Google identified over 600 Android applications and more than 3,000 Windows executables that, based on the artifacts researchers analyzed, appeared to connect to the IPIDEA network. This analysis fed into the systems that Google uses to protect Android devices and the Play Store. Sharing this information means other platform owners will also be able to act against IPIDEA's proxy network.
That kind of in-depth analysis is Google's bread and butter.
The second part, however, involved complementary legal action. Google got court orders to take down domains used both to run IPIDEA's proxy network and to market the company's products.
Taken together, the court-authorized domain takedown actions hit IPIDEA's proxy network and hurt the company's marketing efforts. And the information sharing will make it difficult for IPIDEA to simply spin up new domains and rebrand. It will have to rework its SDKs to be able to fly under the radar. According to reporting from the Wall Street Journal, Google's actions "will knock more than nine million Android devices off IPIDEA's network."
The IPIDEA disruption appears to be one of the first operations of Google's new cyber disruption unit we wrote about late last year. It is great to see this unit kicking its first goal. Governments should encourage the private sector to take more of these actions.
The question is, what is the quickest, easiest way to make that happen?
Sezenah Seymour, author of a Center for Strategic & International Studies report on civil takedowns, told Seriously Risky Business that civil actions like these are a winner, and discussions about "hacking back" and letters of marque are "a distraction."
Seymour says governments should encourage more private-sector action as law enforcement struggles to contain cyber threats on its own. Rather than focusing on resolving the legal thicket that is government-authorized hacking, Seymour says that making civil takedowns more quickly and easily accessible is the right answer.
There is a process, and it works. The problem, Seymour says, is that "while criminals move in seconds, the legal process can take months." Even a company as well resourced as Google has conducted only a handful of takedowns over its history. Microsoft, several more. But still not enough.
Seymour's report recommends that Congress establish a new specialized court to deal with civil takedowns, but it also suggests several incremental steps that the executive branch could take to help court action move faster, such as streamlining processes and providing evidentiary templates.
We'd like to think that legal procedures can become faster while companies also become more aggressive about protecting their own products. We can even hope that Congress might pass some legislation!
While we wait, residential proxies are a scourge, and it is great that Google has taken a swipe at one of them.
More of this, please.
SpaceX Says Nyet to Russian Drones
Late last week, SpaceX deployed countermeasures to prevent Russian forces from using its Starlink satellite communication service to control long-range drones deep within Ukrainian territory.
The action illustrates how rapidly SpaceX can react, but only when it wants to. The company has a track record of allowing problems to fester.
In late January, the U.S.-based Institute of War think tank reported that the Russian military was using Starlink to control Molniya fixed-wing drones to carry out strikes deep within Ukrainian territory. Within the week, SpaceX placed a 75 km/h "speed limit" on Starlink terminals within Ukraine, effectively stopping service on fast-moving drones.
That's a wonderfully rapid response.
This countermeasure also prevents Ukrainian forces from using Starlink on fast-moving vehicles. So as a second step, Starlink will limit service to authorized terminals registered to Ukrainians.
These are good moves, but we're amazed that the allowlisting measure wasn't put in place far, far earlier.
In April 2024, the Wall Street Journal reported that black-market Starlink terminals were being sold in Russia and shipped to the front line for use by Russian forces. Starlink "stopped" Russian forces from using its service with a naive geoblock: Terminals on one side of the fence were assumed to be Ukrainian and therefore worked. Anything on the other side of the fence did not. It was an imperfect solution given the technology was being used by both sides on a front line that moved continuously.
The status quo was far from ideal but persisted for years, which is par for the course when Elon Musk is at the helm. He does things when an issue gets his attention or his hand is forced, rather than when they’re the right thing to do. For whatever reason, the Russian military using Starlink terminals for kinetic purposes upset him.
When it comes to folding under pressure, however, Musk also has form. We previously covered how Starlink provided an internet lifeline for Southeast Asian scam compounds until it was forced to act by the threat of a congressional investigation.
It's a pattern that repeats. Musk blinked in Brazil where X had refused to comply with a court order. He stood firm right up until a judge blocked X across the country and froze Starlink's financial assets. When that happened, he folded like a lawn chair.
Musk’s business interests are also coming under fire in France and the U.K. He'll buckle there, too, we think.
For regulators and governments, the lesson to be learned here is that when it comes to Musk's companies, you may occasionally get very rapid action if an issue attracts his attention. Otherwise, bring a big stick.
Three Reasons to Be Cheerful This Week:
- Better phone security: Last week, Google announced that a range of theft protection features will be rolled out to devices, depending on their specific Android version. Apple also announced that newer iPhones will support a feature to limit precise locations from cellular networks. It is good to see both major mobile operating system companies continuously and incrementally improving security.
- Firefox adds an AI killswitch: Mozilla has announced that Firefox will be getting an AI controls section that will be a single place to block current and future generative AI features in the browser. Yay for consumer choice.
- Arrested pentesters get a (small) payday: Dallas County in Iowa has been ordered to pay $600,000 for arresting two pentesters who were carrying out an authorized security assessment of a county courthouse. Ars Technica has more coverage.
Shorts
Less Regulation, Less Cooperation?
CyberScoop has pithily described National Cyber Director Sean Cairncross's cybersecurity agenda as "less regulation, more cooperation."
Philosophically, that’s fine. But CyberScoop also reported that Sen. Maria Cantwell (D-Wash.) has released a public letter calling on the CEOs of Verizon and AT&T to explain the Salt Typhoon breach and what the telcos have done to remediate it.
That breach is probably the most significant in U.S. telecommunications history, yet Congress still doesn't have a good account of what happened and how it is being fixed.
That doesn't strike us as very cooperative so far.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq discuss the recent Russian attack on Polish electricity infrastructure.
From Risky Bulletin:
Plone CMS stops supply chain attack: Plone, a Python-based content management system, avoided a supply chain attack at the start of this year.
A threat actor inserted malicious code in five of the organization's repositories, but the modifications were spotted before they made it to any official release.
The incident was traced back to a single developer's account.
The attacker managed to get their hands on the developer's GitHub personal access token and force-pushed the malicious code hidden after a lot of white space.
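The concealment trick described above, code pushed far to the right of a line behind a long run of whitespace so it never appears in a normal diff view, is cheap to catch in review tooling. The following is an added example written for this item, not code from Plone or from the attacker: a small scanner that flags any source line where two visible characters are separated by an unusually long run of horizontal whitespace (including Unicode spaces such as NBSP, which some editors render invisibly) and reports the column at which the hidden content begins. The sample source, the threshold of 80 columns and the function names are assumptions made for the example.

```python
"""Flag source lines that hide content behind a long run of whitespace.

Added example for the Plone item: the scanner reports where, on each suspicious
line, the hidden content begins so a reviewer can inspect it directly.
"""
import re
import sys

# Constructed sample resembling the concealment described in the incident:
# a normal-looking line whose real payload begins hundreds of columns to the right.
SAMPLE_SOURCE = (
    "import os\n"
    "\n"
    "def setup():\n"
    "    return True" + " " * 300 + "; print('hidden')\n"
    "\n"
    "print('done')\n"
)


def _gap_pattern(gap):
    # A visible character, then at least `gap` horizontal whitespace characters
    # ([^\S\n] = any Unicode whitespace except newline), then another visible one.
    return re.compile(r"\S([^\S\n]{%d,})\S" % gap)


def find_hidden_code(text, gap=80):
    """Return (line_no, column, hidden_text) for every suspicious line.

    `gap` (assumed threshold) is the minimum run of consecutive whitespace
    characters between two visible characters that we treat as an attempt to
    push content off-screen. Column numbers are 0-based.
    """
    pattern = _gap_pattern(gap)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = pattern.search(line)
        if match:
            col = match.end(1)  # first column of the hidden content
            findings.append((line_no, col, line[col:].strip()))
    return findings


def scan_file(path, gap=80):
    """Scan one file on disk; undecodable bytes are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_code(fh.read(), gap)


if __name__ == "__main__":
    # With file arguments: scan those files. Without: run on the built-in sample.
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            for line_no, col, hidden in scan_file(path):
                print(f"{path}:{line_no}: hidden content at column {col}: {hidden!r}")
    else:
        for line_no, col, hidden in find_hidden_code(SAMPLE_SOURCE):
            print(f"sample:{line_no}: hidden content at column {col}: {hidden!r}")
```

Run as a pre-commit or CI step over changed files; the threshold is deliberately generous so ordinary alignment whitespace does not trigger it, and a hit is a prompt for a human to look at the full line, not an automatic verdict. The scanner does not detect force-pushes themselves; that is a branch-protection setting on the hosting side.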
StopICE blames hack on "a CBP agent here in SoCal": StopICE, an app that lets Americans track the location of U.S. Immigration and Customs Enforcement (ICE) raids, has played down a recent security breach and claims to have linked the hack to "a personal server associated with a CBP agent here in SoCal."
Administrators said this wasn't the first time the same agent tried to hack or disrupt their systems.
The latest incident took place on Friday when users started receiving SMS alerts warning them to uninstall the app.
Individuals on Twitter claimed that hackers collected the app's user data and shared it with law enforcement agencies, including details such as names, logins, passwords, location data, and phone numbers.
eScan antivirus distributes backdoor in latest supply chain attack: Cybersecurity firm MicroWorld Technologies, the maker of the eScan antivirus, has fallen victim to a cyberattack after an unidentified threat actor breached its software update infrastructure and deployed malware to customer environments.
The incident took place on Jan. 20 and lasted for only about an hour, according to reports from rival security firms Morphisec and Kaspersky, both of which spotted the malware being delivered to customer systems.
