by Larry Loeb

FinFisher is a suite of surveillance tools that has achieved notoriety for its use by repressive regimes and rogue states to spy on their citizens and civil rights organizations.

Security firm ESET has now found evidence for the first time that an ISP colluded with third parties to enable this surveillance software.

FinFisher features a wide range of capabilities for spying on users, including, among others, live surveillance through webcams and microphones, keylogging, and the exfiltration of files.

The first way that FinFisher infected victims was fairly typical of malware tricks and often exploited local browser vulnerabilities.

The arsenal included zero-day exploits, spear-phishing emails, drive-by downloads when users navigated to hacked sites, as well as directly installing the malware if physical access could be made to target's device.

Some of that still happens. Earlier this month, a spearphishing campaign targeting Russian users was launched which leveraged an Office 365 zero-day to distribute the malware.

Now ESET has found a totally different FinFisher distribution method. In two countries (which they would not directly name) researchers detected that web links to some popular software packages like WhatsApp, Skype and VLC Player had been poisoned on a direct basis. But, as Filip Kafka points out on the ESET blog: “It is important to note that virtually any application could be misused in this way.”

When a targeted user attempted to download the software, they were redirected to a poisoned site that would change the file downloaded from a legitimate copy to one that contained FinFisher.

The method to do this was a HTTP 307 temporary redirect command, one that does announce itself to the user. That means that the target has no idea they have been bamboozled.

This is a Man-in-the Middle (MitM) kind of operation. In it, the threat actor changes both navigation and results to what they want. ESET noted that the technical sophistication observed in this case indicates a high-level MitM operation, rather than a lower-level approach such as hijacking a public WiFi hub.

Firstly, it was already known from files on WikiLeaks that a FinFisher component called “FinFly ISP” existed. This indicates that ISP-level of compromises were possible from FinFisher, since the component software to handle them had already been written. But such a deployment has never been seen before, even though the component existed.

Second, this particular infection technique was implemented in the very same manner in both of the countries that ESET found it. They conclude that this commonality of implementation is very unlikely unless it was developed or provided by the same source. That source would be the FinFly ISP component.

Thirdly, all affected targets seen by ESET within a country were using the very same ISP. This means if an ISP would do it once, they could easily do it many times.

Awareness that an ISP used at work, at home or on the road can be potentially turned against you is the first important step. Avoiding potential exposure through an ISP requires a mix of measures.

A basic step would be masking or proxying your true IP address, since exploit kits like FinFisher will be looking for one specific address to put the hook in. By hiding or masking the IP address associated with your account, you make it harder to directly zoom in on it.

A way to completely remove the ISP attack vector is remote browser isolation. This solution shifts all browser activity offsite, to a centrally managed “disposable” browser in a secure cloud container with its own - temporarily assigned - IP number.

The advantage of this approach is that it keeps your endpoint’s IP number non-public, by disconnecting it from the web. An encrypted connection prevents your ISP from snooping on you.

Since all web activities are handled by the remote browser, malware cannot get dropped on your computer in the first place. Such a solution would also prevent any ISP-induced software from functioning.

Indeed, a secure remote browser will self-destruct at the end of each web session, deleting any code or cookies that a website may have passed on to you. This will further stymie any attempts to track or attack.

FinFisher is one more example that shows how much aggressive surveillance and invasions of privacy using web exploits have become the norm, a reality without borders that we have to reckon with.

In the U.S., individuals and organizations, such as businesses, think tanks or non-profits, usually access the web through two or three large ISPs.

This can make targeting them for surveillance and economic espionage (such as IP theft) easier. ISPs used to go online from hotel or airport WiFi hotspots while traveling add to the risk.

The tools we choose to protect our data should be able to neutralize threats like FinFisher - including future ones working through the ISP infrastructure - before they can even reach the endpoint.


Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for IBM's SecurityIntelligence as well as Security Now.