A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, has signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses.
The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by establishing guiding principles and policy options for States, industry, and civil society in relation to the development, facilitation, purchase, and use of such tools.
The declaration stated that "uncontrolled dissemination" of spyware offerings contributes to "unintentional escalation in cyberspace," noting it poses risks to cyber stability, human rights, national security, and digital security.
"Where these tools are used maliciously, attacks can access victims' devices, listen to calls, obtain photos and remotely operate a camera and microphone via 'zero-click' spyware, meaning no user interaction is needed," the U.K. government said in a press release.
According to the National Cyber Security Centre (NCSC), thousands of individuals are estimated to have been globally targeted by spyware campaigns every year.
"And as the commercial market for these tools grows, so too will the number and severity of cyber attacks compromising our devices and our digital systems, causing increasingly expensive damage and making it more challenging than ever for our cyber defenses to protect public institutions and services," Deputy Prime Minister Oliver Dowden said at the U.K.-France Cyber Proliferation conference.
Notably missing from the list of countries that participated in the event is Israel, which is home to a number of private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa (Cytrox), NSO Group, and QuaDream.
Recorded Future News reported that Hungary, Mexico, Spain, and Thailand – which have been linked to spyware abuses in the past – did not sign the pledge.
The multi-stakeholder action coincides with an announcement by the U.S. Department of State to deny visas for individuals that it deems to be involved with the misuse of dangerous spyware technology.
"Until recently, a lack of accountability has enabled the spyware industry to proliferate dangerous surveillance tools around the world," Google said in a statement shared with The Hacker News. "Limiting spyware vendors' ability to operate in the U.S. helps to change the incentive structure which has allowed their continued growth."
On the one hand, spyware such as Chrysaor and Pegasus is licensed to government customers for use in law enforcement and counterterrorism. On the other hand, it has also been routinely abused by oppressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents, and other civil society members.
Such intrusions typically leverage zero-click (or one-click) exploits to surreptitiously deliver the surveillanceware onto the targets' Google Android and Apple iOS devices with the goal of harvesting sensitive information.
That said, ongoing efforts to combat and contain the spyware ecosystem have been something of a whack-a-mole, underscoring the challenge of fending off recurring and lesser-known players who provide or come up with similar cyber weapons.
This also extends to the fact that CSVs keep investing in new exploit chains as companies like Apple, Google, and others discover and patch the zero-day vulnerabilities their existing chains depend on.
"As long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetrating an industry that harms high risk users and society at large," Google's Threat Analysis Group (TAG) said.
An extensive report published by TAG this week revealed that the company is tracking roughly 40 commercial spyware companies that sell their products to government agencies, with 11 of them linked to the exploitation of 74 zero-days in Google Chrome (24), Android (20), iOS (16), Windows (6), Adobe (2), and Mozilla Firefox (1) over the past decade.
Unknown state-sponsored actors, for example, exploited three iOS flaws (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409) as zero-days last year to infect victims with spyware developed by Barcelona-based Variston. The flaws were patched by Apple in April and May 2023.
The campaign, discovered in March 2023, delivered a link via SMS and targeted iPhones located in Indonesia running iOS versions 16.3.0 and 16.3.1 with an aim to deploy the BridgeHead spyware implant via the Heliconia exploitation framework. Also weaponized by Variston is a high-severity security shortcoming in Qualcomm chips (CVE-2023-33063) that first came to light in October 2023.
The complete list of zero-day vulnerabilities in Apple iOS and Google Chrome that were discovered in 2023 and have been tied to specific spyware vendors is as follows:

| Zero-day Exploit | Associated Spyware Vendor |
| --- | --- |
| CVE-2023-28205 and CVE-2023-28206 (Apple iOS) | Variston (BridgeHead) |
| CVE-2023-2033 (Google Chrome) | Intellexa/Cytrox (Predator) |
| CVE-2023-2136 (Google Chrome) | Intellexa/Cytrox (Predator) |
| CVE-2023-32409 (Apple iOS) | Variston (BridgeHead) |
| CVE-2023-3079 (Google Chrome) | Intellexa/Cytrox (Predator) |
| CVE-2023-41061 and CVE-2023-41064 (Apple iOS) | NSO Group (Pegasus) |
| CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 (Apple iOS) | Intellexa/Cytrox (Predator) |
| CVE-2023-5217 (Google Chrome) | Candiru (DevilsTongue) |
| CVE-2023-4211 (Arm Mali GPU) | Cy4Gate (Epeius) |
| CVE-2023-33063 (Qualcomm Adreno GPU) | Variston (BridgeHead) |
| CVE-2023-33106 and CVE-2023-33107 (Qualcomm Adreno GPU) | Cy4Gate (Epeius) |
| CVE-2023-42916 and CVE-2023-42917 (Apple iOS) | PARS Defense |
| CVE-2023-7024 (Google Chrome) | NSO Group (Pegasus) |
"Private sector firms have been involved in discovering and selling exploits for many years, but the rise of turnkey espionage solutions is a newer phenomenon," the tech giant said.
"CSVs operate with deep technical expertise to offer 'pay-to-play' tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual's device."