Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Dropzone. You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Google's announcement last week that it had disrupted the world's largest residential proxy network, IPIDEA, was welcome news. These networks are key enablers of cybercrime, and Google's action will make a significant dent in the residential proxy ecosystem.

Residential proxy networks sell the ability to route traffic through home and business IP addresses so attackers can evade IP blocklists. Traffic in these networks is routed through everything from compromised smart devices to home users' computers. Sometimes the home users actually opt in to joining these networks, willingly installing the enabling software to earn "passive income" from their spare bandwidth. Most of the time, however, device owners are unaware. The proxy functionality is pre-loaded on devices or inadvertently installed via malware or trojanised software.

When it comes to IPIDEA, one way it acquired proxies was to pay developers to embed its software into applications via malicious SDKs. These applications would then proxy traffic for IPIDEA in addition to carrying out their main function, typically without the knowledge or consent of end users.

Google says that IPIDEA was "overwhelmingly used by bad actors". In just a single week in January the company observed a "vast array" of more than 550 different threat actors using the service. It was a broad spectrum of activity covering espionage, crime and information operations, with some of the threat actors linked to China, North Korea, Iran and Russia.

Google also says that IPIDEA was involved in the BadBox 2.0, Aisuru and Kimwolf botnets. Here, its software played a "key role" in adding devices to the networks and was also used to control them.

So a worthy target for a dose of disruption, then.

Google's action had two separate arms. The first was technical analysis and sharing details about IPIDEA SDKs with platform providers, law enforcement and research firms. Those SDKs are compatible with Android, Windows, iOS and WebOS.

Google identified over 600 Android applications and more than 3,000 Windows executables that, based on the artefacts researchers analysed, appeared to connect to the IPIDEA network. This analysis fed into the systems that Google uses to protect Android devices and the Play Store. Sharing this information means other platform owners will also be able to act against IPIDEA's proxy network. That kind of in-depth analysis is Google's bread and butter.

The second part, however, involved complementary legal action. Google got court orders to take down domains used both to run IPIDEA's proxy network and to market the company's products.

Taken together, the court-authorised domain takedown actions hit IPIDEA's proxy network and hurt the company's marketing efforts. And the information sharing will make it difficult for IPIDEA to simply spin up new domains and rebrand. It will have to rework its SDKs to be able to fly under the radar. According to reporting from The Wall Street Journal, Google's actions "will knock more than nine million Android devices off IPIDEA's network".

The IPIDEA disruption appears to be one of the first operations of Google's new cyber disruption unit, which we wrote about late last year. It is great to see this unit kicking its first goal.

Governments should encourage the private sector to take more of these actions. The question is, what is the quickest, easiest way to make that happen?

Sezenah Seymour, author of a CSIS report on civil takedowns, told Seriously Risky Business that civil actions like these are a winner, and that discussions about "hacking back" and letters of marque are "a distraction". Seymour says governments should encourage more private sector action as law enforcement struggles to contain cyber threats on its own. Rather than focussing on resolving the legal thicket that is government-authorised hacking, Seymour says that making civil takedowns more quickly and easily accessible is the right answer. There is a process, and it works.
The problem, Seymour says, is that "while criminals move in seconds, the legal process can take months". Even a company as well-resourced as Google has only conducted a handful of takedowns over its history. Microsoft, several more. But still not enough.

Seymour's report recommends that Congress establish a new specialised court to deal with civil takedowns, but it also suggests several incremental steps that the executive branch could take to help court action move faster, such as streamlining processes and providing evidentiary templates.

We'd like to think that legal procedures can become faster while companies also become more aggressive about protecting their own products. We can even hope that Congress might pass some legislation! While we wait, residential proxies are a scourge and it is great that Google has taken a swipe at one of them. More of this, please.

SpaceX Says Nyet to Russian Drones

Late last week SpaceX deployed countermeasures to prevent Russian forces using its Starlink satellite communication service to control long-range drones deep within Ukrainian territory. The action illustrated how rapidly SpaceX can react, but only when it wants to. The company has a track record of allowing problems to fester.

In late January, the US-based Institute of War think tank reported that the Russian military was using Starlink to control Molniya fixed-wing drones to carry out strikes deep within Ukrainian territory. Within the week, SpaceX placed a 75 km/h "speed limit" on Starlink terminals within Ukraine, effectively stopping service on fast-moving drones. That's a wonderfully rapid response.

This countermeasure also prevents Ukrainian forces from using Starlink on fast-moving vehicles. So as a second step, Starlink will limit service to authorised terminals registered to Ukrainians. These are good moves, but we're amazed that the allowlisting measure wasn't put in place far, far earlier.

In April of 2024 The Wall Street Journal reported that black market Starlink terminals were being sold in Russia and shipped to the front line for use by Russian forces. Starlink "stopped" Russian forces using its service with a naive geoblock: terminals on one side of the fence were assumed to be Ukrainian and therefore worked. Anything on the other side of the fence did not. It was an imperfect solution given the technology was being used by both sides on a front line that continuously moved.

The status quo was far from ideal but persisted for years, which is par for the course when Elon Musk is at the helm. He does things when an issue gets his attention or his hand is forced, rather than when they're the right thing to do. For whatever reason, the Russian military using Starlink terminals for kinetic purposes upset him.

When it comes to folding under pressure, however, Musk also has form. We previously covered how Starlink provided an internet lifeline for Southeast Asian scam compounds until it was forced to act by the threat of a Congressional investigation.

It's a pattern that repeats. Musk blinked in Brazil where X had refused to comply with a court order. He stood firm right up until a judge blocked X across the country and froze Starlink's financial assets. When that happened he folded like a lawn chair. His business interests are also coming under fire in France and the UK. He'll buckle there, too, we think.

For regulators and governments, the lesson to be learned here is that when it comes to Musk's companies, you may occasionally get very rapid action if an issue attracts his attention. Otherwise, bring a big stick.

Three Reasons to Be Cheerful This Week:

- Better phone security: Last week Google announced that a range of theft protection features will be rolled out to devices, depending on their specific Android version. Apple also announced that newer iPhones will support a feature to limit precise locations from cellular networks. It is good to see both major mobile operating system companies continuously and incrementally improving security.
- Firefox adds an AI killswitch: Mozilla has announced that Firefox will be getting an AI controls section that will be a single place to block current and future generative AI features in the browser. Yay for consumer choice.
- Arrested pentesters get a (small) payday: Dallas County in Iowa has been ordered to pay USD$600,000 for arresting two pentesters that were carrying out an authorised security assessment of a county courthouse. Ars Technica has more coverage.
In this sponsored interview, Casey Ellis chats to Edward Wu, founder of Dropzone AI about a recent Vanderbilt University report that reveals that foreign adversaries’ resources are growing. Edward says AI capabilities are critical to the future of cyber defence, because the west can’t hire itself out of the shortfall.