Search This Blog

Showing posts with label Pegasus. Show all posts

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

After being compromised using two zero-click iMessage exploits (that do not involve user participation), the spyware was installed on their devices: the 2020 KISMET exploit and a new never-before-seen exploit named FORCEDENTRY. 

In February 2021, Citizen Lab first noticed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed to stop message-based, zero-click attacks like this, had just been released the month before. BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence nothing to worry about for most people, at least. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić. 

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime in this circumstance, with these specific threats, may have blocked the threat actors. Researchers emphasized that disabling iMessage and FaceTime would not provide total security from zero-click assaults or adware.

NSO Group stated in a statement to Bloomberg that it hasn't read the report yet, but it has concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Pegasus iPhone Hacks Used as Bait in Extortion Scam

 

A new extortion fraud attempts to profit from the recent Pegasus iOS spyware attacks to threaten victims to pay a blackmail demand. 

Last month, Amnesty International and the non-profit project Forbidden Stories disclosed that the Pegasus spyware was installed on completely updated iPhones via a zero-day zero-click iMessage vulnerability. 

A zero-click vulnerability is a flaw that can be exploited on a device without requiring the user's interaction. For instance, a zero-click hack would be a vulnerability that could be exploited just by visiting a website or getting a message. 

Governments are believed to have employed this spyware to eavesdrop on politicians, journalists, human rights activists, and corporate leaders worldwide. This week, a threat actor began contacting users, informing them that their iPhone had been compromised with a zero-click vulnerability that allowed the Pegasus spyware software to be installed. 

According to the fraudster, Pegasus has tracked the recipient's actions and captured recordings of them at "the most private moments" of their lives. According to the email, the threat actor will disseminate the recordings to the recipient's family, friends, and business partners if a 0.035 bitcoin (roughly $1,600) payment is not made. 

The full text of the email stated: 
"Hi there Hello, 
I'm going to share important information with you. 
Have you heard about Pegasus? 
You have become a collateral victim. It's very important that you read the information below. 
Your phone was penetrated with a “zero-click” attack, meaning you didn't even need to click on a malicious link for your phone to be infected. 
Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos, and emails, record calls and secretly activate cameras or microphones and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram, and Signal.
Basically, it can spy on every aspect of your life. That's precisely what it did. I am a blackhat hacker and do this for a living. Unfortunately, you are my victim. Please read on. 
As you understand, I have used the malware capabilities to spy on you and harvested datas of your private life.
My only goal is to make money and I have perfect leverage for this. As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life when you are not expecting it. 
I personally have no interest in them, but there are public websites that have perverts loving that content. 
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know sees those videos as well. 
Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars). You need to send that amount here bc1q7g8ny0p95pkuag0gay2lyl3m0emk65v5ug9uy7 
I will also clear your device from malware, and you keep living your life. Otherwise, shit will happen. The fee is non-negotiable, to be transferred within 2 business days. 
Obviously do not try to ask for any help from anybody unless you want your privacy to be violated. 
I will monitor your every move until I get paid. If you keep your end of the agreement, you won't hear from me ever again. 
Take care." 

Apparently, the bitcoin address indicated in the sample email seen by BleepingComputer has not received any payments. However, other bitcoin addresses might be utilized in this fraud. One may believe that no one would fall for this swindle, yet similar methods in the past have fetched over $50,000 in a week.

WhatsApp CEO: US Allies' National Security Officials Targeted with NSO Malware

 

According to WhatsApp CEO Will Cathcart, governments used NSO group malware to target high-ranking government officials all around the world. 

Cathcart addressed the spyware assaults discovered by the Project Pegasus inquiry with The Guardian, noting they are similar to a 2019 attack against 1,400 WhatsApp users. 

Cathcart added, “The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then. This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.” 

NSO Group's military-grade spyware is suspected of being utilized against heads of state, cabinet members, activists, and journalists. Over 50,000 phone numbers have been leaked from the Pegasus project's central breach. The inclusion of a person's phone number on the list, however, does not always indicate that they were efficiently targeted, according to The Guardian. 

The leak is said to have included French President Emmanuel Macron, although NSO denies that none of its clients targeted Macron. The IT company also stated that the reported 50,000 figure was overstated. 

Cathcart, on the other hand, tried to refute this portrayal, stating that his firm had documented a two-week-long attack in 2019 that affected 1,400 customers. He added, “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. That’s why we felt it was so important to raise the concern around this.” 

According to The Guardian, WhatsApp lodged a lawsuit against NSO in 2019, saying that the corporation had transmitted malware to its customers' phones. NSO, an Israeli firm, argued that the responsibility should be put on its customers who are the foreign government. 

“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this," Cathcart stated. "Should they stop? Should there be a discussion about which governments were paying for this software?” 

The NSO spokesperson told The Guardian, "We are doing our best to help to create a safer world. Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists, and criminals using end-to-end encryption platforms? If so, we would be happy to hear."

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with news revealing its unlawful use infringing on many people's basic human rights. With such remote surveillance now accessible via an infected device, the issue of cybersecurity has grown more pressing than ever. According to sources from throughout the world, NSO Group's software was used to spy on around 50,000 people, including politicians, businessmen, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the Pegasus spyware's beginnings and how it differs from vulnerabilities. “Pegasus is a spyware with versions for both iOS and Android devices,” he explains. Even in 2017, the criminal had the ability to “read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things.” To clarify, Galov argues that Pegasus is a sophisticated and costly malware. It was created with the intent of spying on people of particular interest. As a result, the typical user is unlikely to be a target. 

However, the spyware's sophistication makes it one of the most powerful tools for spying on one's smartphone. Pegasus has evolved over time to attack a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be seen under forensic examination. According to Galov, many parties on the darknet can sell and buy malware as well as zero-day vulnerabilities. Vulnerabilities can cost up to $2.5 million - that's how much the whole chain of Android vulnerabilities was offered for, in 2019. 

Amnesty International researchers have created a toolkit that can assist consumers to determine whether their phone has been infected with spyware. The open-source toolkit has been made accessible on GitHub by Amnesty International. Users must first download and install a python package from the MVT (Mobile Verification Toolkit) website's documentation. It also contains advice on how to complete the procedure on both iOS and Android. Users must take a backup of their iOS device before launching MVT. 

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

Apple’s iPhone is the Easiest to Snoop on Using the Pegasus, Says Amnesty

 

NSO Group, an Israeli cyber intelligence firm, developed Pegasus spyware as a surveillance tool. As claimed by the corporation, this firm is known for developing advanced software and technology for selling primarily to law enforcement and intelligence agencies of approved nations with the sole objective of saving lives by preventing crime and terror activities. Pegasus is one such software designed to get unauthorized access to your phone, gather personal and sensitive data, and transfer it to the user who is spying on you. 

Pegasus spyware, according to Kaspersky, can read SMS messages and emails, listen to phone calls, take screenshots, record keystrokes, and access contacts and browser history. A hacker may commandeer the phone's microphone and camera, turning it into a real-time monitoring device, according to another claim. It's also worth mentioning that Pegasus is a complex and expensive spyware meant to spy on specific individuals, so the typical user is unlikely to come across it. 

Pegasus malware snooped on journalists, activists, and certain government officials, and Apple, the tech giant that emphasizes user privacy, was a victim of the attack. Indeed, according to Amnesty's assessment, Apple's iPhone is the easiest to snoop on with Pegasus software. According to the leaked database, iPhones running iOS 14.6 feature a zero-click iMessage exploit, which could have been used to install Pegasus software on the targeted entities' iPhones. The Cupertino behemoth has issued a statement condemning the assault. 

Apple’s Head of Security Engineering and Architecture, Ivan Krsti, in a statement said, "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data." 

Citizen Labs had already uncovered this flaw. Zero-click attacks are practically invisible and run in the background because they do not require the user's involvement. In iOS 14, Apple included the Blastdoor framework to make zero-click attacks more difficult, although it does not appear to be operating as planned.

Israeli Firm Assisted Governments Target Journalists & Activists with Zero Days and Spyware

 

Microsoft as part of its Patch on Tuesday fixed two of the zero-day Windows flaws weaponized by Candiru, an Israeli firm in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. 

According to a report published by the University of Toronto's Citizen Lab, the spyware vendor has also been formally identified as the commercial surveillance firm that Google's Threat Analysis Group (TAG) revealed was exploiting multiple zero-day vulnerabilities in Chrome browser to attack victims in Armenia. 

"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers stated.

"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services." 

Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is stated to be the creator of DevilsTongue, an espionage toolkit able to infect and track a wide range of devices across multiple platforms, including iPhones, Androids, Macs, PCs, and cloud accounts. 

After gaining a hard drive from "a politically active victim in Western Europe," Citizen Lab stated it was able to restore a copy of Candiru's Windows spyware, which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes. 

The infection chain used a combination of browser and Windows vulnerabilities, with the latter being transmitted through single-use URLs emailed on WhatsApp to targets. On July 13, Microsoft patched both privilege escalation issues, which allow an attacker to bypass browser sandboxes and obtain kernel code execution. 

The attacks resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers. Microsoft discovered that the digital weapon could gather data, read the victim's messages, get photos, and even send messages on their behalf using stolen cookies from logged-in email and social media accounts including Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte.

Furthermore, the Citizen Lab study linked two Google Chrome vulnerabilities — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv firm, citing similarities in the websites used to disseminate the exploits. 

A total of 764 domains related to Candiru's spyware infrastructure were discovered, many of which purported to be advocacy groups such as Amnesty International, the Black Lives Matter movement, media businesses, and other civil-society-oriented enterprises. 

Saudi Arabia, Israel, the United Arab Emirates, Hungary, and Indonesia were among the countries that ran systems under their authority. 

According to a Microsoft report, an Israeli hacking-for-hire firm has assisted government clients in spying on more than 100 people throughout the world, including politicians, dissidents, human rights activists, diplomatic staff, and journalists.

Among other well-known news outlets, the Guardian and the Washington Post released information of what they termed "global surveillance operations" using Pegasus. The surveillance is said to be aimed at journalists and according to the claims, Pegasus malware is being used to spy on people by over ten nations. 

SOURGUM's malware has so far targeted over 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. 

These attacks mostly targeted consumer accounts, implying that Sourgum's users were pursuing part of the attack. TAG researchers Maddie Stone and Clement Lecigne noticed a rise in attackers utilizing more zero-day vulnerabilities in their cyber offensives in the early 2010s, which they attribute to more commercial vendors offering access to zero-day flaws. 

Microsoft Threat Intelligence Center (MSTIC) stated in a technical rundown, "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices.” 

"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.

iPhones of Al Jazeera Journalists Being Snooped On Via Israeli Firm's Spyware

 

iPhones of around 36 Journalists at Al Jazeera news organisation have been hacked by nation-sponsored hackers who sent malware laden iMessages. The attackers who are suspected to be backed by the governments of the United Arab Emirates and Saudi Arabia, exploited a zero-day vulnerability in iMessage which was later fixed by Apple. 

In a technical report, experts have stated that the Journalists' iPhones were snooped on by attackers who employed NSO's Pegasus software to deploy spyware onto the iPhones of 36 journalists, executives and producers at the news agency, Al Jazeera. 

Pegasus is a modular malware developed by the Israeli firm NSO which is used for surveillance purposes and has also been linked to surveillance abuse at multiple occasions. The spyware allows hosts to remotely monitor and exploit devices. Reportedly, the attack took place invisibly and it didn't require the attackers to trick the victims into clicking on a malicious link – as opposed to conventional ways of deploying malware. 

While examining one of the victim's device, researchers discovered that spyware was deployed secretly through iMessage and was able to take images using iPhone's camera, access passwords, and victim's location. Besides, it's likely that the spyware was also recording phone calls and microphone.  

As per the researchers at Citizen Lab, a total of four operators belonging to Pegasus were observed to have assisted the hack. Two of the operators namely SNEAKY KESTREL and MONARCHY are suspected to be having links with the governments of Middle Eastern countries; to the UAE and Saudi Arabia, respectively.  

According to the reports by Citizen Lab, "In July and August 2020, government operatives used NSO Group’s Pegasus spyware to hack 36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera. The personal phone of a journalist at London-based Al Araby TV was also hacked." 

"The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11." 

"We do not believe that KISMET works against iOS 14 and above, which includes new security protections. All iOS device owners should immediately update to the latest version of the operating system," the report further read.

Israeli Security Company NSO Pretends to Be Facebook


As per several reports, Facebook was imitated by an Israeli security company that is known as the “NSO Group” to get the targets to install their “phone-hacking software”.

Per sources, a Facebook-like doppelganger domain was engineered to distribute the NSO’s “Pegasus” hacking contrivance. Allegedly, serves within the boundaries of the USA were employed for the spreading of it.

The Pegasus, as mentioned in reports, if installed once, can have access to text messages, device microphone, and camera as well as other user data on a device along with the GPS location tracking.

NSO has denied this but it still happens to be in a legal standoff with Facebook, which contends that NSO on purpose distributed its software on WhatsApp that led to the exploitation of countless devices. Another allegation on NSO is about having delivered the software to spy on journalist Jamal Khashoggi before his killing, to the government of Saudi Arabia, citing sources.

Facebook also claimed that NSO was also behind the operation of the spyware to which NSO appealed to the court to dismiss the case insisting that sovereign governments are the ones who use the spyware.

Per sources, NSO’s ex-employee, allegedly, furnished details of a sever which was fabricated to spread the spyware by deceiving targets into clicking on links. The server was connected with numerous internet addresses which happened to include the one that pretended to be Facebook’s. And Facebook had to buy it to stop the abuse of it.

As per reports, package tracking links from FedEx and other links for unsubscribing from emails were also employed on other such domains.

NSO still stand their ground about never using the software, themselves. In fact they are pretty proud of their contribution to fighting crime and terrorism, mention sources.

Security researchers say that it’s almost impossible for one of the servers to have helped in the distribution of the software to be within the borders of the USA. Additionally, reports mention, NSO maintains that its products could not be employed to conduct cyber-surveillance within the United States of America.

Facebook still holds that NSO is to blame for cyber-attacks. And NSO maintains that they don’t use their own software.

Israeli spyware firm NSO can mine data from social media accounts









An Israeli spyware firm has claimed that they can scoop  user data from the world’s top social media, the Financial Times report. 

The powerful malware Pegasus from NSO Group is the same spyware that breached WhatsApp data earlier this year. 

The firm said that this time their malware can scrap data from the servers of Apple, Google, Amazon, Facebook, and Microsoft. 

According to the reports of the Times, the NSO group had “told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch”.

However, the companies spokesperson denied the allegation in a in written statement to AFP’s request for comment. 
“There is a fundamental misunderstanding of NSO, its services and technology,” it said.

“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”

In the mean time, Amazon and Google told AFP that they have started an investigation on the basis of report, but so far found no evidence that the software had breached their systems or customer accounts.