Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware
By Waqas
Former Egyptian MP targeted with Predator spyware ahead of 2024 presidential run. Update your macOS Ventura, iOS, and iPadOS devices NOW, as Apple has released emergency updates to address the flaws.
**Key Findings**
Ahmed Eltantawy, a former Egyptian MP and presidential candidate, was targeted with Cytrox’s Predator spyware after announcing his bid for the presidency.
The spyware was delivered through SMS, WhatsApp messages, and network injection attacks, highlighting the advanced tactics used against Eltantawy.
Researchers obtained an iPhone zero-day exploit chain used to install Predator on iOS devices, affecting versions through 16.6.1.
The network injection attack was attributed with high confidence to the Egyptian government, as it originated from a device physically located within Egypt.
This case raises concerns about the lack of controls on the export of spyware technologies and underscores the importance of security updates and lockdown modes on Apple devices.
In a recent investigation by Citizen Lab, alarming findings reveal that former Egyptian Member of Parliament, Ahmed Eltantawy, was the victim of a sophisticated cyber espionage campaign that leveraged Cytrox’s Predator spyware.
This targeting occurred between May and September 2023, shortly after Eltantawy publicly announced his intention to run for President in the 2024 Egyptian elections.
Here, it is worth noting that Cytrox’s Predator spyware was initially discovered targeting Android devices in May 2022. However, in August 2022, Citizen Lab pointed out a connection between the spyware and the European spyware vendor, Intellexa Alliance.
At that time, the spyware was used to target a lawmaker in Greece, and interestingly, the same firm had previously made headlines in November 2019 when Cypriot authorities seized a surveillance van belonging to Intellexa. This surveillance van was equipped with hacking tools capable of intercepting, cracking, and tracking smartphones.
The campaign against Eltantawy utilized various tactics, including SMS and WhatsApp messages containing malicious links. Moreover, Eltantawy’s mobile connection with Vodafone Egypt was persistently selected for targeting via network injection.
When Eltantawy visited non-HTTPS websites, a device within Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.
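One defensive check that follows from this mechanism, added here as an example and not taken from the article or from Citizen Lab's tooling: flag plaintext-HTTP exchanges whose response bounces the client to a different site, which is the observable symptom of an in-path redirect injection. The host names and responses below are constructed, not real captures.

```python
from urllib.parse import urlparse

# Constructed sample exchanges (not real captures): the requested plaintext
# URL and the raw response head the client received.
SAMPLE_EXCHANGES = [
    ("http://news.example/article",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    ("http://news.example/old",                      # ordinary HTTPS upgrade
     "HTTP/1.1 301 Moved Permanently\r\nLocation: https://news.example/old\r\n\r\n"),
    ("http://shop.example/",                         # relative target, same host
     "HTTP/1.1 307 Temporary Redirect\r\nLocation: /login\r\n\r\n"),
    ("http://www.news.example/page",                 # sibling host of the same site
     "HTTP/1.1 302 Found\r\nLocation: http://news.example/page\r\n\r\n"),
    ("http://news.example/story",                    # bounced to an unrelated host
     "HTTP/1.1 302 Found\r\nLocation: http://lure.example/landing\r\n\r\n"),
]

def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def site_of(host):
    """Rough registrable-domain approximation: the last two DNS labels.
    No public-suffix list is used, so multi-label suffixes are not handled."""
    return ".".join(host.lower().split(".")[-2:])

def classify(requested_url, raw_response):
    """Return 'ok', 'same-site-redirect' or 'cross-site-redirect' for one exchange.
    A cross-site redirect of a plaintext request is a triage flag, not proof of
    injection: legitimate sites can redirect off-site too."""
    status, headers = parse_response_head(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return "ok"
    target = urlparse(headers["location"])
    if target.hostname is None:        # relative Location stays on the same host
        return "same-site-redirect"
    if site_of(target.hostname) == site_of(urlparse(requested_url).hostname):
        return "same-site-redirect"
    return "cross-site-redirect"

def find_suspicious(exchanges):
    """URLs whose plaintext response sent the client to another site."""
    return [url for url, raw in exchanges if classify(url, raw) == "cross-site-redirect"]
```

Running the same check against live traffic requires issuing the plaintext requests without following redirects, so that the first response, not the final page, is what gets classified.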
Citizen Lab’s investigation uncovered an iPhone zero-day exploit chain designed to install Predator on iOS versions through 16.6.1. They also obtained the first stage of the spyware, which shared notable similarities with a sample of Cytrox’s Predator spyware obtained in 2021. On that basis, Citizen Lab attributes the sample to Cytrox’s Predator with high confidence.
Given Cytrox’s known association with the Egyptian government, which is a customer of the Predator spyware, and the fact that the spyware was delivered via network injection from a device physically located within Egypt, Citizen Lab confidently attributes the network injection attack to the Egyptian government.
This isn’t the first time Eltantawy has been targeted. In November 2021, his phone was infected with Cytrox’s Predator spyware through a text message containing a link to a Predator website.
These revelations raise serious concerns about the use of spyware to target opposition figures in a democratic process. Ahmed Eltantawy’s case underscores the need for strong cybersecurity measures and heightened awareness of potential threats during election campaigns.
**Apple Releases Emergency Updates Amid Citizen Lab’s Disclosure**
In response to Citizen Lab’s findings, Apple has issued three emergency updates for iOS, iPadOS, and macOS Ventura. The updates address the following vulnerabilities:
- CVE-2023-41991
- CVE-2023-41992
- CVE-2023-41993
Apple has also acknowledged the researchers’ findings and stated that the company is aware of reports suggesting that this issue may have been actively exploited in versions of iOS prior to iOS 16.7.
Commenting on this, Dr Klaus Schenk, senior vice president of security and threat research at Verimatrix, said “The vulnerabilities discovered in Apple’s platforms are highly concerning due to their potential impact. Privilege escalation, arbitrary code execution, and especially remote exploitable arbitrary code execution rank among the most dangerous issues for any computing system.”
Dr Klaus emphasised that “It’s reassuring that Apple has not yet disclosed technical details of the attack vectors. Keeping that information private significantly reduces the risk of widespread exploits, since threat actors have less information to engineer effective attacks. For remote code execution to occur, a user would need to visit a website specifically crafted to leverage these vulnerabilities and distribute malicious code. With details undisclosed, the number of sites currently capable of mounting such an attack is likely very low.”
“That said, Apple customers should immediately install these emergency security updates to protect themselves against potential targeted attacks. Timely patching is critical, as threat actors will eventually reverse engineer the fixes to understand the underlying flaws. By updating promptly, users ensure their devices cannot be compromised by attacks exploiting these particular zero-day vulnerabilities,” he advised. “Moving forward, it’s essential that Apple continue working diligently to identify and rectify security issues in their software before they can be weaponised against users.”
This marks the second time in a month that Citizen Lab has detected a sophisticated spyware campaign targeting Apple devices. On September 7th, 2023, Apple released a critical security update to address a zero-click vulnerability that was actively delivering NSO Group’s Pegasus spyware to iPhones. These revelations were initially reported by Citizen Lab, which classified the attack as a BLASTPASS operation.
**Conclusion**
Citizen Lab’s findings also shed light on the importance of maintaining up-to-date software and enabling security features like Lockdown Mode on Apple devices. They emphasize the critical role that such measures play in safeguarding individuals from cyber threats.
Additionally, the report calls for increased controls on the export of technologies that can be misused to violate human rights. It highlights the need for greater transparency and accountability in regulating dual-use technology exports, especially in cases involving companies headquartered in Canada.
In a world where cyber threats are becoming increasingly sophisticated, these findings serve as a stark reminder of the importance of digital security and the potential consequences of inadequate measures.