Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Pegasus. Show all posts

Apple Alerts Pegasus-like Attack on Indian Activists and Leaders

 

On July 10, two individuals in India received alarming notifications from Apple, Inc. on their iPhones, indicating they were targeted by a “mercenary” attack. This type of spyware allows attackers to infiltrate personal devices, granting access to messages, photos, and the ability to activate the microphone and camera in real time. Apple had previously described these as “state-backed” attacks but revised the terminology in April. 

Iltija Mufti, political adviser and daughter of former Jammu and Kashmir Chief Minister Mehbooba Mufti, and Pushparaj Deshpande, founder of the Samruddha Bharat Foundation, reported receiving these alerts. Both Mufti and Deshpande confirmed to The Hindu that they had updated their phones and planned to have them forensically examined. A spokesperson for Apple in India did not provide an immediate comment. 

Although the alert did not specifically mention state involvement, it cited Pegasus spyware as an example. Pegasus, developed by the Israeli NSO Group Technologies, is exclusively sold to governments. The Indian government has not confirmed or denied using Pegasus and declined to participate in a Supreme Court-ordered probe into its deployment. This is the first instance in months where such spyware alerts have been issued. 

The last known occurrence was in October, when Apple devices belonging to Siddharth Varadarajan of The Wire and Anand Mangnale of the Organized Crime and Corruption Report Project received similar warnings. Forensic analysis later confirmed they were targeted using vulnerabilities exploited by Pegasus clients. Both Mufti and Deshpande criticized the Union government, accusing it of using Pegasus. Mufti stated on X (formerly Twitter), “BJP shamelessly snoops on women only because we refuse to toe their line,” while Deshpande highlighted the government’s misplaced priorities, focusing on deploying Pegasus rather than addressing India’s significant challenges. 

An international investigation in 2021 by the Forbidden Stories collective exposed widespread targeting of civil society organizations, opposition politicians, and journalists with Pegasus spyware. The Indian government denied illegal activity but did not clearly confirm or deny the use of Pegasus. Alleged targets included Rahul Gandhi, former Election Commissioner Ashok Lavasa, student activist Umar Khalid, Union Minister Ashwini Vaishnaw, the Dalai Lama’s entourage, and individuals implicated in the 2018 Bhima Koregaon violence.

Russian Exiled Journalist Says EU Should Ban Spyware


The editor-in-chief of the independent Russian news site Meduza has urged the European Union to enact a comprehensive ban on spyware, given that spyware has been frequently used to violate human rights.

According to Ivan Kolpakov, Meduza’s editor-in-chief based in Latvia, it was obvious that Europeans should be very concerned about Pegasus in light of the discoveries regarding the hacking of his colleague Galina Timichenko by an as-yet-unconfirmed EU country.

“If they can use it against an exiled journalist there are no guarantees they cannot use it against local journalists as well[…]Unfortunately, there are a lot of fans in Europe, and we are not only talking about Poland and Hungary, but Western European countries as well,” said Kolpakov.

Since last month, the European Commission has been working on guidelines for how governments could employ surveillance technologies like spyware in compliance with EU data privacy and national security rules since last month. Despite the fact that member states are responsible for their own national security, the Commission is considering adopting a position after learning that 14 EU governments had purchased the Pegasus technology from NSO Group.

Apparently, Timichenko was targeted by Pegasus in February 2023 when she was in Berlin for a private gathering of Russian media workers exile. The meeting's subject was the threats posed by the Russian government's categorization of independent Russian media outlets as foreign agents.

Taking into account the work that Timichenko deals with, Russia was first suspected; but, according to the digital rights organization Access Now, additional information suggests that one of the intelligence services of an EU member state — the exact one is yet unknown — is more likely to be to blame.

Allegedly, the motive behind the hack could be that numerous Baltic nations, to whom Russia has consistently posed a threat, are worried that a few FSB or GRU agents may have infiltrated their borders among expatriate dissidents and journalists.

“It may happen and probably it actually happens, but in my opinion, it does not justify the usage of that kind of brutal tool as Pegasus against a prominent independent journalist,” Kolpakov said.

Kolpakov believes that the revelations have left the exiled community feeling they are not safe in Europe. “This spyware has to be banned here in Europe. It really violates human rights,” he added.     

FBI Nearly Adopted NSO's Spyware

According to a report published by the New York Times on Saturday, several agents from the US Federal Bureau of Investigation worked to enhance the rollout of Pegasus, the notorious phone-hacking program created by Israel's NSO Group. 

What is Pegasus?

Once installed, Pegasus spyware enables the user to fully manage a target's phone, allowing them to see messages, listen in on calls, and access the phone as a remote listening device.

Significant numbers of human rights activists, journalists, politicians, and corporate executives were reportedly designated as potential targets of NSO's Pegasus program, which has caused criticism for the Israeli company responsible for its development. 

When smartphones are infected with Pegasus, they effectively become portable surveillance tools that can be used to read the target's messages, browse through the images, or even switch on the user's camera and microphone secretly.

FBI Purchased Pegasus 

The highly classified files, which were provided to the Times in response to a FOIA request, reveal that agency officials had developed guidelines for federal prosecutors concerning how to disclose Pegasus usage in court proceedings and were progressed in organizing to brief FBI heads on the malware.

Additionally, the FBI asserted that Pegasus had never been used to assist an FBI investigation. The FBI only obtained a restricted license for product testing and evaluation, the statement read "There was no functional use in support of any investigation."

The announcement represents a clear admission by the FBI that it purchased Pegasus, one of the most advanced hacking tools in existence.

The FBI examined NSO's Phantom software, which has the ability to hack US phones, earlier this year, the press reported. After learning that NSO's hackers were linked to violations of human rights all around the world and as negative press about the technology spread, the FBI eventually opted against utilizing it.

The New York Times broke the news of the FBI's acquisition of Pegasus in 2019 while the Trump administration was in control. However, the bureau has still not ruled out the potential of using comparable technology in the future, the report said, citing recent court records.

A legal brief submitted on the bureau's behalf last month stated that "just because the FBI eventually decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate, and potentially deploy other similar tools for gaining access to encrypted communications used by criminals."



Telstra Struck by Data Breach Exposing 30,000 Employees' Data

 

Telstra, Australia's largest telecommunications company, revealed a data breach via a third-party supplier. The company stated that its systems were not compromised; rather, the security breach affected a third-party supplier who previously provided a now-defunct Telstra employee rewards programme. 

The data breach affected a third-party platform called Work Life NAB, which is no longer available, and was provided to several other organisations by Pegasus Group Australia (a subsidiary of MyRewards International Ltd.). Pegasus Group Australia, a subsidiary of MyRewards International Ltd, ran it. 

The third-party platform did not store any customer account information, according to Narelle Devine, the company's chief information security officer for the Asia Pacific region. Other companies appear to have been affected by the security breach. Data from 2017 was leaked online, and it included names (first and last) and email addresses used to sign up for the employee rewards programme.

“Information obtained as a result of a data breach at a third-party supplier was posted on the internet. The supplier previously provided a now-obsolete Telstra employee rewards program.” reads the statement published by the company. “Critically, there was no breach of any Telstra systems, and no customer account information was stored on the third-party platform.”

According to Reuters, people who obtained access to internal Telstra staff email, 30,000 current and former employees have been affected. The company is still investigating the incident and assisting the third party in determining how and to what extent the security breach occurred.

Optus, Australia's second-largest company, recently confirmed that a security breach impacted nearly 2.1 million of its current and former customers.

Report: Mexico Continued to Utilize Spyware Against Activists

 

Despite President Andrés Manuel López Obrador's pledge to end such practices, the Mexican government or army is said to have continued to use spyware designed to hack into activists' cellphones. 

As per press freedom groups, they discovered evidence of recent attempts to use the Israeli spyware programme Pegasus against activists investigating human rights violations by the Mexican army. A forensic investigation by the University of Toronto group Citizen Lab confirmed the Pegasus infection. 

The targets included rights activist, Raymundo Ramos, according to a report by the press freedom group Article 19, The Network for the Defense of Digital Rights, and Mexican media organisations. Ramos has spent years documenting military and police abuses, including multiple killings, in Nuevo Laredo, a drug cartel-dominated border city. In 2020, Ramos' cellphone was apparently infected with Pesgasus spyware.

“They do not like us documenting these types of cases, for them to be made public and have criminal complaints filed,” Ramos said.

Other victims in 2019 and 2020 included journalist and author Ricardo Raphael and an unnamed journalist for the online media outlet Animal Politico. 

According to Daniel Moreno, director of Animal Politico, "if the president didn't know, that is very serious because it means the army was spying on him without his consent." If the president was aware, it would be extremely serious."

López Obrador took office in December 2018 with the promise of ending government spying. The president claimed that as an opposition leader, he had been subjected to government surveillance for decades. Lopez Obrador said in 2019, in response to questions about the use of Pegasus, “We are not involved in that. Here we have decided not to go after anybody. Before, when we were in the opposition, we were spied on.”

According to the report, the Mexican army requested price quotes for surveillance programmes from companies involved in the distribution of Pegasus, which the company claims is only sold to governments. The hacker group Guacamaya discovered army documents containing requests for price quotes from 2020, 2021, and 2022.

Because of the nature of their work and the timing of the espionage, the victims of the spyware attacks assumed the military was to blame. Leopoldo Maldonado, the director of Article 19, stated, “All of this indicates two possible scenarios: the first, that the president lied to the people of Mexico. The second is that the armed forces are spying behind the president’s back, disobeying the orders of their commander in chief.”

When reached for comment, a spokesman for Mexico's Defense Department stated that there was no immediate response to the allegations. In 2021, a Mexican businessman was arrested on suspicion of spying on a journalist with the Pegasus spyware, but the Israeli spyware firm NSO Group distanced itself from him. In Mexico, the businessman has long been described as an employee of a company that acted as an intermediary in spyware purchases.

According to López Obrador's top security official, two previous administrations spent $61 million on Pegasus spyware. The NSO Group has been linked to government surveillance of political opponents and journalists all over the world. 

"NSO's technologies are only sold to vetted and approved government entities," as per the company.

Mexico had the largest list — approximately 15,000 phone numbers — of more than 50,000 reportedly selected for potential surveillance by NSO clients.

López Obrador has relied on the military more and given it more responsibilities than any of his predecessors, from building infrastructure to overseeing seaports and airports. This has sparked concern that the Mexican army, which has traditionally avoided politics, is becoming a force unto itself, with little oversight or transparency.

A spyware Rival Intellexa Challenges NSO Group

The Pegasus creator NSO Group is now facing competition from a little-known spyware company called Intellexa, which is charging $8 million for its services to hack into Android and iOS devices. 

Vx-underground, a distributor of malware source code, discovered documents that represented a proposal from Intellexa, a company that provides services like Android and iOS device exploits. On Wednesday, it shared several screenshots of documents that appeared to be part of an Intellexa business proposal on Twitter.

Europe is the base of Intellexa, which has six locations and R&D facilities there. According to a statement on the company's website, "We help law enforcement and intelligence organizations across the world reduce the digital gap with many and diverse solutions, all integrated with our unique and best-in-class Nebula platform."

A Greek politician was the target of Intellexa, a Cytrox iPhone predator spyware program, according to a Citizen Lab study from last year.

The Intellexa Alliance, which Citizen Lab defined as "a marketing term for a range of mercenary surveillance companies that emerged in 2019," included Cytrox, according to Citizen Lab.

Spyware threat 

The product specifically focuses on remote, one-click browser-based exploits that let users inject a payload into iOS or Android mobile devices. According to the brief explanation, in order for the exploit to be used, the victim must click on a link.

The docs, "classified as proprietary and confidential," according to Security Week, confirmed that the exploits should function on iOS 15.4.1 and the most recent Android 12 upgrade." The fact that Apple released iOS 15.4.1 in March indicates that the offer is current.

The deal gives a "magazine of 100 active infections" in addition to 10 concurrent infections for iOS and Android devices. A sample list of Android devices that an attack would allegedly be effective against is also displayed in the stolen documents.

Last year, Apple sued NSO Group to prevent the business from using its products and services. It implies that the offer is relatively new. Since then, three security patches for the mobile operating system have been released.

This indicates that Apple might have addressed one or more of the zero-day vulnerabilities utilized by the Intellexa iOS attack, but it's also feasible that the exploits provided by these kinds of businesses could stay unpatched for a considerable amount of time.

The buyer would actually receive considerably more for the $8 million, despite the fact that some have claimed that this is the cost of an iOS hack. The offer is for a whole platform with a 12-month guarantee and the ability to evaluate the data obtained by the exploits.

The documents are undated, but according to vx-underground, the screenshots were published on the hacker forum XSS in Russian on July 14. While there is a wealth of technical knowledge available about the exploits provided by spyware companies, nothing is known regarding the prices they charge clients.

According to a 2019 estimate from India's Economic Times, a Pegasus license costs about $7-8 million each year. Additionally, it is well-known that brokers of exploits are willing to pay up to $2 million for fully automated iOS and Android flaws.



'Hermit' Spyware Deployed in Syria, Kazakhstan, and Italy



Lookout Inc. discovered an enterprise-grade Android surveillanceware being used by the authorities operating within Kazakhstan's borders. Lookout researchers identified evidence of the spyware, called "Hermit," being used in Italy and northern Syria. 

Researchers got a sample of "Hermit" in April 2022, four months after a series of violently suppressed nationwide rallies against government policies. The Hermit spyware was most likely built by RCS Lab S.p.A, an Italian surveillance firm, and Tykelab Srl. 

The Hermit spyware was most likely produced by Italian surveillance vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company accused of acting as a front company, according to Lookout. 

In the same market as Pegasus creator NSO Group Technologies and Gamma Group, which invented FinFisher, is a well-known developer with previous interactions with governments such as Syria. This appears to be the first time that a modern RCS Lab mobile spyware client has been publicly disclosed. 

The spyware is said to be spread by SMS messages that spoof users into installing what appear to be harmless apps from Samsung, Vivo, and Oppo, which, when launched, load a website from the impersonated company while silently initiating the kill chain. 

Spyware has been seen to infect Android smartphones in the past. The threat actor APT-C-23 (aka Arid Viper) was linked to a series of attacks targeting Middle Eastern users with new FrozenCell versions in November 2021. Last month, Google's Threat Analysis Group (TAG) revealed that government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia are purchasing Android zero-day exploits for covert surveillance efforts. 

As per Lookout, the samples studied used a Kazakh language website as a decoy, and the main Command-and-control (C2) server used by this app was a proxy, with the true C2 being located on an IP from Kazakhstan. "They call themselves 'lawful intercept' organizations since they claim to only sell to customers with legitimate surveillance purposes, such as intelligence and law enforcement agencies. Under the pretext of national security, similar technologies have been used to phish on corporate executives, human rights activists, journalists, academics, and government officials "as per the researchers. 

The revelations came as the Israel-based NSO Group is rumored to be in talks to sell its Pegasus technology to US defense contractor L3Harris, which makes StingRay cellular phone trackers, raising concerns it could allow law enforcement to deploy the controversial hacking tool.

Malware Seller Faces Charges for Peddling WhatsApp Espionage Tools

 

The US Justice Department (DoJ) reported a Mexican businessman named Carlos Guerrero admitted guilt in federal court for peddling spyware/hacking tools to clients in the United States and Mexico.

Authorities accused Guerrero of facilitating the sale of monitoring and surveillance technologies to both Mexican government users and private customers for commercial and personal purposes. Guerrero "knowingly arranged" for a Mexican mayor to obtain access to a political rival's email and social media accounts, according to the investigators. Guerrero also utilized the technology to listen in on the phone calls of a rival from the United States who had been in Southern California and Mexico at the time. 

Guerrero is also suspected of assisting a Mexican mayor in gaining unlawful access to his rival's iCloud, Hotmail, as well as Twitter pages, according to the Department of Justice's news release. A sales representative's phone and email data were hacked in another case, so he had to pay $25,000 to regain the information. The accused also utilized the gadgets to listen more into his rival's phone calls in Mexico and South California. Guerrero's company, Elite by Carga, imported surveillance technology and espionage tools from unknown Israeli, Italian, and other companies. 

Guerrero operated as a broker for an undisclosed Italian business, referred to only as Company A in the accusation, which offered bugging devices and tracking tools between 2014 and 2015. The organization is thought to be Hacking Team, a bankrupt Milan-based maker of offensive infiltration tools which was also breached in 2015 and had leaked emails leaked online, including a cache of Guerrero-related messages. 

Pegasus, strong mobile spyware created by Israeli corporation NSO Group which can acquire near-complete permissions on a target's smartphone, is among the most prominent and reported keylogging software used in Mexico. Over the last two decades, Mexico has spent $61 million on contracts, primarily targeting journalists, activists, and human rights defenders. According to a leaked list of phone numbers suspected to be NSO surveillance targets, Mexico has the most targets — around 700 phones — of any country on the list, which NSO has consistently denied.

Guerrero's information director Daniel Moreno, who is often mentioned in the hacking team's emails, is scheduled to file a similar pleading in the coming weeks.

An Israeli Spy Agency, QuaDream, Hacks Devices 

 

According to Reuters, an Apple software loop exploited by Israeli spy firm NSO Group to hack access iPhones in 2021 was also targeted by a competitor at the same time. 

The two companies QuaDream got the capacity to remotely hack into iPhones, compromising the smartphones without the user clicking on a malicious link. The fact the two firms employed the same advanced 'zero-click' hacking technique suggests that cellphones are more prone to digital espionage than the industry admits. 

The two organizations utilized ForcedEntry software exploits to steal iPhones. In the context, it's worth noting that an exploit is a piece of computer code that takes advantage of a set of unique software flaws to provide a hacker unauthorized access to data. 

"People want to feel they're safe, and telecommunications companies want the user to assume they're safe," stated Dave Aitel, a cybersecurity partner at Cordyceps Systems. 

Some notable Israelis have been attacked with Pegasus, according to a recent revelation from the Israeli publication Calcalist, including a son of former Prime Minister Benjamin Netanyahu. "CEOs of government ministries, news reporters, tycoons, corporate executives, mayors, social activists, and even the Prime Minister's relatives were all police targets," according to Calcalist. "Phones were hacked by NSO's spyware prior to any research even opening and without any judicial authorization." 

Some of QuaDream's clients overlapped with NSO Group's  implying that the buyers utilized Pegasus and REIGN for surveillance, specifically targeting political opponents. Surprisingly, the two cyberweapon's techniques were so identical when Apple patched the security weakness, it didn't make a difference. 

Spyware firms have long claimed to sell high-powered technologies to assist governments in combating national security threats. Human rights organizations and journalists, on the other hand, have reported the use of spyware to harm civil society, discredit political opposition, and sabotage elections on numerous occasions. 

Pegasus was also recently discovered on the devices of Finland's diplomatic corps working outside the nation, according to Finnish officials, as well as of a wide-ranging espionage campaign. Pegasus was allegedly installed on the iPhones of at least nine US State Department workers.

Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware

 

The University of Toronto's Citizen Lab has found yet another player in the private sector mobile spyware market, citing a small North Macedonian firm called Cytrox as the maker of high-end iPhone implants. 

Citizen Lab worked with Facebook parent company Meta's threat-intelligence team to expose Cytrox and a handful of other PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry. Citizen Lab stated that Cytrox is behind a piece of iPhone spying malware that was put on the phones of two prominent Egyptians, according to a detailed technical analysis published. 

Predator, the malware, was able to infect the most recent iOS version (14.6) utilising single URLs provided via WhatsApp. Exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating, and later discovered evidence of two different spyware applications running on the device, administered by two different government APT actors. 

The Egyptian government, a known Cytrox customer, has been attributed with the attack, according to Citizen Lab. Nour's phone was infected with both Cytrox's Predator and Israeli vendor NSO Group's more well-known Pegasus spyware, according to Citizen Lab. Citizen Lab's exposé detailed Cytrox's background as a startup launched in 2017 by Ivo Malinkovksi, a North Macedonian who later integrated the company with Intellexa and publicly hawked digital forensics tools. The firm claims to be established in the European Union, with R&D labs and sites all over Europe. 

In a separate advisory published by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business. 

These firms handle the reconnaissance, engagement, and exploitation phases of advanced malware campaigns for governments and law enforcement agencies all across the world, including those that target journalists, politicians, and other members of civil society. 

Cytrox was recognised as a company that "develops exploits and sells surveillance tools and viruses that enable its clients to compromise iOS and Android devices," as per Facebook's team. 

Facebook’s security team stated, “[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service.” 

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites.” 

“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”

Pegasus Spyware Reportedly Hacked iPhones of U.S. State Department & Diplomats

 

An unidentified party used NSO Group's Pegasus spyware to attack the Apple iPhones of at least nine US State Department officials, as per a report published Friday by Reuters. 

After receiving a query about the incident, NSO Group indicated in an email to The Register that it had barred an unnamed customer's access to its system, but it has yet to determine whether its software was engaged. 

An NSO spokesperson told The Register in an email, "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations." 

"To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case." 

The Israel-based firm, which was recently sanctioned by the US for reportedly selling intrusion software to repressive regimes and is being sued by Apple and Meta's (Facebook's) WhatsApp for allegedly assisting the hacking of their customers, says it will work cooperatively with any relevant government authority and share what it learns from its investigation. 

NSO's spokesperson stated, “To clarify, the installation of our software by the customer occurs via phone numbers. As stated before, NSO’s technologies are blocked from working on US (+1) numbers. Once the software is sold to the licensed customer, NSO has no way to know who the targets of the customers are, as such, we were not and could not have been aware of this case." 

According to Reuters, the impacted State Department officials were situated in Uganda or were focused on Ugandan issues, therefore their phone numbers had a foreign nation prefix rather than a US prefix. When Apple launched its complaint against the NSO Group on November 23rd, the iPhone maker also stated that it will tell iPhone customers who have been the target of state-sponsored hacking. On the same day, Norbert Mao, a communist, was assassinated. On the same day, Norbert Mao, a lawyer and the President of Uganda's Democratic Party, tweeted that he'd gotten an Apple threat notification. 

According to the Washington Post, NSO's Pegasus software was involved in the attempted or accomplished hacking of 37 phones linked to journalists and rights activists, including two women connected to Saudi journalist Jamal Khashoggi. The findings contradicted NSO Group's claims that their software was only licenced for battling terrorists and law enforcement, according to the report. 

The NSO Group released its 2021 Transparency and Responsibility Report [PDF] the same month, insisting that its software is only used against groups with few sympathisers, such as terrorists, criminals, and pedophiles. 

Several reports from cybersecurity research and human rights organisations, not to mention UN, EU, and US claims about the firm, have disputed that assertion. The US State Department refused The Register's request for confirmation of the Reuters claim but said the agency takes its obligation to protect its data seriously. They were also told that the Biden-Harris administration is seeking to limit the use of repressive digital tools.

Apple Sues NSO Group for Using Pegasus Spyware to Spy on iPhone Users

 

In a U.S. federal court, Apple has sued NSO Group and its parent firm Q Cyber Technologies for illegally targeting users with its Pegasus spying tool, marking yet another setback for the Israeli spyware vendor. NSO Group is described as "notorious hackers — amoral 21st-century mercenaries who have constructed highly sophisticated cyber-surveillance equipment that promotes routine and egregious exploitation" by the Cupertino-based tech giant. 

“State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Apple devices are the most secure consumer hardware on the market — but private companies developing state-sponsored spyware have become even more dangerous."

Pegasus is designed as an invasive "military-grade" spyware capable of exfiltrating sensitive personal and geolocation information and stealthily activating the phones' cameras and microphones. It is typically installed by leveraging "zero-click" exploits that infect targeted devices without any user interaction. 

The FORCEDENTRY exploit in iMessage was used to evade iOS security measures and target nine Bahraini activists, according to Apple's lawsuit. The attackers used over 100 false Apple IDs to send harmful data to the victims' devices, allowing NSO Group or its clients to deploy and install Pegasus spyware without their knowledge, according to the firm. In September, Apple patched the zero-day vulnerability. 

"The abusive data was sent to the target phone through Apple's iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file," Apple detailed in its filing. "That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple's iCloud servers in the United States or abroad for delivery to the target." 

The lawsuit also mirrors a similar action taken by Meta (previously Facebook) in October 2019, when it sued the firm for installing Pegasus on 1,400 mobile devices belonging to diplomats, journalists, and human rights activists by exploiting a weakness in its WhatsApp messaging software. 

Apple praises organizations such as Citizen Lab and Amnesty Tech for their pioneering efforts in identifying cyber-surveillance abuses and assisting victims. To support efforts like these, Apple announced that it will donate $10 million to organizations conducting cyber surveillance research and advocacy, plus any damages from the lawsuit.

New Trojan Attack Campaign Prompted by Pegasus Spyware

 

An unexplored Sarwent Trojan is being distributed by a threat organization via a bogus Amnesty International website that claims to protect customers from the Pegasus smartphone spyware. 

The operation is intended towards those who feel they have been attacked by the NSO Group's Pegasus spyware and thus are tied to nation-state action, according to Cisco Talos security analysts, but Talos is yet to identify the exact threat actor. 

Pegasus is a piece of spyware created by the Israeli cyber arms firm NSO Group which can be loaded secretly on smartphones (and other devices) running most versions of iOS and Android. According to the disclosures from Project Pegasus 2021, the existing Pegasus program can attack all recent iOS versions up to iOS 14.6. Pegasus could intercept text messages, track calls, gather passwords, monitor position, access the target device's camera and microphone, and collect data from apps as of 2016. 

Despite the claims regarding authorized utilization, Pegasus - a contentious surveillance software technology has been allegedly used by tyrannical governments in operations targeting journalists, human rights activists, as well as other opponents of the state. 

Soon after the release of a comprehensive Amnesty International report on Pegasus in July of this year, as well as Apple's dissemination of updates for the ForcedEntry zero-day exploit, several users started exploring ways of protecting themselves from the spyware that was exploited by adversaries. 

On a bogus website that I identical to Amnesty International, the malicious actors claim to be delivering "Amnesty Anti Pegasus," an anti-virus tool that can allegedly guard against NSO Group's malware. 

Alternatively, customers are given the Sarwent remote access tool (RAT), which allows attackers to easily upload and run payloads on compromised PCs, as well as extract relevant and sensitive data. 

Despite its low intensity, the attack has struck individuals in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine, as per Cisco Talos. 

“Given the current information, we are unsure of the actor’s objectives. The use of Amnesty International’s name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why,” according to Cisco Talo. 

The campaign's adversary seems to be a Russian speaker who has been using Sarwent to target patients from different walks of life all across the globe since at least January 2021. The malicious actors have been using the Trojan and one with a comparable backdoor since 2014, according to security experts.

5 French Minister Phones Affected with Pegasus Spyware

 

At least five French ministers and President Emmanuel Macron's diplomatic advisor mobile phones have been infected by Israel-made Pegasus spyware, whistle-blowers confirmed on Friday 24th of September. 

As per a Mediapart report on Friday, French security agencies have discovered software during the phone inspection, with breaches reported in 2019 and 2020. 

In July Pegasus produced by NSO Group, the Israeli company, was already in the middle of a hurricane following a list of around 50,000 possible surveillance targets worldwide leaking to the media, and was capable of switching the camera or microphone and harbor their data. 

The insinuation was made about two months after the Pegasus Project, the media consortium which included the Guardian, found that a leaked database at the core of the investigatory project included contact information of top France officials, including French President Emmanuel Macron and most of its 20-strong cabinet. 

There is no strong proof of successful hacking of phones of the five cabinet members however media reports suggest that the devices were targeted by the potent spyware known as Pegasus, which is created by the NSO Group. 

Pegasus enables users to track the conversation, text messages, pictures, and location whenever installed effectively by government customers within the Israeli firm and can convert phones into remotely controlled listening devices. 

The consortium of Pegasus Project, organized by the French Forbidden Stories non-profit media, showed that international customers of NSO utilized hacker tools to attack journalists and human rights organizations. 

NSO reportedly stated that its strong malware is designed not to target civilian society members but to probe severe criminals. It has stated it has no link to the leaked database reviewed by the Pegasus Project and also the tens of thousands of numbers included do not target NSO customers. It has also firmly disputed that Pegasus Spyware has always targeted Macron. 

In a statement released on Thursday night, NSO said: “We stand by our previous statements regarding French government officials. They are not and have never been Pegasus targets. We won’t comment on anonymous source allegations.” 

Furthermore, the authenticity of the allegation was verified by two French individuals with knowledge of the inquiry, but they asked not to be named since they had not been allowed to talk to the media. 

"My phone is one of those checked out by the national IT systems security agency, but I haven't yet heard anything about the investigation so I cannot comment at this stage," Wargon told the L'Opinion website Friday. 

Mediapart stated that the handsets of the ministers for education (Jean-Michel Blanquer), Jacqueline Gourault, Julien Denormandie, Emmanuelle Wargon, Sébastien Lecornu and others – displayed indications of the virus Pegasus. The report noted that at the time of the allegations of targeting that happened in 2019 and less often in 2020, not all the Ministers had their current roles, but all were Ministers. The phone of the Macron Diplomatic Consultants at the Elysee Palace was also targeted. 

The Élysée Palace also stated that it would not comment on “long and complex investigations which are still ongoing”. 

The Prosecutor's Office refused to comment or to clarify whether or whether not the ministers' phone hacking had been found, stating that the investigation was subject to judicial confidentiality regulations. Although since the end of July, when the palace officials notified prudence, the Élysée has not reacted to the Pegasus affair and said that “no certainty at this stage”.

New Zero-Click iMessage Exploit Used to Deploy Pegasus Spyware

 

Citizen Lab's digital threat researchers have discovered a new zero-click iMessage exploit that was exploited to install NSO Group's Pegasus spyware on Bahraini activists' smartphones. In total, nine Bahraini activists (including members of the Bahrain Center for Human Rights, Waad, and Al Wefaq) had their iPhones hacked in a campaign conducted by a Pegasus operator linked to the Bahraini government with high confidence, according to Citizen Lab. 

After being compromised using two zero-click iMessage exploits (that do not involve user participation), the spyware was installed on their devices: the 2020 KISMET exploit and a new never-before-seen exploit named FORCEDENTRY. 

In February 2021, Citizen Lab first noticed NSO Group deploying the new zero-click FORCEDENTRY iMessage attack, which bypasses Apple's BlastDoor protection. BlastDoor, a structural change in iOS 14 aimed to stop message-based, zero-click attacks like this, had just been released the month before. BlastDoor was designed to prevent Pegasus attacks by operating as a "tightly sandboxed" service responsible for "almost all" of the parsing of untrusted data in iMessages, according to Samuel Groß of Google Project Zero.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.” 

Attacks like the ones revealed by Citizen Lab, according to Ivan Krstić, head of Apple Security Engineering and Architecture, are highly targeted and hence nothing to worry about for most people, at least. Such attacks are "very complex, cost millions of dollars to design, often have a short shelf life, and are used to target specific individuals," according to Krstić. 

In addition to Apple's iMessage, NSO Group has a history of using other messaging apps, such as WhatsApp, to spread malware. Nonetheless, Citizen Lab believes that disabling iMessage and FaceTime in this circumstance, with these specific threats, may have blocked the threat actors. Researchers emphasized that disabling iMessage and FaceTime would not provide total security from zero-click assaults or adware.

NSO Group stated in a statement to Bloomberg that it hasn't read the report yet, but it has concerns about Citizen Lab's techniques and motivations. According to the company's statement, "If NSO gets reliable evidence relating to the system's misuse, the company will thoroughly investigate the claims and act accordingly."

Pegasus iPhone Hacks Used as Bait in Extortion Scam

 

A new extortion fraud attempts to profit from the recent Pegasus iOS spyware attacks to threaten victims to pay a blackmail demand. 

Last month, Amnesty International and the non-profit project Forbidden Stories disclosed that the Pegasus spyware was installed on completely updated iPhones via a zero-day zero-click iMessage vulnerability. 

A zero-click vulnerability is a flaw that can be exploited on a device without requiring the user's interaction. For instance, a zero-click hack would be a vulnerability that could be exploited just by visiting a website or getting a message. 

Governments are believed to have employed this spyware to eavesdrop on politicians, journalists, human rights activists, and corporate leaders worldwide. This week, a threat actor began contacting users, informing them that their iPhone had been compromised with a zero-click vulnerability that allowed the Pegasus spyware software to be installed. 

According to the fraudster, Pegasus has tracked the recipient's actions and captured recordings of them at "the most private moments" of their lives. According to the email, the threat actor will disseminate the recordings to the recipient's family, friends, and business partners if a 0.035 bitcoin (roughly $1,600) payment is not made. 

The full text of the email stated: 
"Hi there Hello, 
I'm going to share important information with you. 
Have you heard about Pegasus? 
You have become a collateral victim. It's very important that you read the information below. 
Your phone was penetrated with a “zero-click” attack, meaning you didn't even need to click on a malicious link for your phone to be infected. 
Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos, and emails, record calls and secretly activate cameras or microphones and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram, and Signal.
Basically, it can spy on every aspect of your life. That's precisely what it did. I am a blackhat hacker and do this for a living. Unfortunately, you are my victim. Please read on. 
As you understand, I have used the malware capabilities to spy on you and harvested datas of your private life.
My only goal is to make money and I have perfect leverage for this. As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life when you are not expecting it. 
I personally have no interest in them, but there are public websites that have perverts loving that content. 
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know sees those videos as well. 
Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars). You need to send that amount here bc1q7g8ny0p95pkuag0gay2lyl3m0emk65v5ug9uy7 
I will also clear your device from malware, and you keep living your life. Otherwise, shit will happen. The fee is non-negotiable, to be transferred within 2 business days. 
Obviously do not try to ask for any help from anybody unless you want your privacy to be violated. 
I will monitor your every move until I get paid. If you keep your end of the agreement, you won't hear from me ever again. 
Take care." 

Apparently, the bitcoin address indicated in the sample email seen by BleepingComputer has not received any payments. However, other bitcoin addresses might be utilized in this fraud. One may believe that no one would fall for this swindle, yet similar methods in the past have fetched over $50,000 in a week.

WhatsApp CEO: US Allies' National Security Officials Targeted with NSO Malware

 

According to WhatsApp CEO Will Cathcart, governments used NSO group malware to target high-ranking government officials all around the world. 

Cathcart addressed the spyware assaults discovered by the Project Pegasus inquiry with The Guardian, noting they are similar to a 2019 attack against 1,400 WhatsApp users. 

Cathcart added, “The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then. This should be a wake-up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.” 

NSO Group's military-grade spyware is suspected of being utilized against heads of state, cabinet members, activists, and journalists. Over 50,000 phone numbers have been leaked from the Pegasus project's central breach. The inclusion of a person's phone number on the list, however, does not always indicate that they were efficiently targeted, according to The Guardian. 

The leak is said to have included French President Emmanuel Macron, although NSO denies that none of its clients targeted Macron. The IT company also stated that the reported 50,000 figure was overstated. 

Cathcart, on the other hand, tried to refute this portrayal, stating that his firm had documented a two-week-long attack in 2019 that affected 1,400 customers. He added, “That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high. That’s why we felt it was so important to raise the concern around this.” 

According to The Guardian, WhatsApp lodged a lawsuit against NSO in 2019, saying that the corporation had transmitted malware to its customers' phones. NSO, an Israeli firm, argued that the responsibility should be put on its customers who are the foreign government. 

“NSO Group claims that a large number of governments are buying their software, that means those governments, even if their use of it is more controlled, those governments are funding this," Cathcart stated. "Should they stop? Should there be a discussion about which governments were paying for this software?” 

The NSO spokesperson told The Guardian, "We are doing our best to help to create a safer world. Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists, and criminals using end-to-end encryption platforms? If so, we would be happy to hear."

Pegasus: The Case of the Infamous Spyware

 

The case of the infamous spyware Pegasus has taken the world by storm, with news revealing its unlawful use infringing on many people's basic human rights. With such remote surveillance now accessible via an infected device, the issue of cybersecurity has grown more pressing than ever. According to sources from throughout the world, NSO Group's software was used to spy on around 50,000 people, including politicians, businessmen, journalists, and activists. 

Dmitry Galov, a security researcher at Kaspersky's GReAT, describes the Pegasus spyware's beginnings and how it differs from vulnerabilities. “Pegasus is a spyware with versions for both iOS and Android devices,” he explains. Even in 2017, the criminal had the ability to “read the victim's SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history, among other things.” To clarify, Galov argues that Pegasus is a sophisticated and costly malware. It was created with the intent of spying on people of particular interest. As a result, the typical user is unlikely to be a target. 

However, the spyware's sophistication makes it one of the most powerful tools for spying on one's smartphone. Pegasus has evolved over time to attack a number of zero-day vulnerabilities in Android and iOS. Although it tries to remove its own traces from an infected device, some of them can still be seen under forensic examination. According to Galov, many parties on the darknet can sell and buy malware as well as zero-day vulnerabilities. Vulnerabilities can cost up to $2.5 million - that's how much the whole chain of Android vulnerabilities was offered for, in 2019. 

Amnesty International researchers have created a toolkit that can assist consumers to determine whether their phone has been infected with spyware. The open-source toolkit has been made accessible on GitHub by Amnesty International. Users must first download and install a python package from the MVT (Mobile Verification Toolkit) website's documentation. It also contains advice on how to complete the procedure on both iOS and Android. Users must take a backup of their iOS device before launching MVT. 

According to Amnesty International, the goal of MVT is to make it easier to conduct a "consensual forensic study" of devices belonging to people who may be the victims of sophisticated mobile spyware attacks. “We do not want MVT to enable privacy violations of non-consenting individuals,” Amnesty said. “Therefore, the goal of this license is to prohibit the use of MVT (and any other software licensed the same) for the purpose of adversarial forensics.”

Apple’s iPhone is the Easiest to Snoop on Using the Pegasus, Says Amnesty

 

NSO Group, an Israeli cyber intelligence firm, developed Pegasus spyware as a surveillance tool. As claimed by the corporation, this firm is known for developing advanced software and technology for selling primarily to law enforcement and intelligence agencies of approved nations with the sole objective of saving lives by preventing crime and terror activities. Pegasus is one such software designed to get unauthorized access to your phone, gather personal and sensitive data, and transfer it to the user who is spying on you. 

Pegasus spyware, according to Kaspersky, can read SMS messages and emails, listen to phone calls, take screenshots, record keystrokes, and access contacts and browser history. A hacker may commandeer the phone's microphone and camera, turning it into a real-time monitoring device, according to another claim. It's also worth mentioning that Pegasus is a complex and expensive spyware meant to spy on specific individuals, so the typical user is unlikely to come across it. 

Pegasus malware snooped on journalists, activists, and certain government officials, and Apple, the tech giant that emphasizes user privacy, was a victim of the attack. Indeed, according to Amnesty's assessment, Apple's iPhone is the easiest to snoop on with Pegasus software. According to the leaked database, iPhones running iOS 14.6 feature a zero-click iMessage exploit, which could have been used to install Pegasus software on the targeted entities' iPhones. The Cupertino behemoth has issued a statement condemning the assault. 

Apple’s Head of Security Engineering and Architecture, Ivan Krsti, in a statement said, "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data." 

Citizen Labs had already uncovered this flaw. Zero-click attacks are practically invisible and run in the background because they do not require the user's involvement. In iOS 14, Apple included the Blastdoor framework to make zero-click attacks more difficult, although it does not appear to be operating as planned.

Israeli Firm Assisted Governments Target Journalists & Activists with Zero Days and Spyware

 

Microsoft as part of its Patch on Tuesday fixed two of the zero-day Windows flaws weaponized by Candiru, an Israeli firm in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. 

According to a report published by the University of Toronto's Citizen Lab, the spyware vendor has also been formally identified as the commercial surveillance firm that Google's Threat Analysis Group (TAG) revealed was exploiting multiple zero-day vulnerabilities in Chrome browser to attack victims in Armenia. 

"Candiru's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers stated.

"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services." 

Founded in 2014, the private-sector offensive actor (PSOA) — codenamed "Sourgum" by Microsoft — is stated to be the creator of DevilsTongue, an espionage toolkit able to infect and track a wide range of devices across multiple platforms, including iPhones, Androids, Macs, PCs, and cloud accounts. 

After gaining a hard drive from "a politically active victim in Western Europe," Citizen Lab stated it was able to restore a copy of Candiru's Windows spyware, which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771 that were leveraged to install malware on victim boxes. 

The infection chain used a combination of browser and Windows vulnerabilities, with the latter being transmitted through single-use URLs emailed on WhatsApp to targets. On July 13, Microsoft patched both privilege escalation issues, which allow an attacker to bypass browser sandboxes and obtain kernel code execution. 

The attacks resulted in the deployment of DevilsTongue, a modular C/C++-based backdoor capable of exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers. Microsoft discovered that the digital weapon could gather data, read the victim's messages, get photos, and even send messages on their behalf using stolen cookies from logged-in email and social media accounts including Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte.

Furthermore, the Citizen Lab study linked two Google Chrome vulnerabilities — CVE-2021-21166 and CVE-2021-30551 — to the Tel Aviv firm, citing similarities in the websites used to disseminate the exploits. 

A total of 764 domains related to Candiru's spyware infrastructure were discovered, many of which purported to be advocacy groups such as Amnesty International, the Black Lives Matter movement, media businesses, and other civil-society-oriented enterprises. 

Saudi Arabia, Israel, the United Arab Emirates, Hungary, and Indonesia were among the countries that ran systems under their authority. 

According to a Microsoft report, an Israeli hacking-for-hire firm has assisted government clients in spying on more than 100 people throughout the world, including politicians, dissidents, human rights activists, diplomatic staff, and journalists.

Among other well-known news outlets, the Guardian and the Washington Post released information of what they termed "global surveillance operations" using Pegasus. The surveillance is said to be aimed at journalists and according to the claims, Pegasus malware is being used to spy on people by over ten nations. 

SOURGUM's malware has so far targeted over 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. 

These attacks mostly targeted consumer accounts, implying that Sourgum's users were pursuing part of the attack. TAG researchers Maddie Stone and Clement Lecigne noticed a rise in attackers utilizing more zero-day vulnerabilities in their cyber offensives in the early 2010s, which they attribute to more commercial vendors offering access to zero-day flaws. 

Microsoft Threat Intelligence Center (MSTIC) stated in a technical rundown, "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices.” 

"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks," MSTIC added.