Three zero-day vulnerabilities that Apple addressed on September 21, 2023 were used as part of an iPhone exploit chain in an attempt to target former Egyptian MP Ahmed Eltantawi between May and September 2023. Ahmed Eltantawy spreads spyware called Predator.
"The attack occurred after El Tantawi publicly stated his plans to run for president in Egypt's 2024 elections," the lab said. The lab attributed the attack with a high degree of confidence to the Egyptian government, which is Known customers of this commercial espionage tool.
According to a joint investigation by Interdisciplinary Labs Canada and Google's Threat Analysis Group (TAG), the mercenary surveillance tool was allegedly delivered via text messages and links sent on WhatsApp.
"In August and September 2023, Eltantawy's Vodafone Egypt mobile connections continued to be selected for attacks via network injection; when Eltantawy visited certain websites that did not use HTTPS, devices installed at the perimeter of the Vodafone Egypt network automatically redirected him to a malicious website, thereby infecting his website. "Cytrox's Predator spyware was installed on the phone," Citizen Lab researchers said.
The exploit chain exploits three vulnerabilities: CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, which could allow a malicious attacker to bypass certificate verification, escalate privileges, and achieve remote code execution on the target. A device used when processing specially crafted web content.
Predator, made by a company called Cytrox, is similar to NSO Group's Pegasus and enables customers to monitor targets of interest and obtain sensitive data from infected devices. It is part of a consortium of spyware vendors called the Intellexa Alliance, which was blacklisted by the US government in July 2023 for "contributing to repression and other human rights abuses."
The vulnerability, hosted on a domain called sec-flare[.]com, is said to have been exploited through a sophisticated network injection attack using a Sandvine-based PacketLogic middlebox after Eltantawy was redirected to a website called c.betly[.]me And spread. Link between Telecom Egypt and Vodafone Egypt.
"The body of the target website consists of two iframes, ID "if1" containing apparently benign decoy content (in this case a link to an APK file that does not contain spyware), and ID "if2" an invisible iframe containing a Predator infection link Hosted on sec-flare[.]com," Citizen Lab said.
Google TAG researcher Maddie Stone describes it as an adversary-in-the-middle (AitM) attack that uses HTTP (rather than HTTPS) access to the website to intercept and force the victim to visit a different website. Websites run by threat actors.
"In this campaign, if the target visited any 'http' website, the attackers injected traffic to silently redirect it to the Intellexa website c.betly[.]me," Stone explained. "If the user is the intended target user, the website redirects the target to the exploit server sec-flare[.]com."
Eltantawy received three text messages in September 2021, May 2023, and September 2023 that were disguised as security alerts from WhatsApp urging Eltantawy to click on links to terminate suspicious login sessions from purported Windows devices.
While the links did not match the fingerprints of the domains mentioned above, the investigation revealed that the Predator spyware was installed on the device approximately 2 minutes and 30 seconds after Eltantawy read the message sent in September 2021.
Be prepared for new AI-drivencyber securityChallenged? Join us for an insightful webinar in partnership with Zscaler to address the growing threat of generative AI in cybersecurity.
Join today
He also received two WhatsApp messages on June 24, 2023, and July 12, 2023, in which an individual claiming to work for the International Federation for Human Rights (FIDH) solicited information regarding an article pointing to the sec-flare website. hisopinions[.]com. These messages are not read.
Google TAG said it also detected an exploit chain that weaponized a remote code execution flaw (CVE-2023-4762) in the Chrome web browser to deliver Predator on Android devices using two methods: AitM injection and via one-time link destinations sent directly to.
CVE-2023-4762 is a type confusion vulnerability in the V8 engine that was reported anonymously on August 16, 2023 and patched by Google on September 5, 2023, although the Internet giant assessed that Cytrox/Intellexa may exploit the Vulnerabilities as zero days.
According to a brief description in the NIST National Vulnerability Database (NVD), CVE-2023-4762 involves "type confusion in V8 in Google Chrome before 116.0.5845.179, allowing a remote attacker to execute arbitrary code via a crafted HTML page."
In addition to highlighting the misuse of surveillance tools against civil society, the latest findings also highlight blind spots in the telecom ecosystem that can be used to intercept network traffic and inject malware into target devices.
"Despite the huge advances in 'encrypting the web' in recent years, users still occasionally visit websites without HTTPS, and a single non-HTTPS website visit can lead to a spyware infection," Citizen Lab said.
Users who are at risk from spyware due to their "identity or conduct" are advised to keep their devices up to date and enable Lockdown Mode on their iPhones, iPads and Macs to avoid such attacks.
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/predator-software-exploits-zero-day-vulnerability-attack-html