Categories
Mobile Syrup

Toronto’s Citizen Lab uncovered Predator, a Pegasus-like spyware, on iPhones

While Israeli cyberarms firm NSO Group’s ‘Pegasus’ spyware dominated headlines, other groups quietly sold equally powerful spyware. Security researchers at Toronto-based Citizen Lab released a lengthy report on spyware called ‘Predator’ after finding it on an iPhone that had also been infected with NSO Group’s Pegasus.

Citizen Lab discovered Predator when an exiled Egyptian politician named Ayman Nour became suspicious because his phone was “running hot.” Researchers found Nour’s phone was infected with Pegasus and also identified a second piece of spyware, which they determined was Predator. They also connected Predator to Cytrox, a company based in North Macedonia.

Researchers also found Predator running on the phone of an Egyptian news show host who asked not to be named.

Both phones were iPhones running iOS 14.6 — the latest version at the time of the hacks — which suggests that Predator exploited a never-before-seen vulnerability in the iPhone’s software to infect the phones.

TechCrunch asked Apple about the vulnerability, but a company spokesperson declined to say whether Apple had patched it. Citizen Lab noted that it shared copies of “forensic artifacts” from its Predator investigation with Apple and that the iPhone-maker confirmed it was investigating.

Predator can survive a reboot, making it more persistent than Pegasus

Predator and Pegasus have similar feature sets and, according to Citizen Lab, Predator was delivered to Nour’s iPhone via a malicious link sent over WhatsApp. When Nour opened the link, Predator was able to gain access to the phone’s cameras and microphone, as well as pull data off the phone. Unlike Pegasus, however, Predator cannot silently infect a phone without user interaction. In other words, the spyware relies on user input, like clicking a malicious link, to activate.

Researchers said Predator makes up for that with persistence — the spyware can survive a reboot of an iPhone, which would typically clear out any spyware lurking in the phone’s memory. It does so by creating an automation using the Shortcuts feature built into iOS.

Meta banned Cytrox and other groups from its platforms

TechCrunch also detailed an effort by Facebook parent company Meta to ban surveillance-for-hire groups. Meta banned seven groups — including Cytrox — from its platforms and said it removed over 1,500 Facebook and Instagram accounts associated with the seven groups. Further, Meta said the accounts were used to send malicious links to targets in over 100 countries. The company alerted some 50,000 people it believes were targeted by these groups.

Citizen Lab said that Predator was likely being used by government customers in Armenia, Greece, Serbia, Indonesia, Madagascar, Oman, Egypt and Saudi Arabia. Meta’s investigation also found Predator customers in Vietnam, the Philippines and Germany.

While certainly concerning, it’s worth keeping in mind that these tools aren’t necessarily problems for the average person. Pegasus and Predator have so far been used to target journalists, politicians, human rights advocates and similar figures. Moreover, these spyware tools are commonly delivered through malicious links — as such, it’s a good idea to avoid clicking any link you receive, especially if it comes from an unfamiliar source.

You can read Citizen Lab’s full report here.

Source: Citizen Lab, Meta. Via: TechCrunch

Apple will send threat notifications to potential spyware targets

Following Apple’s announcement that it will sue NSO for attacking iOS users, the iPhone-maker also revealed that it is monitoring devices for signs of compromise and will alert users whose devices are affected.

As a refresher, NSO is an Israel-based company that developed the ‘Pegasus’ spyware used to compromise iPhones. NSO claims it only sells the tool to governments and law enforcement agencies, but reports show that Pegasus was used against activists, journalists and even Jeff Bezos (just to name a few targets).

According to a new support document from Apple, the company will deliver threat notifications to people potentially targeted by Pegasus in three ways: via iMessage, email and an alert on the Apple ID website (pictured below).

Further, Apple says that these threat notifications will never ask users to click on any links or install anything. If you receive a threat notification and aren’t sure about its validity, Apple suggests you sign into ‘appleid.apple.com’ to check.

Apple ID threat notifications

However, the company also acknowledges that things can change quickly, and says it cannot guarantee it will detect all attacks. Apple warns that false alarms are possible as well.

Finally, Apple lays out several steps iPhone owners should take to further protect themselves from potential attacks. Steps include updating devices to the latest software and security fixes, protecting devices with a passcode, using two-factor authentication (2FA) and a strong password for their Apple ID, only installing apps from the App Store (where else would you get them?), using strong passwords for online services and finally, Apple warns not to click on links or attachments from unknown senders.

That last one is particularly important when it comes to Pegasus. One of the main ways attackers deliver spyware is by sending links or files to targets. When clicked, these links or files can install Pegasus without the target’s knowledge.

It might also be wise to avoid clicking links or opening files sent by people in your contacts. It’s entirely possible for attackers to spoof sender details to make a message look like it’s coming from a familiar source.

All that said, most people probably don’t need to worry about Pegasus on their phones. The tool is often deployed against journalists, activists, politicians and other public or important figures, not average people. Still, at least now there’s some reassurance that if an attacker used Pegasus against you, Apple might be able to warn you about it.

Those interested can learn more about Apple’s threat notifications here.

Source: Apple. Via: 9to5Mac