U.S. Court Orders NSO Group to Hand Over Pegasus Spyware Code to WhatsApp

Mar 02, 2024 | Newsroom | Spyware / Privacy

A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other products to Meta as part of the social media giant’s ongoing litigation against the Israeli spyware vendor.

The decision marks a major legal victory for Meta, which filed the lawsuit in October 2019 over NSO Group's use of its infrastructure to distribute the spyware to approximately 1,400 mobile devices between April and May. The targets also included two dozen Indian activists and journalists.

These attacks leveraged a then zero-day flaw in the instant messaging app (CVE-2019-3568, CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality, to deliver Pegasus by merely placing a call, even in scenarios where the calls were left unanswered.


In addition, the attack chain included steps to erase the incoming call information from the logs in an attempt to sidestep detection.

Court documents released late last month show that NSO Group has been asked to “produce information concerning the full functionality of the relevant spyware,” specifically for a period of one year before the alleged attack to one year after the alleged attack (i.e., from April 29, 2018, to May 10, 2020).

That said, the company doesn’t have to “provide specific information regarding the server architecture at this time” because WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware.” Perhaps more significantly, it has been spared from sharing the identities of its clientele.

“While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret,” said Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International.

NSO Group was sanctioned by the U.S. in 2021 for developing and supplying cyber weapons to foreign governments that “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”


The development comes as Recorded Future revealed a new multi-tiered delivery infrastructure associated with Predator, a mercenary mobile spyware managed by the Intellexa Alliance.

The infrastructure network is highly likely associated with Predator customers, including in countries like Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It’s worth noting that no Predator customers within Botswana and the Philippines had been identified until now.

“Although Predator operators respond to public reporting by altering certain aspects of their infrastructure, they seem to persist with minimal alterations to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established infrastructure setups,” the company said.

Pegasus Spyware Targeted iPhones of Journalists and Activists in Jordan

Feb 05, 2024 | Newsroom | Spyware / Surveillance

The iPhones belonging to nearly three dozen journalists, activists, human rights lawyers, and civil society members in Jordan have been targeted with NSO Group’s Pegasus spyware, according to joint findings from Access Now and the Citizen Lab.

Nine of the 35 individuals have been publicly confirmed as targeted, out of whom had their devices compromised with the mercenary surveillanceware tool. The infections are estimated to have taken place from at least 2019 until September 2023.

“In some cases, perpetrators posed as journalists, seeking an interview or a quote from victims, while embedding malicious links to Pegasus spyware amid and in between their messages,” Access Now said.

“A number of victims were reinfected with Pegasus spyware multiple times — demonstrating the relentless nature of this targeted surveillance campaign.”

The Israeli company has come under scrutiny for failing to implement rigorous human rights safeguards prior to selling its cyber intelligence technology to government clients and law enforcement agencies for “preventing and investigating terrorism and serious crimes.”


NSO Group, in its 2023 Transparency and Responsibility Report, touted a “significant decrease” in reports of product misuse during 2022 and 2023, attributing the downturn to its due diligence and review process.

“Cyber intelligence technology enables government intelligence and law enforcement agencies to carry out their basic duties to prevent violence and safeguard the public,” the company noted.

“Importantly, it allows them to counter the widespread deployment of end-to-end encryption applications by terrorists and criminals without engaging in mass surveillance or obtaining backdoor access to the devices of all users.”

It further sought to “dispel falsehoods” about Pegasus, stating it is not a mass surveillance tool, that it’s licensed to legitimate, vetted intelligence and law enforcement agencies, and that it cannot take control of a device or penetrate computer networks, desktop or laptop operating systems.

“It is technologically impossible for Pegasus to add, alter, delete, or otherwise manipulate data on targeted mobile devices, or perform any other activities beyond viewing and/or extracting certain data,” NSO Group said.

Despite these assurances, the invasive spyware attacks targeting Jordanian civil society members underscore a continued pattern of abuse that runs counter to the company’s claims.

Access Now said the victims’ devices were infiltrated with both zero-click and one-click attacks using Apple iOS exploits like FORCEDENTRY, FINDMYPWN, PWNYOURHOME, and BLASTPASS to breach security guardrails and deliver Pegasus via social engineering attacks.


The attacks were characterized by the propagation of malicious links to victims via WhatsApp and SMS, with the attackers posing as journalists to increase the likelihood of success of the campaign.

The non-profit further said that enabling Lockdown Mode on the iPhones likely prevented some of the devices from being reinfected with the spyware. It also called on world governments, including Jordan’s, to halt the use of such tools and enforce a moratorium on their sale until adequate countermeasures are adopted.

“Surveillance technologies and cyberweapons such as NSO Group’s Pegasus spyware are used to target human rights defenders and journalists, to intimidate and dissuade them from their work, to infiltrate their networks, and to gather information for use against other targets,” Access Now said.

“The targeted surveillance of individuals violates their right to privacy, freedom of expression, association, and peaceful assembly. It also creates a chilling effect, forcing individuals to self-censor and cease their activism or journalistic work, for fear of reprisal.”

New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone

Jan 17, 2024 | Newsroom | Spyware / Forensic Analysis

Cybersecurity researchers have identified a “lightweight method” called iShutdown for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file named “Shutdown.log,” a text-based system log file available on all iOS devices and which records every reboot event alongside its environment characteristics.


“Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward,” security researcher Maher Yamout said. “The log file is stored in a sysdiagnose (sysdiag) archive.”

The Russian cybersecurity firm said it identified entries in the log file that recorded instances where “sticky” processes, such as those associated with the spyware, caused a reboot delay, in some cases observing Pegasus-related processes in over four reboot delay notices.

What’s more, the investigation revealed the presence of a similar filesystem path that’s used by all three spyware families – “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator – thereby acting as an indicator of compromise.

That said, the success of this approach comes with a caveat: the target user must reboot their device as often as possible, with the appropriate frequency varying according to their threat profile.

Kaspersky has also published a collection of Python scripts to extract, analyze, and parse the Shutdown.log in order to extract the reboot stats.

“The lightweight nature of this method makes it readily available and accessible,” Yamout said. “Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries.”
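A minimal sketch of the Shutdown.log triage described above, added here as an illustration; it is not Kaspersky's published script. The line shapes it matches and the sample log are assumptions constructed for the example, since the article does not show the log format.

```python
import re

# Path prefixes the article names as indicators of compromise
# (Pegasus and Reign under /private/var/db/, Predator under /private/var/tmp/).
SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Assumed line shapes for Shutdown.log entries (not shown in the article).
DELAY_RE = re.compile(r"^After ([\d.]+)s, these clients are still here:")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)")
REBOOT_RE = re.compile(r"^SIGTERM: \[(\d+)\]")

# Constructed sample: one clean reboot, then one delayed by a process
# running from a flagged path. Process names are placeholders.
SAMPLE_LOG = """\
After 1.00s, these clients are still here:
\tremaining client pid: 78 (/usr/libexec/example_daemon)
SIGTERM: [1700000000]
After 1.00s, these clients are still here:
\tremaining client pid: 412 (/private/var/db/example_staging/example_proc)
After 2.01s, these clients are still here:
\tremaining client pid: 412 (/private/var/db/example_staging/example_proc)
SIGTERM: [1700600000]
"""

def analyze(log_text):
    """Return one record per reboot: timestamp, number of delay notices,
    and how many notices each flagged path appeared in."""
    reboots, delays, flagged = [], 0, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if DELAY_RE.match(line):
            delays += 1
        elif (m := CLIENT_RE.search(line)):
            path = m.group(2)
            if path.startswith(SUSPICIOUS_PREFIXES):
                flagged[path] = flagged.get(path, 0) + 1
        elif (m := REBOOT_RE.match(line)):
            reboots.append({"timestamp": int(m.group(1)),
                            "delay_notices": delays,
                            "flagged": flagged})
            delays, flagged = 0, {}
    return reboots

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        status = "REVIEW" if r["flagged"] else "ok"
        print(r["timestamp"], r["delay_notices"], status, r["flagged"])
```

A hit on these prefixes is a lead for further analysis rather than a verdict, and reboots with several delay notices from the same flagged path deserve the closest look.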


The disclosure comes as SentinelOne revealed information stealers targeting macOS such as KeySteal, Atomic, and JaskaGo (aka CherryPie or Gary Stealer) are quickly adapting to circumvent Apple’s built-in antivirus technology called XProtect.

“Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade,” security researcher Phil Stokes said. “Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed.”
