Tumgik
#Apple iPhone Pegasus Attack
bopinion · 1 year
2023 / 07
Aperçu of the Week:
"Success has two letters: Do!"
(Johann Wolfgang von Goethe)
Bad News of the Week:
The only serious competition to Silicon Valley is neither in Europe nor in the Far East, but between the Dead, the Red and the Mediterranean Sea: Israel. Unfortunately. Because it's rather frightening innovations that come out of the more than 300 development and research centers around Tel Aviv. And I don't mean the energy that the state puts into cutting-edge technology for the military, surveillance and espionage. But rather the focus that private-sector companies in the region have also chosen.
Three examples: Cellebrite openly advertises that it can crack iDevices. Much to the delight of the FBI, for example, because Apple had refused to crack iPhones for U.S. authorities or to build a backdoor into their encryption. The questionable services are open to any organization, even criminal ones, for a fee, as if it were a normal IT service.
NSO became a global player in commercial spyware. A market that has grown into an industry estimated to be worth twelve billion dollars, estimates The New Yorker. Their tool named Pegasus was found on the phones of politicians, activists, and dissidents under repressive regimes. The suppression of the Catalan independence movement and the murder of Saudi Arabian journalist Jamal Khashoggi with the help of this spyware are documented.
And just last week, investigative media revealed Team Jorge's business model: professional spreading of fake news to influence elections. They were hired for 32 campaigns, 27 of which were verifiably successful, they say. Yes, political success can be bought - at the expense of the opposition.
What these three examples have in common is a perfidious "not giving a fuck" attitude, which goals are pursued and also achieved with their help. For these are clearly directed against such trivialities as free democracy, independent media, functional rule of law or transparent power apparatuses. The main thing is that the money is right. The framework conditions for this seem to be optimal in Israel, of all places. And when I look at the position of Benjamin Netanyahu's newly enthroned right-wing government against an independent judiciary or free media, this will not change.
Good News of the Week:
In mid-February, Munich always hosts the "Munich Security Conference" (MSC), the world's most important meeting of top politicians on international security. While last year appeals to Russia not to attack Ukraine dominated - we all know what happened a few days later - this time it is about the concrete handling of the war that initiated the much-cited "turning point in time":
The unexpectedly dysfunctional NATO is strengthening internally (higher defense budgets) and externally (Sweden and Finland want to join the alliance), new bloc formations are emerging, the arms industry can no longer keep up with demand, Europe is groaning under a wave of refugees, economic sanctions by the West are turning out to be far less effective than expected, Putin is not wavering. War has become the order of the day.
Major strategic news is not to be expected. All countries have already clearly positioned themselves. From clear, even military support for Ukraine (e.g. all NATO members) to an effort of neutrality based on energy policy (e.g. India or Latin America) to support for the Putin course (e.g. Belarus, Syria or Myanmar). All countries have already taken a clear position? No - the elephant in the room is China.
The youngest major security power calls for peace, but does not name Russia as the aggressor. And just yesterday launched "Operation Mosi II," a joint large-scale naval maneuver with Russia and South Africa off the latter's Indian Ocean coast. So there was little hope that the Middle Kingdom - seen by almost all observers as the only power with de facto influence over the Kremlin - would actively do anything to defuse the conflict.
But then Wang Yi, longtime foreign minister of the People's Republic of China, entered the Munich stage - and stunned. By announcing a peace initiative to end Russia's war of aggression against Ukraine, he said, "We will put something forward. And that is the Chinese position on the political settlement of the Ukraine crisis," the Politburo member said Saturday, according to an official translation. "We will stand steadfastly on the side of peace and dialogue." For a safer world, he said, "the principles of the UN Charter are something we must uphold." Good. Very good. Now words just need to be followed by action.
Personal happy moment of the week:
In our countryside, there are plenty of typical Bavarian inns. And, as everywhere, countless Italians and Asians. Rarer are nice cafés where you can have a good breakfast. One we have - thanks to a voucher that I already got last year for my birthday - tried today. Very good coffee, a manageable but balanced menu. With regional products and in a former monastery building. It was worth it. It's always nice to start the Sunday with a delicious breakfast.
I couldn't care less...
...that Ukraine has requested cluster bombs and chemical weapons on the MSC. These are internationally outlawed because they cause massive collateral damage in violation of international law - including to the civilian population. That Russia is not caring about this may be, is even probable. Nevertheless, this quid pro quo logic is too weak for me. If they go low, you (still should) go high.
As I write this...
...I am mourning a little Lothar Wieler quitting his job. As head of the Robert Koch Institute (RKI) he was the Anthony Fauci of Germany. And yet more than just the side kick of the respective health minister. As a politically independent person, he moderated the pandemic in a serious but calm manner. He analyzed, commented, admonished and annoyed. Far away from the day-to-day political business. Against his will, he became a media star, even though he much preferred to sit in the lab and work on his figures. He did what he thought he had to do. Tormented by the thought that "even one more child must die". Big shoes to fill.
Post Scriptum
To be climate neutral, each person should only emit less than one ton of CO2 or similar greenhouse gases per year - currently the average is 11.6 tons. Far ahead of the consumption of beef or air travel to the South, individual transport is the main polluter: the Germans' favorite child, the car. But the will in this country to rely on electromobility seems to be driven more by financial interests than by actual conviction. When gasoline was expensive and electric cars were tax-subsidized in 2022, there was a boom. That plummeted dramatically over the turn of the year, with 83 percent fewer fully electric cars and 87 percent fewer plug-in hybrids registered in January 2023 compared to the previous month. Sigh...
3 notes · View notes
secureonlinedesktop · 1 month
Zero Click Malware: The Invisible Digital Threat – How to Recognize and Defend Yourself
What is Zero Click Malware
Zero click malware, also known as non-click malware or in-memory malware, is a new type of malware that can infect a device without the user taking any action. Unlike traditional malware that requires the user to click on a link or open an infected attachment, zero click malware is able to install itself on the victim's device completely silently and invisibly, without any interaction on their part.
How Zero Click Malware Works
This type of malware exploits various vulnerabilities in software and operating systems to gain access to the device. Some common infection vectors include:
- Zero-day vulnerabilities not yet patched
- Bugs in web browsers and messaging apps
- Packet sniffers that intercept network traffic
- Insecure public WiFi networks
- Websites compromised with drive-by exploits
Once initial access is gained, zero click malware uses advanced techniques to keep itself hidden and avoid detection. It can disable antivirus software, hide in RAM memory, encrypt communications, and much more.
Why Zero Click Malware is Dangerous
The completely stealthy nature of this malware makes it extremely insidious and difficult to identify. Even the most security-conscious users can be infected without knowing it. This allows hackers to:
- Monitor all activities performed on the infected endpoint
- Collect sensitive data such as credentials, personal information, browser history
- Move laterally within the network to infect other systems
- Use the device for ransomware or denial of service attacks
Furthermore, since no clicks or actions are required, zero click malware can spread very quickly, affecting a large number of victims.
Case Studies and Technical Analysis
Some real-world cases have recently emerged that illustrate the capabilities of this new category of cyber threats. One of the first zero click exploits to gain attention was Pegasus, developed by cybersecurity firm NSO Group. Used by some governments to spy on journalists and activists, Pegasus exploits zero-day vulnerabilities in iOS and Android to install itself without any user interaction. Another famous case is ForcedEntry, used to hack the iPhones of several employees in Bahrain. ForcedEntry exploits a vulnerability in iMessage to install spyware on Apple devices without any click. These and other cases demonstrate the severity of the threat and the need for advanced protection solutions capable of detecting and preventing zero-click attacks.
How to Detect and Prevent Zero Click Attacks
Since this type of threat leaves no visible traces, identifying and stopping them requires targeted strategies:
- Patching and updates - Always apply the latest security updates to fix known vulnerabilities
- EDR Solutions - Endpoint detection and response technologies that analyze memory-based threats and anomalous behavior
- Advanced web protection - Secure web gateways capable of inspecting all traffic entering and leaving the network
- Network Segmentation - Limit the ability of malware to move laterally by isolating and segmenting critical systems
- Strong Authentication - Enable multi-factor authentication to prevent targeted phishing attacks that often precede zero-clicks
- Awareness Training - Instruct users to recognize and report suspicious activity that may indicate an infection
A layered approach that integrates multiple technologies and policies is essential to defend against this ever-evolving threat.
Increase Prevention with Deception Solutions
One of the most effective strategies against zero-click malware is the use of deception solutions. These solutions create a seemingly attractive environment for malware, but in reality they are traps that detect and isolate threats before they can cause damage. By taking a multi-stage approach to defense, you can dynamically respond to threats as they evolve, defeating attackers with their own techniques.
Continuous Testing and Threat Simulations
Attack simulations and continuous testing of security controls are another key pillar in zero-click malware defense. Services like Posture Guard help organizations verify their security posture by leveraging a vast database of threats, including malware, ransomware, and Advanced Persistent Threats (APTs). These tests help you evaluate the effectiveness of your security tools and optimize your threat prevention and detection capabilities.
Cyber Threat Hunting and Threat Intelligence
Cyber Threat Hunting is crucial to proactively identify threats and sensitive information that may have been compromised. Having a team of experts dedicated to this activity allows you to quickly recover stolen information and organize a more targeted defense. Combined with continuous vulnerability analysis and incident response, this strategy offers significantly improved protection against zero-click attacks.
User training and awareness
While zero-click malware does not require user interaction for infection, a well-informed and aware workforce can still play a crucial role in preventing other types of cyber attacks. Training users on good cybersecurity practices can reduce the risk of malware infections and increase overall security.
Adopt a Dynamic Approach to Security
Taking a dynamic approach to security is essential. Solutions like Active Defense Deception work to respond to attacks during the initial stages, using dynamic techniques to prevent attacks from reaching execution and more advanced stages. This type of proactive defense can deter attackers and make the environment less attractive for malware.
Forecasts and Future Developments
Experts predict that zero-click malware attacks will become one of the most used techniques by hackers in the years to come. As user awareness of malware and phishing grows, cybercriminals will look for new invisible vectors to deliver malicious payloads. Additionally, the continued rise of IoT devices and smart home technologies presents attackers with an ever-increasing number of potential weak and unpatched targets. Operating environments such as 5G and edge computing could also facilitate the spread of zero-click threats. To counter these trends, companies and security vendors will need to invest more in threat intelligence, bug bounties, sandboxing and machine learning-based threat detection techniques. Only in this way will it be possible to unmask the rapidly evolving zero-click attacks in no time.
Conclusions
Clickless malware is emerging as one of the most stealthy and dangerous tactics of modern hackers. Its ability to bypass any human interaction to infect entire systems represents a critical challenge for the world of cybersecurity. To protect individuals and companies from this threat, it is essential to adopt preventive measures at multiple levels, from patching to network monitoring to training. Only by combining awareness and advanced technological solutions will it be possible to combat the phenomenon of zero-click attacks and maintain data integrity and security in the future.
0 notes
mariacallous · 9 months
Russian journalist Yevgeny Erlikh, who previously served as the editor-in-chief of a Baltic-based news program for the outlet Current Time, revealed in a Facebook post Thursday that he received a notification from Apple that said his iPhone may have been targeted by “state-sponsored attackers.”
Meduza’s publisher and general director Galina Timchenko received a similar message in June, shortly before cybersecurity experts determined that her device had been infected with Pegasus spyware.
According to Erlikh, his phone, like Timchenko’s, had a Latvian SIM card. In an interview with TV Rain, he said that he received the message from Apple in late August and that he was in Germany at the time.
Maria Epifanova, the general director of Novaya Gazeta Europe, and Yevgeny Pavlov, a correspondent for Novaya Gazeta Baltija, also said Thursday that they both received similar alerts from Apple on August 29. Novaya Gazeta Europe noted that Pavlov is a Latvian citizen and has lived in the country his entire life.
1 note · View note
infradapt · 9 months
Emergency Fix: Google's Response to Chrome Vulnerability
On Monday, Google released emergency security updates to address a critical vulnerability in its Chrome web browser, which it said is being actively exploited in the wild. Tracked as CVE-2023-4863, the issue is a heap buffer overflow in the WebP image format, potentially leading to arbitrary code execution or a system crash.
The flaw was discovered and reported on September 6, 2023, by Apple’s Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto’s Munk School. While Google has not yet revealed further information regarding the nature of the attacks, it has confirmed that an exploit for CVE-2023-4863 is being used in the wild.
With this latest patch, Google has resolved a total of four zero-day vulnerabilities in Chrome since the beginning of the year, including
CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8,
CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in Skia, and
CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8.
This development occurred simultaneously with Apple’s extension of fixes to address CVE-2023-41064 for several devices and operating systems, including iOS 15.7.9 and iPadOS 15.7.9 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation), as well as macOS Big Sur 11.7.10 and macOS Monterey 12.6.9.
CVE-2023-41064 is associated with a buffer overflow problem in the Image I/O component that could facilitate arbitrary code execution when handling a maliciously crafted image. The Citizen Lab suggests that CVE-2023-41064 was used in combination with CVE-2023-41061, a validation issue in Wallet, as part of a zero-click iMessage exploit chain called BLASTPASS to deploy Pegasus on fully-updated iPhones running iOS 16.6.
Given that both CVE-2023-41064 and CVE-2023-4863 are centered around image processing and that both were reported by Apple and the Citizen Lab, there is a suggestion of a potential link between the two. To counter potential threats, users are advised to update to Chrome version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to implement the fixes as they are released.
https://www.infradapt.com/news/googles-response-to-chrome-vulnerability/
0 notes
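An added example, not part of the original post: a fleet inventory check against the fixed Chrome builds the post names for CVE-2023-4863. The `host,platform,version` line format, the host names and the sample versions are constructed for illustration, and the script assumes that any build numerically at or above the fixed one carries the fix.

```python
"""Flag Chrome installs that predate the CVE-2023-4863 fix (added example)."""
import re

# Fixed builds exactly as given in the post. Windows received .187/.188,
# so .187 is the lowest fixed build on every platform.
FIXED_BUILDS = {
    "windows": (116, 0, 5845, 187),
    "macos": (116, 0, 5845, 187),
    "linux": (116, 0, 5845, 187),
}

VERSION_RE = re.compile(r"\d+\.\d+\.\d+\.\d+", re.ASCII)


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or raise ValueError."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    if fixed is None:
        # Chromium-based browsers and other platforms use their own numbering.
        return "unknown"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    # Tuples compare numerically field by field, so .96 sorts below .187;
    # a plain string comparison would get this wrong.
    # Assumption: every build at or above the fixed one carries the fix.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory_lines):
    """Parse 'host,platform,version' lines and return {host: status}."""
    results = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 3:
            results[fields[0]] = "unknown"
            continue
        host, platform, version_text = fields
        results[host] = classify(platform, version_text)
    return results


def needs_attention(results):
    """Hosts to follow up on: vulnerable first, then those we could not assess."""
    order = {"vulnerable": 0, "unknown": 1}
    flagged = [(host, status) for host, status in results.items() if status in order]
    return sorted(flagged, key=lambda item: (order[item[1]], item[0]))


# Constructed sample inventory (host names and the CSV layout are made up).
SAMPLE_INVENTORY = """\
# host,platform,version
ws-014,windows,116.0.5845.188
ws-022,windows,116.0.5845.96
mac-003,macos,116.0.5845.187
lnx-build1,linux,115.0.5790.170
lnx-build2,linux,117.0.5938.62
kiosk-07,windows,116.0.5845
edge-01,edge,116.0.1938.81
""".splitlines()

if __name__ == "__main__":
    for host, status in needs_attention(audit(SAMPLE_INVENTORY)):
        print(f"{host}: {status}")
```

Entries reported as unknown, such as truncated version strings or Chromium-based browsers with their own numbering, need a manual check against the vendor's release notes.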
ailtrahq · 9 months
Dogecoin users on Apple iOS devices are being urged to update their software immediately by prominent members of the community. The warning comes after Citizen Lab, a cybersecurity research organization, discovered a significant security vulnerability that allows attackers to compromise iOS devices without any user interaction.
The exploit, dubbed BLASTPASS, involves malicious PassKit attachments sent via iMessage and can affect iPhones running the latest iOS version 16.6. Apple has since issued an update to address the issue.
BLASTPASS exploit chain
The BLASTPASS exploit chain was discovered while Citizen Lab was investigating the device of an individual associated with a Washington, D.C.-based civil society organization.
The exploit allows attackers to deliver NSO Group's Pegasus spyware to the victim's device without even requiring any clicks or interaction on the part of the user.
Given the severity of the vulnerability, Apple and Citizen Lab are encouraging users to enable lockdown mode, a security feature that is believed to block this particular attack effectively.
Beyond Dogecoin
Of course, the discovery has far-reaching implications not just for Dogecoin users but for the broader iOS community. Cryptocurrency holders are often targeted for their digital assets, making the rapid patching of such vulnerabilities crucial. Patrick Lodder, a member of the crypto community, took to social media to emphasize the importance of lockdown mode, stating, "Lockdown mode...the only mode.
0 notes
tonkiwisdom · 2 years
Apple security update flaw iphones iwatches
Many apps will automatically create a preview or cache of links in order to improve the user experience," Schless said. "Pegasus is delivered via a malicious link that's been socially engineered to the target, the vulnerability is exploited and the device is compromised, then the malware communicated back to a command-and-control (C2) server that gives the attacker free reign over the device.
It can now be deployed as a zero-click exploit, which means that the target user doesn't even have to tap a malicious link for the surveillanceware to be installed, Schless explained, adding that while the malware has adjusted its delivery methods, the basic exploit chain remains the same. Hank Schless, senior manager of security solutions at Lookout, said the tool has continued to evolve and take on new capabilities. In 2016, cybersecurity company Lookout worked with Citizen Lab to discover Pegasus. "End-to-end encryption keeps everyone safe, especially those from vulnerable communities - like journalists, activists, and LGBTQ+ community members in more conservative countries." In a longer report about the vulnerability, Citizen Lab researchers said that it is the "latest in a string of zero-click exploits linked to NSO Group." Their security needs to be a *top* priority." They are on every device and some have a needlessly large attack surface. Popular chat apps are the soft underbelly of device security. Discovery is inevitable byproduct of selling spyware to reckless despots. But here we are.again: their exploits got discovered by us because they were used against an activist. spyware company, had infected Apple products without so much as a click. "NSO Group says that their spyware is only for targeting criminals and terrorists. Victim sees *nothing,* meanwhile Pegasus is silently installed and their device becomes a spy in their pocket," Scott-Railton explained.
Thing is, the '.gif' files.were actually Adobe PSD & PDF files.and exploited Apple's image rendering library. A recent a re-analysis yielded something interesting: weird looking '.gif' files. "Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected with Pegasus spyware. They found that the vulnerability has been in use since at least February. John Scott-Railton, a senior researcher at Citizen Lab, spoke out on Twitter to explain what he and Citizen Lab senior research fellow Bill Marczak found and reported to Apple.
0 notes
projectcubicle1 · 2 years
How to Remove Pegasus Spyware From iPhone
In recent decades, the fast rise of technology has resulted in many innovations and inventions. Many platforms and applications support ongoing communication from all parts of the world. Smartphones have become a gateway to endless opportunities for both people and businesses. With the entire world connected and in sync, it’s easier than ever to stay in touch with people in various ways. Today we will take a detailed look at Pegasus spyware and how to detect it.
But there’s always a downside to every opportunity and advantage, because these connections give rise to other forms of threat: threats to online security and data protection. If you own any digital device, “Pegasus spyware” may be a familiar or even common term for you. The term itself serves as a reminder to stay as vigilant as ever when using online platforms and applications, or even a simple web download from an unknown source.
When your personal security is compromised by such software, your life may be on the line. Online security is crucial, and countries spend billions of dollars to keep cyberspace as safe as possible. The US alone spent around 60B USD on cybersecurity. While additional cybersecurity measures can cost a lot, you can start your online safety by knowing how to detect Pegasus spyware and ensuring that you keep all your devices safe.
What is Pegasus Spyware?
Pegasus is one of the most powerful pieces of hacking software that can get into devices. It can turn your iPhone into a surveillance device, enabling other people to access your camera, location, and other surveillance software. Pegasus attacks have been coordinated through various socially engineered messages and phishing mechanisms. Imagine your cellphone streaming access to your camera without your permission and showing unwanted people everything you do each day. Pegasus can quickly turn your phone into a surveillance device. While this may seem small for ordinary people, imagine government officials and bigger figures in the same scenario. Infiltration and data breaches become the primary form of powerful attacks in political warfare. Pegasus has become a more prominent cyber threat over the years.
Removing Pegasus Spyware from an iPhone device
How can you prevent any spyware from infiltrating your phone? The last thing you need is for unknown people to see where you live or gain access to your home layout. Ensure that you practice the best methods for keeping Pegasus spyware from controlling your iPhone and transforming it into a surveillance device.
Don’t skip the iOS updates
It helps to keep your iPhone on the latest iOS update as much as possible. Apple continually releases system updates to improve your device's current system. These releases include protective measures to keep every iPhone well-protected from the worst cyber threats. Consider every iOS update an investment in your online safety and device protection. Each update may take up more space on your device, but it leaves fewer loose ends that could compromise it.
Download the MVT
Amnesty International is one of the most prominent organizations that focus on human rights. It’s a non-government organization that has millions of supporters globally. Amnesty International created software that helps in mitigating the persistence of Pegasus spyware. Protection, both in real life and online, is a right everybody should safeguard. The MVT, or Mobile Verification Toolkit, provides consensual forensic analysis of devices. First, download the MVT to your device and let it run to analyze your device for the presence of Pegasus spyware.
Replace your phone
Pegasus spyware infections go beyond the surface level of the operating system and extend into lower levels of the system code, which means the spyware is challenging to detect. It’s best to consider a phone replacement if you think that the spyware persists on your device. Sometimes, running forensics may not be enough to detect the root location of the Pegasus spyware. It then becomes more difficult to keep using the device and storing information on it without compromising your everyday safety.
Disadvantages Of Pegasus Spyware
Pegasus spyware may get unauthorized access to your smartphone and collect personal and sensitive information, which it then sends to the users spying on you. It has used zero-click attacks to effectively target various mobile devices. Even a missed call can be used to insert it. It is specifically designed to get through a device's security. According to the firm, this spyware is marketed to government intelligence agencies to prevent hostile activity.
What is Zero-Click Attack and how does it work?
Many spyware attacks need you to click on a link sent to you by SMS or email, or the spyware may be included in programs or software you download from the Internet. Zero-click attacks, on the other hand, are spyware attacks like Pegasus that do not need the user to take any action. As a result, it is the most dangerous and powerful spyware that gains "root-level" access to your phone. Because these services are geared for analyzing information and receiving data from untrusted sources, zero-click or remote attacks target applications that provide messaging or phone calling.
Conclusion
Keeping your iPhone and other devices safe is one of the most crucial responsibilities of any owner. Be vigilant about links sent to your phone from unknown numbers, and think twice before downloading or answering email forms from unknown senders. The moment something feels off, it’s best not to engage.
0 notes
zeamex · 2 years
Apple's New Lockdown Mode for iPhone Fights Hacking
This story is part of Focal Point iPhone 2022, CNET’s collection of news, tips and advice around Apple’s most popular product.
What’s happening: Apple is developing a new “Lockdown Mode” for its iPhones, iPads and Mac computers. It’s designed to fight industrial-strength hacking like the NSO Group’s Pegasus.
Why it matters: Though these attacks happen to a small group of people, the threat is…
0 notes
newscakra · 2 years
Apple's New Lockdown Mode
Apple will be offering a new “Lockdown Mode” for its iPhones, iPads and Mac computers. It’s designed to fight advanced hacking and targeted spyware like the NSO Group’s Pegasus. Though these attacks happen to a small group of people, the threat is growing. Pegasus was used by repressive governments to spy on human rights activists, lawyers, politicians and journalists. Apple says it’s identified…
0 notes
macnews-org · 2 years
iPhone Lockdown Mode could benefit those of us who will never use it
Apple had big security news yesterday, announcing that iOS 16 will introduce a new iPhone Lockdown Mode designed to protect users from even the most sophisticated cyber attacks like those carried out by NSO’s Pegasus spyware. Apple says that the mode offers an “extreme” level of security that will be needed only by the tiny percentage of people who might be targeted by state-sponsored attacks.…
0 notes
brijeshtiwaripune · 2 years
Apple Introduces 'Lockdown Mode' to Prevent Targeted Cyberattacks
Apple Inc. unveiled a security tool for iPhone, iPad, and Mac devices aimed at preventing targeted cyberthreats on high-profile users such as activists, journalists, and government officials. The optional Lockdown Mode feature will provide "extreme" protection for a "very small amount of people who face grave, targeted attacks," Apple said in a statement on Wednesday. The tool drastically reduces the number of print and virtual ways an attacker can compromise a user's device. According to Apple, the feature is primarily intended to combat attacks from "spyware" sold by NSO Group and other companies, especially to state-sponsored organisations. State-sponsored entities have managed to hack high-profile users in recent years by gaining remote access to data on their iPhones. According to Bloomberg News, a number of US State Department employees were hacked and made aware by Apple last year. Apple sued NSO Group in November, alleging that the Israel-based company creates tools such as Pegasus spyware to misuse and harm Apple users. According to Apple, such attacks have targeted a small number of its users in 150 countries. The iPhone maker recently implemented a feature that alerts users when they are the target of state-sponsored cyberattacks. According to Apple, the notification system will be updated to notify those individuals about the new Lockdown Mode.
0 notes
isfeed · 2 years
Apple’s Lockdown Mode for iPhone, iPad, and Mac adds ‘extreme’ protection against threats like Pegasus
Illustration by Alex Castro / The Verge
Apple is taking steps to increase security for people like journalists, activists, and politicians with a new setting in iOS 16, iPadOS 16, and macOS Ventura called Lockdown Mode. This setting hardens an iPhone, iPad, or Mac’s defenses in ways that interrupt methods we’ve seen used to compromise devices for highly targeted attacks. Lockdown Mode blocks many…
harpianews · 3 years
Apple sues Pegasus-maker NSO Group, says US citizens were the target
Apple Inc. on Tuesday said it has filed a lawsuit against Israeli cyber firm NSO Group and its parent company OSY Technologies for alleged surveillance of US Apple users and targeting them with its Pegasus spyware. The iPhone maker said it is also seeking a ban on NSO Group's use of any Apple software, services or devices to prevent further misuse. Apple is the latest in a series of companies…
coochiequeens · 2 years
WASHINGTON, Feb 17 (Reuters) - A single activist helped turn the tide against NSO Group, one of the world’s most sophisticated spyware companies now facing a cascade of legal action and scrutiny in Washington over damaging new allegations that its software was used to hack government officials and dissidents around the world.
It all started with a software glitch on her iPhone.
An unusual error in NSO’s spyware allowed Saudi women’s rights activist Loujain al-Hathloul and privacy researchers to discover a trove of evidence suggesting the Israeli spyware maker had helped hack her iPhone, according to six people involved in the incident. A mysterious fake image file within her phone, mistakenly left behind by the spyware, tipped off security researchers.
The discovery on al-Hathloul's phone last year ignited a storm of legal and government action that has put NSO on the defensive. How the hack was initially uncovered is reported here for the first time.
Al-Hathloul, one of Saudi Arabia’s most prominent activists, is known for helping lead a campaign to end the ban on women drivers in Saudi Arabia. She was released from jail in February 2021 on charges of harming national security.
Soon after her release from jail, the activist received an email from Google warning her that state-backed hackers had tried to penetrate her Gmail account. Fearful that her iPhone had been hacked as well, al-Hathloul contacted the Canadian privacy rights group Citizen Lab and asked them to probe her device for evidence, three people close to al-Hathloul told Reuters.
After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted on her phone had left a copy of the malicious image file, rather than deleting itself, after stealing the messages of its target.
He said the finding, computer code left by the attack, provided direct evidence NSO built the espionage tool.
“It was a game changer,” said Marczak. “We caught something that the company thought was uncatchable.”
The discovery amounted to a hacking blueprint and led Apple Inc (AAPL.O) to notify thousands of other state-backed hacking victims around the world, according to four people with direct knowledge of the incident.
Citizen Lab and al-Hathloul’s find provided the basis for Apple’s November 2021 lawsuit against NSO and it also reverberated in Washington, where U.S. officials learned that NSO’s cyberweapon was used to spy on American diplomats.
In recent years, the spyware industry has enjoyed explosive growth as governments around the world buy phone hacking software that allows the kind of digital surveillance once the purview of just a few elite intelligence agencies.
Over the past year, a series of revelations from journalists and activists, including the international journalism collaboration Pegasus Project, has tied the spyware industry to human rights violations, fueling greater scrutiny of NSO and its peers.
But security researchers say the al-Hathloul discovery was the first to provide a blueprint of a powerful new form of cyberespionage, a hacking tool that penetrates devices without any interaction from the user, providing the most concrete evidence to date of the scope of the weapon.
In a statement, an NSO spokesperson said the company does not operate the hacking tools it sells – “government, law enforcement and intelligence agencies do.” The spokesperson did not answer questions on whether its software was used to target al-Hathloul or other activists.
But the spokesperson said the organizations making those claims were “political opponents of cyber intelligence,” and suggested some of the allegations were “contractually and technologically impossible.” The spokesperson declined to provide specifics, citing client confidentiality agreements.
Without elaborating on specifics, the company said it had an established procedure to investigate alleged misuse of its products and had cut off clients over human rights issues.
DISCOVERING THE BLUEPRINT
Al-Hathloul had good reason to be suspicious - it was not the first time she was being watched.
A 2019 Reuters investigation revealed that she was targeted in 2017 by a team of U.S. mercenaries who surveilled dissidents on behalf of the United Arab Emirates under a secret program called Project Raven, which categorized her as a “national security threat” and hacked into her iPhone.
She was arrested and jailed in Saudi Arabia for almost three years, where her family says she was tortured and interrogated utilizing information stolen from her device. Al-Hathloul was released in February 2021 and is currently banned from leaving the country.
Reuters has no evidence NSO was involved in that earlier hack.
Al-Hathloul’s experience of surveillance and imprisonment made her determined to gather evidence that could be used against those who wield these tools, said her sister Lina al-Hathloul. “She feels she has a responsibility to continue this fight because she knows she can change things.”
The type of spyware Citizen Lab discovered on al-Hathloul’s iPhone is known as a “zero click,” meaning the user can be infected without ever clicking on a malicious link.
Zero-click malware usually deletes itself upon infecting a user, leaving researchers and tech companies without a sample of the weapon to study. That can make gathering hard evidence of iPhone hacks almost impossible, security researchers say.
But this time was different.
The software glitch left a copy of the spyware hidden on al-Hathloul’s iPhone, allowing Marczak and his team to obtain a virtual blueprint of the attack and evidence of who had built it.
“Here we had the shell casing from the crime scene,” he said.
Marczak and his team found that the spyware worked in part by sending picture files to al-Hathloul through an invisible text message.
The image files tricked the iPhone into giving access to its entire memory, bypassing security and allowing the installation of spyware that would steal a user's messages.
The Citizen Lab discovery provided solid evidence the cyberweapon was built by NSO, said Marczak, whose analysis was confirmed by researchers from Amnesty International and Apple, according to three people with direct knowledge of the situation.
The spyware found on al-Hathloul’s device contained code that showed it was communicating with servers Citizen Lab previously identified as controlled by NSO, Marczak said. Citizen Lab named this new iPhone hacking method "ForcedEntry." The researchers then provided the sample to Apple last September.
Having a blueprint of the attack in hand allowed Apple to fix the critical vulnerability and led them to notify thousands of other iPhone users who were targeted by NSO software, warning them they had been targeted by “state-sponsored attackers.”
It was the first time Apple had taken this step.
While Apple determined the vast majority were targeted through NSO’s tool, security researchers also discovered spy software from a second Israeli vendor QuaDream leveraged the same iPhone vulnerability, Reuters reported earlier this month. QuaDream has not responded to repeated requests for comment.
The victims ranged from dissidents critical of Thailand's government to human rights activists in El Salvador.
Citing the findings obtained from al-Hathloul’s phone, Apple sued NSO in November in federal court alleging the spyware maker had violated U.S. laws by building products designed “to target, attack, and harm Apple users, Apple products, and Apple.” Apple credited Citizen Lab with providing "technical information" used as evidence for the lawsuit, but did not reveal that it was originally obtained from al-Hathloul's iPhone.
NSO said its tools have assisted law enforcement and have saved "thousands of lives." The company said some of the allegations attributed to NSO software were not credible, but declined to elaborate on specific claims citing confidentiality agreements with its clients.
Among those Apple warned were at least nine U.S. State Department employees in Uganda who were targeted with NSO software, according to people familiar with the matter, igniting a fresh wave of criticism against the company in Washington.
In November, the U.S. Commerce Department placed NSO on a trade blacklist, restricting American companies from selling the Israeli firm software products, threatening its supply chain.
The Commerce Department said the action was based on evidence that NSO’s spyware was used to target “journalists, businesspeople, activists, academics, and embassy workers.”
In December, Democratic Senator Ron Wyden and 17 other lawmakers called for the Treasury Department to sanction NSO Group and three other foreign surveillance companies they say helped authoritarian governments commit human rights abuses.
“When the public saw you had U.S. government figures getting hacked, that quite clearly moved the needle,” Wyden told Reuters in an interview, referring to the targeting of U.S. officials in Uganda.
Lina al-Hathloul, Loujain’s sister, said the financial blows to NSO might be the only thing that can deter the spyware industry. “It hit them where it hurts,” she said.