High-End Spyware and Governments – Match Made in Heaven?

06/10/2023


Complion supports Voice – Bundesverband der IT-Anwender e.V. with the weekly preparation of IT security situation reports as part of the Cyber Security Competence Center (CSCC). In September, these situation reports contained an increasing number of reports on actively exploited vulnerabilities in Apple operating systems and common web browsers. The exploitation was carried out by well-known, highly complex malware used by government agencies – high-end state Trojans. The names: Pegasus and Predator. In this blog post we summarize the last few calendar weeks in chronological order. The series started with a news item on 7 September.

Calendar week 36: BLASTPASS

Canada's Citizen Lab reported an iOS exploit chain in early September, discovered on the cell phone of a person working for a civil society organization based in Washington DC with several international branches. The exploit chain, nicknamed "BLASTPASS" (CVE-2023-41064 & CVE-2023-41061), was executed without a single action by the victim (i.e., no clicking on a phishing link or the like). At the end of the compromise chain was the multifunctional Trojan "Pegasus", developed by the Israeli company "NSO Group". Such so-called "zero-click" exploits are particularly dangerous because no interaction on the part of the user is required. In the specific case of BLASTPASS, the attacker only needed to send a malicious image file to the victim via iMessage.

Calendar week 37: First signs of libwebp vulnerabilities in Google Chrome and Mozilla Firefox

The following week, the Voice CSCC reported the vulnerability CVE-2023-4861, which affects the popular browsers Chrome and Firefox and has already been exploited by malicious actors with a government background. It quickly became clear that this was also the BLASTPASS vulnerability, only with a separate CVE number. The exploited vulnerability was located in a library called "libwebp", which was developed by Google and can be found in a variety of products – not only in all common browsers, but also in Apple devices and Android phones.

Calendar week 38: Spying on a Russian journalist in exile and Apple has to patch again

September 13, 2023 – Citizen Lab reports again, this time in cooperation with Access Now. The cell phone of journalist Galina Timchenko is said to have been spied on with Pegasus malware. The infection occurred in the GMT+1 time zone – Timchenko was staying in Germany. Again, the infection of the device occurred via a zero-click exploit. The attackers used an attack nicknamed "PWNYOURHOME," which exploited gaps in Apple HomeKit as well as iMessage.

In calendar week 38, Apple again closes three zero-day vulnerabilities that are already actively exploited by messaging services. This time, the vulnerabilities are not zero-click exploits, so they require the victim to interact with a link sent to them. Attackers therefore need to run phishing campaigns. One such campaign affected Ahmed Eltantawy, an Egyptian opposition figure and former member of parliament. He was repeatedly sent links via SMS and WhatsApp – had he clicked on these links, his device would have been infected with the Predator malware from the developer Intellexa. Eltantawy's phishing awareness saved him from this fate. However, the attackers still managed to compromise the opposition politician's phone. While browsing a website without HTTPS protection, Eltantawy was redirected to a third-party website, presumably through a device installed specifically for him at his mobile carrier, where he was infected via drive-by download, i.e. a download without consent or notification. The redirection seemed suspicious enough for the politician to contact Citizen Lab, which has already been mentioned here several times. They were able to detect the infection and make the case public.

Calendar week 39: libwebp finally becomes a worst-case scenario

We are now almost in the present – week 39. It's Friday afternoon, a few hours ago the CSCC community met for their weekly meeting. Among the issues discussed was vulnerability CVE-2023-5129 – a vulnerability rated a 10 out of 10 on the CVSS scale. The libwebp library, which had already become conspicuous in week 37, is affected. This is integrated in countless products – in addition to Apple and Google, various Linux distributions, the desktop version of the messenger Signal as well as Microsoft Teams, Slack, Skype and Discord are also affected. All of these are very sensitive products – either they are end devices through which information flows, or they are messenger services, which are of course particularly interesting for intelligence services. The full extent of the libwebp vulnerability will become apparent in the next few weeks – those who are particularly alarmed are already warning about "Log4J 2.0".
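Because libwebp is bundled into so many products, the first defensive step is finding out where it actually lives on a host: not only as a shared library the package manager knows about, but also as a copy embedded in an application binary (Electron-based messengers ship their own). The following inventory script is an added example, not from the original post or the CSCC; it assumes binutils' `readelf` is available for the dynamic-linkage check and uses two public libwebp API names as heuristic markers for embedded copies.

```shell
#!/bin/sh
# Heuristic libwebp inventory (added example). Reports files under a directory
# that either link libwebp dynamically (NEEDED entry in the ELF dynamic section)
# or embed a copy of the decoder (exported libwebp API names left in the file).
# The marker strings are an assumption: stripped or renamed builds may be missed.

scan_libwebp() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # Case 1: dynamic linkage against a system or vendored libwebp.so.
        # readelf is used instead of ldd because ldd may execute the binary.
        if command -v readelf >/dev/null 2>&1 \
           && readelf -d "$f" 2>/dev/null | grep -q 'NEEDED.*libwebp'; then
            printf 'dynamic:%s\n' "$f"
        # Case 2: a statically bundled copy, detected via libwebp API names.
        elif grep -a -q -E 'WebPDecodeRGBA|WebPGetDecoderVersion' "$f" 2>/dev/null; then
            printf 'embedded:%s\n' "$f"
        fi
    done
}

# Usage: ./scan_libwebp.sh /opt /usr/lib (one or more directories to inventory).
for d in "$@"; do
    scan_libwebp "$d"
done
```

Every reported path is a place that needs the vendor's fixed build, not just an updated system package.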

What can you do?

Users are usually helpless against these exploits, especially zero-click exploits. The only things that help are stringent patching of endpoints and applications, as well as extreme caution when receiving suspicious media content and hyperlinks. As this blog post has shown, the world's intelligence agencies have discovered their wonder weapons in exploits. It is not surprising that Russian exploit brokers now offer up to US$20 million for a fully developed and functional zero-click attack against iOS.

The Voice CSCC will continue to provide situational awareness and vulnerability assessments to its members while providing you with a protected discussion forum. If you are interested in the services of the CSCC, click here.

Author: Tobias Philipsen