More iOS Zero-Days, More Mercenary Spyware — This Time: Cytrox Predator

Egyptian opposition presidential candidate Ahmed Eltantawy, targeted “by the government.”

Would-be president pwned by President: Former Egyptian politician Ahmed Eltantawy (pictured) had his phone hacked, and Citizen Lab says the Egyptian government is responsible.

Also fingered as complicit: Vodafone Egypt and Sandvine, Inc.—not forgetting Cytrox itself. In today’s SB Blogwatch, we rethink our vacation plans to see the pyramids.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Side Sidemi.

Apple Scrambled to Fix 3 More CVEs

What’s the craic? Sergiu Gatlan reports—“Zero-days exploited in spyware attacks”:

16 zero-days
Three zero-days patched by Apple on Thursday were abused as part of an exploit chain to install Cytrox’s Predator spyware. Between May and September 2023, the attackers exploited the bugs … in attacks using decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy after announcing plans to join the Egyptian presidential election in 2024.

The … exploit used CVE-2023-41993 for initial remote code execution (RCE) in Safari using maliciously crafted web pages, the CVE-2023-41991 bug to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation. … Since January 2023, Apple has addressed a total of 16 zero-days exploited in attacks targeting its customers. … Google TAG also observed the attackers using a separate exploit chain to drop Predator spyware on Android devices in Egypt, exploiting CVE-2023-4762—a Chrome bug patched on September 5th.

WTH is going on in Egypt? James Reddick explains—“Egyptian opposition politician hacked with Predator spyware”:

Blacklist
The phone of Egyptian opposition politician Ahmed Eltantawy was recently targeted with Predator spyware … between May and September of this year. … Eltantawy was targeted with SMS and WhatsApp messages carrying malicious links that would trigger installation of the spyware if clicked.

The attempted surveillance began after Eltantawy, a former member of Parliament, announced that he would run for president. … Twelve members of his family and his supporters have been arrested.

In July, the U.S. Commerce Department added Predator’s maker, Cytrox, to a blacklist for “threatening the privacy and security of individuals and organizations worldwide.” [Predator’s] victims include Greek journalist Thanasis Koukasis, former Meta employee Artemis Seaford and a member of European Parliament.

Horse’s mouth? Bill Marczak, John Scott-Railton, Daniel Roethlisberger, Bahr Abdul Razzak, Siena Anstis and Ron Deibert—“Predator in the Wires”:

Interference in free and fair elections
Eltantawy became suspicious about the safety of his phone and reached out to the Citizen Lab. … Our forensic analysis showed numerous attempts to target Eltantawy with Cytrox’s Predator spyware.

When Eltantawy visited certain websites without HTTPS … using his Vodafone Egypt mobile data connection, he was silently redirected to a website … via network injection. … We were able to localize the injection to a link between Telecom Egypt and Vodafone Egypt … we suspect that it is within Vodafone Egypt’s network. … We attribute the spyware injection in Egypt to Sandvine’s PacketLogic product. … This is not the first time we have identified the abuse of Sandvine’s products.

It is highly unlikely that this targeting occurred and that this setup was established outside of the purview of Egyptian authorities. … We attribute the network injection attack to the Egyptian government with high confidence. … The use of mercenary spyware to target a senior member of a country’s democratic opposition … is a clear interference in free and fair elections.

Cytrox? shmatt waxes pedagogical:

Another company founded by ex-Israeli intelligence. The funny thing about exploits is, once hundreds of employees or soldiers have access to the exploit, they don’t need to physically copy the code. They just need to understand how it works, to then open 10 other companies that use the same exploit.

Although the IDF is great at stopping people from copying files outside of their networks, it can’t stop people from remembering what they did during their service.

What would you do? jhodge is stoic about it:

If you’re targeted by a patient, well-resourced adversary, you’re going to be hacked. If you’re in a position where that’s part of your threat model, accept it, layer your defenses, and adjust your behaviors.

It must be ****ing exhausting.

Examples of one of these layers? ashen—@vanityfeline—has two for us:

High-risk individuals really should be using a VPN, particularly when connecting via a mobile network. It wouldn’t make them immune to these state-sponsored, targeted attacks, but it’d surely make it more difficult.

The only sophisticated part detailed in the report is the 0day chain—the actual distribution of the payload just required http webserver traffic to MITM (which is simple to do when you own the ISP). … Attack surface reduced with a VPN. … Alternatively, only allow HTTPS traffic.
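The injection Citizen Lab describes only works against cleartext HTTP, which is why the two mitigations above (a VPN, or allowing HTTPS only) help. The following is an added example, not code from Citizen Lab, Sandvine or any of the quoted commenters: it runs a defender-side heuristic over constructed proxy log lines, flagging plain-HTTP requests whose response was a redirect to a different registrable domain, and separately listing every cleartext request that an HTTPS-only policy would have blocked. The log format, the `registrable_domain` helper and all sample lines are assumptions made for this example.

```python
"""
Heuristic detector for cleartext-HTTP redirect injection.

Pattern of interest: a plain-HTTP request whose response is a 3xx redirect to
a different registrable domain than the one the user asked for. Same-domain
redirects (e.g. an HTTPS upgrade to www.) are left alone. All log lines below
are constructed for this example; the format is a simplified, squid-like one
assumed here, not any vendor's real log format:

    <unix_ts> <client_ip> <method> <url> <status> <location_header_or_->
"""
import re
from urllib.parse import urlsplit

# Constructed sample: line 2 is the suspicious one (HTTP visit to example.net
# answered with a redirect to an unrelated host); line 3 is a benign HTTPS
# upgrade on the same domain; line 4 is HTTPS, so out of scope; line 5 is a
# same-domain redirect.
SAMPLE_LOG = """\
1695000001 10.0.0.5 GET http://example.net/news 200 -
1695000002 10.0.0.5 GET http://example.net/article 302 http://tracking-cdn.invalid/landing
1695000003 10.0.0.5 GET http://example.net/old 301 https://www.example.net/old
1695000004 10.0.0.5 GET https://bank.example/login 302 https://auth.bank.example/sso
1695000005 10.0.0.5 GET http://shop.example/cart 302 http://shop.example/login
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumed helper; a production tool would
    consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "location": location,
    }


def is_suspicious(entry):
    """True when a cleartext request was redirected off its registrable domain."""
    requested = urlsplit(entry["url"])
    # Only cleartext HTTP can be rewritten by an on-path box; HTTPS responses
    # would fail certificate validation instead of silently redirecting.
    if requested.scheme != "http":
        return False
    if not 300 <= entry["status"] < 400 or entry["location"] == "-":
        return False
    target = urlsplit(entry["location"])
    if not requested.hostname or not target.hostname:
        return False
    return registrable_domain(requested.hostname) != registrable_domain(target.hostname)


def _entries(log_text):
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            yield entry


def find_injected_redirects(log_text):
    """All entries matching the cross-domain cleartext redirect pattern."""
    return [e for e in _entries(log_text) if is_suspicious(e)]


def https_only_violations(log_text):
    """Every cleartext request, i.e. what an HTTPS-only policy would have blocked."""
    return [e for e in _entries(log_text) if urlsplit(e["url"]).scheme == "http"]


if __name__ == "__main__":
    for e in find_injected_redirects(SAMPLE_LOG):
        print(f"SUSPECT {e['ts']} {e['client']} {e['url']} -> {e['location']}")
    print(f"{len(https_only_violations(SAMPLE_LOG))} cleartext requests would be blocked by HTTPS-only")
```

On the constructed sample this flags exactly one line (the redirect from example.net to tracking-cdn.invalid) and counts four cleartext requests. The heuristic is deliberately narrow: legitimate cross-domain redirects over HTTP exist (CDNs, shorteners), so treat hits as triage candidates to correlate with the device's own traffic rather than as proof of injection.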

iOS considered to have weak security? A plague on all their houses, thinks Veserv:

Just your regular reminder that for the only security certification that Apple advertises on their website for iOS, Apple only achieved the lowest possible level of security assurance, EAL1 … only fit for products where “some confidence in the correct operation is required, but the threats to security are not viewed as serious,” [and] does not even require “demonstrating resistance to penetration attackers with a basic attack potential.”

Apple has never once, over multiple decades of failed attempts, demonstrated “resistance to penetration attackers with a moderate attack potential” for any of their products. To be fair, neither have Microsoft, Google, Amazon, Cisco, Crowdstrike, etc.

It is generally viewed as impossible to fix the structural defects in products that failed a EAL5 certification without a total rewrite. [Even] EAL4 is certainly inadequate. Any product in commercial use targeting that level or lower is doomed to be … useless against commercial threats. … We know this from experience where EAL4 systems are routinely defeated [and] are certifiably useless.

What have we learned? Danathar confuses Israel with Japan:

If Ninja hackers are after you, there is literally nothing you can do. You might be able to carry around a flip phone—maybe.

Meanwhile, KirillPanov eyerolls furiously:

One of these days people will wake up and realize that carrying a networked GPS tracker with a microphone in their pocket is a really dumb idea.

And Finally:

Zoë Medcraft and Felix Colgrave having fun


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
