Pegasus rears its head once again
NSO Group is at the center of a new investigation about the use of its spyware
A powerful spyware tool licensed exclusively to government agencies was used to ensnare mobile phones belonging to human rights activists, journalists, senior officials, business executives, public health experts, and heads of state in a vast surveillance net, according to a bombshell investigation published earlier this week.
Israeli vendor NSO Group, whose invasive Pegasus software was installed on the compromised phones, has consistently claimed that the tool is used to combat terrorism and other serious crimes. The company said it’s on a “life-saving mission” to “break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”
Pegasus is a surveillance toolkit delivered to target devices running Apple iOS or Google Android by exploiting zero-day vulnerabilities in the operating systems. Infection chains have ranged from SMS messages carrying a malicious link that the victim has to tap to so-called zero-click iMessage exploits that deploy the spyware without the recipient tapping anything at all.
In the aftermath of the disclosures, the company blamed its customers, saying pointing fingers at the company is like “criticizing a car manufacturer when a drunk driver crashes.”
“If I am the manufacturer of a car and now you take the car and you are driving drunken and you hit somebody, you do not go to the car manufacturer, you go to the driver.” In a separate interview, Shalev Hulio, the CEO and co-founder of NSO Group, suggested that the Palestinian-led Boycott, Divestment, and Sanctions (BDS) movement or Qatar may have had a hand in the investigation.
NSO Group’s Pegasus has long caused alarm in cybersecurity circles, given the cyber weapon’s repeated use by authoritarian governments to target the smartphones of activists, journalists, and political rivals. Forensic evidence presented by Amnesty International has hinted that a number of governments worldwide — including Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates — may be customers of the company.
The revelations stem from a leaked list of more than 50,000 phone numbers associated with activists, journalists, executives, and politicians, all of them potential surveillance targets. Of the 67 smartphones tied to numbers on the list that were forensically examined, 37 showed evidence of a Pegasus infection or an attempted one, turning the compromised devices into portable surveillance tools.
To be sure, it’s still not clear who leaked the list or where it came from, who ordered the hacks, or how many phones had actually been breached.
But of greater concern is that the attacks relied on so-called “zero-click” exploits, chaining multiple zero-days in iMessage to compromise a fully patched iPhone 12 running iOS 14.6. That raises questions about the security of Apple’s software, in part because the company has historically offered stronger protections for its users than the fragmented Android ecosystem and has repeatedly emphasized privacy and security itself.
“All this indicates that NSO Group can break into the latest iPhones,” Citizen Lab’s Bill Marczak said in a series of tweets. “It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving.”
That said, neither Android nor iOS is 100% secure, and both platforms can be compromised.
Ivan Krstić, head of Apple security engineering and architecture, said in a statement that “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Apple keeps tight control over its operating system and over the apps offered through its App Store, which improves security. But the result is a closed system, sometimes criticized as relying on “security by obscurity”, that keeps attackers at bay only to a degree.
At the same time, that limited visibility has the side effect of leaving the security community in the lurch: it hampers detailed forensic investigations of iOS devices, makes it harder to understand how such attacks are constructed in the first place, and limits the ability to detect more intrusions in real time.
Yet, in a surprising twist, Amnesty International researchers said they had an easier time finding and investigating indicators of compromise on Apple devices targeted with Pegasus malware than on those running stock Android.
“In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former,” the group wrote in a lengthy technical analysis of its findings on Pegasus. “As a result, most recent cases of confirmed Pegasus infections have involved iPhones.”
But even as calls for more openness reach a new crescendo, there are concerns that exposing a greater number of system indicators and more telemetry could inadvertently hand attackers extra leverage. While there is no such thing as perfect security, the recent developments make it essential that Apple and Google raise security barriers that increase both the cost and the risk of exploitation, making intrusion software prohibitively expensive to develop.
“The only people who can fix Apple devices are Apple (very much by their own design) and that means Apple has to feel responsible each time an innocent victim gets pwned while using an Apple device,” said Johns Hopkins University cryptographer Matthew Green. “If we simply pat Apple on the head and say ‘gosh, targeted attacks are hard, it’s not your fault’ then this is exactly the level of security we should expect to get — and we’ll deserve it.”
The trick, therefore, is to strike the right balance between offering more system indicators without inadvertently making the jobs of bad actors much easier.
What’s trending in security?
⚫ MITRE has released its 2021 CWE Top 25, a rundown of the most common and impactful software weaknesses, built from 2019 and 2020 vulnerability data in the National Vulnerability Database (NVD). [MITRE]
💬 After more than two years of work, Facebook-owned WhatsApp has found a way to turn on multi-device support without weakening its encryption. End-to-end encryption, the principle that message content is readable only by the sender and the recipient, prevents WhatsApp from seeing messages, and they are not stored on its servers after delivery. It is also why the desktop client has so far merely mirrored your phone. The caveat with the new setup is that the up to four additional devices must be non-phone devices, and your smartphone remains the primary device on which WhatsApp is set up.
As WhatsApp explains in a detailed write-up of the technical and cryptographic concepts behind the multi-device scheme, making it work seamlessly involves two pieces. First, instead of a single identity key per user tied to the smartphone, each linked device has its own identity key, and all of a person’s device keys are tied to their account; when a message is sent, the sender’s client encrypts a separate copy for each of the recipient’s devices and WhatsApp’s server delivers the copies, which it cannot read. Second, changes made on one device, say adding a new contact or muting a group, are synced to the others by storing an encrypted version of that state on WhatsApp’s server, where only devices linked to the account can decrypt it. [Facebook]
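To make the two pieces concrete, here is an added Go model of the scheme, written for this edition and not taken from WhatsApp’s own code or whitepaper. It assumes a deliberately simplified design: each device holds a static X25519 identity key (the real protocol adds prekeys and the Signal Double Ratchet, both omitted here), a per-pair key is derived by hashing the X25519 agreement together with both public keys, and each copy is sealed with AES-256-GCM. The server only maps accounts to device public keys and queues ciphertext; the sender’s client produces one copy per recipient device, and a state change is pushed to the sender’s own other devices by the same fan-out, which stands in for the encrypted app-state store described above. The label string, the account names and the sample messages are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is one linked device with its own long-term X25519 identity key pair (assumed static).
type Device struct{ priv *ecdh.PrivateKey }
// Envelope is all the server keeps for one message copy: public data, no keys.
type Envelope struct{ Sender *ecdh.PublicKey; Blob []byte }
// Server maps accounts to device public keys and queues opaque blobs it cannot decrypt.
type Server struct {
	registry  map[string][]*ecdh.PublicKey // account -> identity public keys of its devices
	mailboxes map[string][]Envelope        // device public key -> queued message copies
}
func NewServer() *Server {
	return &Server{map[string][]*ecdh.PublicKey{}, map[string][]Envelope{}}
}
// Link creates a device with a fresh identity key and registers its public key under account.
func (s *Server) Link(account string) *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.registry[account] = append(s.registry[account], priv.PublicKey())
	return &Device{priv: priv}
}
// pairKey derives an AES-256 key for one (sender device, recipient device) pair from a
// static-static X25519 agreement; hashing in both public keys prevents reuse across pairs.
func pairKey(priv *ecdh.PrivateKey, peer, sender, recipient *ecdh.PublicKey) []byte {
	shared, err := priv.ECDH(peer)
	if err != nil { // only a low-order peer key fails; refuse rather than continue
		panic(err)
	}
	h := sha256.New()
	for _, part := range [][]byte{[]byte("multi-device-demo v1"), shared, sender.Bytes(), recipient.Bytes()} {
		h.Write(part)
	}
	return h.Sum(nil)
}
// gcm, seal and open are AES-256-GCM; a blob is nonce || ciphertext.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // pairKey output is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh nonce per copy; crypto/rand never returns a short read
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// Send encrypts a separate copy for every device registered to toAccount (client fan-out) and
// queues each at the server; sending to your own account is how a state change such as a muted
// group reaches your other devices. It returns the number of copies produced.
func (d *Device) Send(s *Server, toAccount string, plaintext []byte) int {
	me := d.priv.PublicKey()
	for _, pub := range s.registry[toAccount] {
		id := string(pub.Bytes())
		s.mailboxes[id] = append(s.mailboxes[id], Envelope{me, seal(pairKey(d.priv, pub, me, pub), plaintext)})
	}
	return len(s.registry[toAccount])
}
// Receive drains this device's queue; only its own private key rebuilds each pair key, so a
// copy the server altered or misrouted to another device fails to open.
func (d *Device) Receive(s *Server) ([]string, error) {
	me := d.priv.PublicKey()
	var msgs []string
	for _, e := range s.mailboxes[string(me.Bytes())] {
		pt, err := open(pairKey(d.priv, e.Sender, e.Sender, me), e.Blob)
		if err != nil {
			return nil, err
		}
		msgs = append(msgs, string(pt))
	}
	delete(s.mailboxes, string(me.Bytes()))
	return msgs, nil
}
func main() {
	srv := NewServer()
	phone, laptop, alice := srv.Link("bob"), srv.Link("bob"), srv.Link("alice")
	fmt.Println(alice.Send(srv, "bob", []byte("hello bob")), "copies queued for bob's devices")
	phone.Send(srv, "bob", []byte(`{"muted":["family group"]}`)) // state update to bob's own devices
	fmt.Println(laptop.Receive(srv))
}
```

It needs Go 1.20 or newer for crypto/ecdh. The point to take from it is structural: the server never holds a key, so a copy it alters or delivers to the wrong device fails authentication in open, and every extra linked device simply means one more encrypted copy per message.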
🇨🇳 The U.S. and its key allies officially attributed the massive Microsoft Exchange Server attacks to China. Separately, the U.S. Department of Justice unsealed an indictment alleging that four Chinese nationals, part of the threat group known as APT40, three of whom are state intelligence officers, conducted broad cyberespionage campaigns targeting companies in more than a dozen countries.
The indictment and the attribution for the Microsoft Exchange server hacks are part of a broader set of actions the U.S. government has taken to expose cyberespionage and ransomware activities that it says are sponsored and encouraged by the Chinese government.
The U.S. allegations also bear out what security vendors have long described as a strong nexus between the Chinese government, academic institutions, and criminal hacker groups in cyber-espionage activity. China rejected the accusation that it was behind the global hacking campaign against Microsoft Exchange servers and countered that the U.S. is the world’s largest source of attacks in cyberspace. [The Hacker News]
🔑 Kaseya, which fell victim to a massive ransomware attack three weeks ago, said it has obtained a decryption key that can unlock files still held hostage by the malware of the criminal gang REvil. It is not publicly known whether Kaseya paid the ransom or received the key for free from REvil, a law enforcement agency, or a private security company.
But CNN reported that the announcement may have come a little too late, as affected organizations had already recovered their data “either by paying off the ransomware gang weeks ago or by painstakingly restoring from backups.” Kaseya is also requiring businesses to sign a non-disclosure agreement in order to access the decryptor. [The Hacker News / CNN]
🔢 Twitter revealed a surprisingly low two-factor adoption rate: just 2.3% of all users, roughly 4.7 million accounts, have opted in to the additional layer of security. Of those, close to 80% use SMS-based two-factor authentication and about 30% use an authenticator app, with the percentages overlapping because an account can enable more than one method. Only 0.5% of those 2FA users, roughly 23,500 accounts, use a security key. [Twitter]
⚙️ Researchers demonstrated a new form of steganography: hiding malware inside a neural network, without altering the model’s function, so that it slips past automated detection tools. The study found that replacing up to around 50% of the neurons in AlexNet with malware bytes still kept the model’s accuracy above 93.1%, and the authors note that a 178MB AlexNet model can carry up to 36.9MB of malware embedded in its parameters without being detected. [EvilModel via arXiv]
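As an added illustration of the mechanism, written for this edition rather than taken from the EvilModel authors’ code, the Go program below embeds a payload in the low three bytes of each float32 weight while keeping the top byte, which holds the sign bit and the seven high exponent bits. The layout, the 4-byte length prefix and the sample weights are assumptions of this example; the payload is a constructed marker string, not malware. The program also shows the two properties a practitioner cares about: how far each weight can move (its sign is preserved and its magnitude changes by less than a factor of four, because only the exponent’s lowest bit and the mantissa are overwritten), and why a naive contiguous byte-signature scan of the weight file finds nothing.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"math"
)

// Assumed layout: each float32 weight donates its low 3 bytes to the payload and keeps its
// top byte (sign bit plus the 7 high exponent bits), which bounds the distortion.
const bytesPerWeight = 3
// SampleWeights builds a deterministic stand-in for a trained layer (constructed data).
func SampleWeights(n int) []float32 {
	w := make([]float32, n)
	for i := range w {
		w[i] = float32(i%199+1) / 200 // magnitudes in (0, 1]
		if i%3 == 1 {
			w[i] = -w[i]
		}
	}
	return w
}
// Embed overwrites the low bytes of the first weights with a length prefix plus the payload.
func Embed(weights []float32, payload []byte) ([]float32, error) {
	data := make([]byte, 4+len(payload))
	binary.LittleEndian.PutUint32(data, uint32(len(payload)))
	copy(data[4:], payload)
	need := (len(data) + bytesPerWeight - 1) / bytesPerWeight
	if need > len(weights) {
		return nil, fmt.Errorf("payload needs %d weights, model has %d", need, len(weights))
	}
	out := append([]float32(nil), weights...)
	for i := 0; i < need; i++ {
		bits := math.Float32bits(out[i]) & 0xFF000000 // keep sign and high exponent bits
		for j := 0; j < bytesPerWeight; j++ {
			if k := i*bytesPerWeight + j; k < len(data) {
				bits |= uint32(data[k]) << (8 * j)
			}
		}
		out[i] = math.Float32frombits(bits)
	}
	return out, nil
}
// Extract reads the low bytes back in order and trusts the length prefix only if it fits.
func Extract(weights []float32) ([]byte, error) {
	raw := make([]byte, 0, len(weights)*bytesPerWeight)
	for _, w := range weights {
		bits := math.Float32bits(w)
		raw = append(raw, byte(bits), byte(bits>>8), byte(bits>>16))
	}
	if len(raw) < 4 {
		return nil, fmt.Errorf("model too small to carry a length prefix")
	}
	n := int(binary.LittleEndian.Uint32(raw))
	if n < 0 || n > len(raw)-4 {
		return nil, fmt.Errorf("length prefix %d exceeds capacity %d", n, len(raw)-4)
	}
	return raw[4 : 4+n], nil
}
// MaxRatio is the largest factor by which any weight's magnitude changed; it stays below 4.
func MaxRatio(orig, mod []float32) float64 {
	worst := 1.0
	for i := range orig {
		if orig[i] == 0 || mod[i] == 0 {
			continue
		}
		r := math.Abs(float64(mod[i]) / float64(orig[i]))
		if r < 1 {
			r = 1 / r
		}
		worst = math.Max(worst, r)
	}
	return worst
}
// Serialize lays weights out as little-endian float32s, as a raw weight file would.
func Serialize(weights []float32) []byte {
	buf := make([]byte, 4*len(weights))
	for i, w := range weights {
		binary.LittleEndian.PutUint32(buf[4*i:], math.Float32bits(w))
	}
	return buf
}
// SignatureHit is a naive contiguous byte-pattern scan. Every fourth byte of the embedded
// model is a preserved top byte, so no payload run longer than 3 bytes survives intact.
func SignatureHit(file, signature []byte) bool { return bytes.Contains(file, signature) }
func main() {
	payload := bytes.Repeat([]byte("DEMO-PAYLOAD-NOT-REAL-MALWARE;"), 20) // constructed marker
	weights := SampleWeights(1000)
	model, err := Embed(weights, payload)
	if err != nil {
		panic(err)
	}
	back, _ := Extract(model)
	fmt.Println("round trip:", bytes.Equal(back, payload), "max weight ratio:", MaxRatio(weights, model))
	sig := payload[:8]
	fmt.Println("raw append found:", SignatureHit(append(Serialize(weights), payload...), sig),
		"embedded found:", SignatureHit(Serialize(model), sig))
}
```

The same scan that flags the payload when it is simply appended to the weight file misses it once it is interleaved with the preserved top bytes, which is why the detection side has to reason about weight statistics or reassemble the low bytes rather than look for contiguous signatures.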
❌ A fascinating look back at the 2010 attempted takedown of the notorious crime and hacking group behind the Zeus banking trojan, codenamed “Operation Trident Breach”. [MIT Technology Review]
⚠️ Discord’s own content delivery network (CDN) is becoming an increasingly popular malware distribution channel, with much of the malware focused on data theft. [Sophos]
🔢 Mobile advertising identifiers, such as Apple’s IDFA or Google’s MAID, are supposed to be anonymous, but third parties use these unique identifiers to track users’ activity across apps as part of a growing industry that sells so-called “identity resolution” services. In a twist, VICE’s Joseph Cox found a data broker that links these supposedly anonymous IDs to real people, a reminder that little done online is fully anonymous. The company’s CEO told VICE that it has “one of the largest repositories of current, fresh MAIDS<>PII in the USA.” [Vice]
🗄️ The past week in data breaches, leaks, and ransomware: Campbell Conroy & O’Neil, Cloudstar, Guntrader.uk, Northern Trains, Saudi Aramco, and Tokyo Olympics ticket portal.
740
That’s the number of organizations that were attacked with ransomware and had their data posted to data leak sites in the second quarter of 2021, according to a new research report from cybersecurity firm Digital Shadows, a 47% increase over Q1. The retail sector saw the biggest jump, a 183% increase between Q1 and Q2. Of all the ransomware victims named on data leak sites in Q2 2021, over 350 were entities based in the U.S., followed by France (46), the U.K. (39), and Italy (35).
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!