Tag Archive for: Spyware

Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit

/in


Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed.

It’s also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. There is no evidence that the exploit has been used after November 2021.

ENDOFDAYS “appears to make use of invisible iCloud calendar invitations sent from the spyware’s operator to victims,” the researchers said, adding the .ics files contain invites to two backdated and overlapping events so as to not alert the users.

The attacks are suspected to have leveraged a quirk in iOS 14 that any iCloud calendar invitation with a backdated time received by the phone is automatically processed and added to the users’ calendar without any notification or prompt.

The Microsoft Threat Intelligence team is tracking QuaDream as DEV-0196, describing it as a private sector offensive actor (PSOA). While the cyber mercenary company is not directly involved in targeting, it is known to sell its “exploitation services and malware” to government customers, the tech giant assessed with high confidence.

The malware, named KingsPawn, contains a monitor agent and the primary malware agent, both of which are Mach-O files written in Objective-C and Go, respectively.

While the monitor agent is responsible for reducing the forensic footprint of the malware to evade detection, the main agent comes with capabilities to gather device information, cellular and Wi-Fi data, harvest files, access camera in the background, access location, call logs, and iOS Keychain, and even generate an iCloud time-based one-time password (TOTP).

Other samples support recording audio from phone calls and the microphone, running queries in SQL databases, and cleaning up forensic trails, such as deleting all calendar events from two years prior…

Source…

F Secure Internet Security 2014 BETA test

/in



Hacking campaign exploited zero-day tied to spyware firm

/in


A spyware campaign driven by “mercenary” hackers exploited a zero-day vulnerability in Android devices, reported Amnesty International’s Security Labs.

In its report, released Wednesday, security researchers said they notified Google of the spyware campaign in December, which sparked software updates that prevented the hack from being executed on the “billions of Android, Chrome and Linux users” vulnerable to the zero-day flaw.

The human rights organization did not name the spyware company while it continues to investigate and track its activities. However, Amnesty International said “the attack showed all the hallmarks of an advanced spyware campaign developed by a commercial cyber-surveillance company and sold to governments hackers to carry out targeted spyware attacks.”

Also on Wednesday, Google’s Threat Analysis Group (TAG) detailed the zero-day reported by Amnesty International, as well as a zero-day in iOS devices used in a separate spyware campaign.

The reports of the spyware campaigns that governments are using against dissidents, journalists, human rights workers and political opposition members come the same week that U.S. President Joe Biden issued a ban on federal agencies from using commercial spyware except in certain cases, such as research.

Amnesty International shared its technical findings with Google TAG and other vendors, including Samsung, which released security updates for devices affected by the exploit.

“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, in a press release. He also called for a global moratorium on the sale, transfer and use of spyware until safeguards are in place for human rights.

Google captured the zero-day exploit chain used to hack Android devices in December. The campaign has been active since at least 2020, according to Amnesty International, and targeted mobile and desktop devices, including Google’s Android OS. The spyware and exploits came from a network of over 1,000 malicious domains, which included spoofed media sites…

Source…

Spyware vendors use exploit chains to take advantage of patch delays in mobile ecosystem

/in


Several commercial spyware vendors developed and used zero-day exploits against iOS and Android users last year. However, their exploit chains also relied on known vulnerabilities to work, highlighting the importance of both users and device manufacturers to speed up the adoption of security patches.

“The zero-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices,” researchers with Google’s Threat Analysis Group (TAG) said in a report detailing the attack campaigns. “Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.”

The iOS spyware exploit chain

Apple has a much tighter grip on its mobile ecosystem being both the sole hardware manufacturer of iOS devices and the creator of the software running on them. As such, iPhones and iPads have historically had a much better patch adoption rate than Android, where Google creates the base OS and then tens of device manufacturers customize it for their own products and maintain their own separate firmware.

In November 2022, Google TAG detected an attack campaign via SMS that targeted both iOS and Android users in Italy, Malaysia, and Kazakhstan using exploit chains for both platforms. The campaign involved bit.ly shortened URLs that, when clicked, directed users to a web page delivering the exploits then redirected them to legitimate websites, such as the shipment tracking portal for Italian logistics company BRT or a popular news site from Malaysia.

The iOS exploit chain combined a remote code execution vulnerability in WebKit, Apple’s website rendering engine used in Safari and iOS, that was unknown and unpatched at the time. The flaw, now tracked as CVE-2022-42856, was patched in January after Google TAG reported it to Apple.

However, a remote code execution flaw in the web browser engine is not enough to compromise a device, because mobile operating systems like iOS and Android use sandboxing techniques to limit the privileges of the browser….

Source…