Apple Zero-Day Exploits Target Egyptian Ex-MP with Predator Spyware


Three recent Apple zero-day vulnerabilities were used in a targeted spyware attack on Ahmed Eltantawy, a former Egyptian member of parliament.

This news item outlines the details of this cyber-espionage operation and the implications it carries.

Key Takeaways:

  • Apple’s zero-day vulnerabilities were exploited to deliver Predator spyware to an Egyptian ex-MP.
  • The attack was attributed to the Egyptian government due to its use of commercial spying tools.
  • The incident highlights the risks of non-HTTPS websites and the need for device security.

Zero-Day Exploits and Targeted Attack

Apple addressed three zero-day vulnerabilities in September 2023. These vulnerabilities were used as part of an iPhone exploit chain, aiming to deliver the Predator spyware to Ahmed Eltantawy, a former Egyptian member of parliament.

Government’s Involvement and Targeting

The Citizen Lab, in cooperation with Google’s Threat Analysis Group, confidently attributes this attack to the Egyptian government. The attack coincided with Eltantawy’s public announcement of his presidential candidacy in the 2024 Egyptian elections.

Spyware Delivery via Links

The spyware, known as Predator, was delivered to the target through links sent via SMS and WhatsApp. In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting through network injection.

When he visited non-HTTPS websites, he was redirected to a malicious site that infected his device with Cytrox’s Predator spyware.

Exploiting Vulnerabilities

The exploit chain leveraged three vulnerabilities (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993), allowing attackers to bypass certificate validation, elevate privileges, and execute code remotely by manipulating web content.

Predator Spyware and its Controversy

Predator, developed by Cytrox, functions similarly to NSO Group’s Pegasus spyware. It enables surveillance and data harvesting from compromised devices.

Notably, the U.S. government blacklisted it in July 2023 for its role in human rights abuses.

Sophisticated Exploit

The attack was hosted on the domain sec-flare[.]com. Eltantawy was redirected to a website named c.betly[.]me via a sophisticated network injection attack using Sandvine’s PacketLogic middlebox.

An Adversary-in-the-Middle Attack

This was an adversary-in-the-middle (AitM) attack that took advantage of non-HTTPS websites. It intercepted and redirected users to an Intellexa site, c.betly[.]me, and further to the exploit server, sec-flare[.]com.
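The redirect chain above only works because the first hop travels over plain HTTP, where an on-path middlebox can forge a response. The following is an added defender-side example, not code from the Citizen Lab or Google TAG investigation: it triages HTTP transaction records (assumed to come from a proxy or pcap export, with hostnames defanged using the same "[.]" convention as this article) and flags plaintext redirects that leave the requested site or land on one of the two hosts named here. The record format and the .test sample domains are constructed for the example.

```python
"""Triage plaintext-HTTP redirects for signs of network-injection redirection."""

def canon(host):
    """Lower-case and fully defang a host: 'c.betly[.]me' -> 'c[.]betly[.]me'."""
    return host.lower().replace("[.]", ".").replace(".", "[.]")

# The redirect chain named in the article: landing site first, exploit server second.
KNOWN_BAD_HOSTS = {canon("c.betly[.]me"), canon("sec-flare[.]com")}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def host_of(url):
    """Return the canonical (defanged) host of a URL; ports are not handled (assumption)."""
    return canon(url.split("://", 1)[-1].split("/", 1)[0].split("?", 1)[0])

def same_site(requested, target):
    """True if the redirect stays on the requested host or one of its subdomains."""
    return target == requested or target.endswith("[.]" + requested)

def classify_redirect(record):
    """Verdict for one transaction: 'ok', 'cross_host_http_redirect' or 'redirect_to_known_bad'."""
    if record["status"] not in REDIRECT_STATUSES or not record.get("location"):
        return "ok"
    target = host_of(record["location"])
    if target in KNOWN_BAD_HOSTS:
        return "redirect_to_known_bad"
    # Over TLS the redirect came from the real server; over plain HTTP an on-path
    # middlebox could have injected it, so a hop off the site deserves a look.
    if record["scheme"] == "http" and not same_site(canon(record["host"]), target):
        return "cross_host_http_redirect"
    return "ok"

def triage(records):
    """Keep only the transactions an analyst should look at, paired with their verdict."""
    return [(r, v) for r in records if (v := classify_redirect(r)) != "ok"]

# Constructed sample transactions: requested scheme/host, status, Location header.
SAMPLE_RECORDS = [
    {"scheme": "http", "host": "news[.]test", "status": 301, "location": "https://news[.]test/"},
    {"scheme": "http", "host": "news[.]test", "status": 302, "location": "http://c.betly[.]me/landing"},
    {"scheme": "http", "host": "c.betly[.]me", "status": 302, "location": "https://sec-flare[.]com/x"},
    {"scheme": "http", "host": "shop[.]test", "status": 302, "location": "http://cdn[.]shop[.]test/"},
    {"scheme": "http", "host": "weather[.]test", "status": 302, "location": "http://ads-tracker[.]test/?id=1"},
    {"scheme": "https", "host": "bank[.]test", "status": 302, "location": "https://login[.]bank[.]test/"},
]

if __name__ == "__main__":
    for rec, verdict in triage(SAMPLE_RECORDS):
        print(f"{verdict:26} {rec['scheme']}://{rec['host']} -> {rec['location']}")
```

A same-host upgrade to HTTPS (the first record) is exactly what a correctly configured site does and is left alone; HSTS on the site removes the plaintext first hop altogether.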

Additional Messages and Exploits

Eltantawy received three SMS messages in September 2021, May 2023, and September 2023, urging him to click on links to address suspicious login sessions.

While these links didn’t match the aforementioned domain, the investigation revealed that Predator spyware was installed on his device shortly after reading the September 2021 message.

Chrome Browser Exploit

Google TAG also detected an exploit chain that used a remote code execution flaw in the Chrome web browser (CVE-2023-4762) to deliver Predator on Android devices.

This was achieved through AitM injection and one-time links sent directly to the target.

Addressing the Issue

The incident underscores the need for vigilance against spyware threats, especially for individuals who may be targeted due to their activities. Keeping devices updated and enabling security features like Lockdown Mode on Apple devices is recommended to fend off such attacks.

Conclusion

This news item sheds light on a targeted cyber-espionage operation using Apple zero-day vulnerabilities. It emphasizes the significance of cybersecurity and the evolving threats individuals and organizations face in today’s digital landscape.

About Predator and the Intellexa Alliance: Predator is a surveillance tool developed by Cytrox, akin to NSO Group’s Pegasus. It’s part of the Intellexa Alliance, a consortium of spyware vendors. The U.S. government blacklisted Predator for its involvement in human rights abuses.
