
Spyware Company Focuses on Egyptian Organizations with Uncommon iOS Exploit Chain


An Israeli surveillanceware company known as “Intellexa” has been found to have used three zero-day vulnerabilities in Apple’s iOS and a zero-day vulnerability in Google Chrome to carry out a targeted attack on organizations in Egypt, according to a recent report from Google’s Threat Analysis Group (TAG). The company used these exploits to install its signature spyware, called “Predator,” on iPhones and Android devices.

Predator was originally developed by Cytrox, a spyware developer that has since been absorbed into Intellexa. This is not the first time Intellexa has used Predator against Egyptian targets: in 2021, the company deployed the spyware against Egyptian citizens. The recent attacks on iPhones in Egypt relied on man-in-the-middle (MITM) injection, in which users' traffic was intercepted as they attempted to load plaintext HTTP sites. Encrypted HTTPS requests were not affected by this type of attack.

The use of MITM injection allowed the attackers to gain access to the targeted individuals’ devices without requiring them to click on a specific link or open a document. This approach is similar to zero-click exploits, but without the need to find vulnerabilities in a zero-click attack surface. According to TAG researchers, this highlights the dangers posed by commercial surveillance vendors and the threats they pose to both individuals and society as a whole.
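The defensive point in the two paragraphs above is that an on-path attacker can only rewrite responses the device fetches in plaintext; an HTTPS fetch denies them that opportunity, and a valid HSTS policy stops the browser from making the plaintext request in the first place. The following is an added example, not code from the article or from Google TAG: a small Python triage helper that classifies a list of fetched URLs by that exposure and parses the Strict-Transport-Security header (RFC 6797) to tell whether future visits would be upgraded. The sample fetches and host names are constructed for illustration.

```python
"""
Added example (not from the article or from Google TAG): classify which
fetches a device made in plaintext, and therefore exposed to an on-path
injector, and whether the server's HSTS policy would force HTTPS next time.

All sample data below is constructed; the host names are placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into an HstsPolicy.

    Returns None when the header is absent or carries no valid max-age,
    which is how a browser treats it too (no policy is recorded).
    """
    if not header_value:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None or max_age < 0:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_request(url, response_headers):
    """Label one fetch by its exposure to on-path response injection.

    'plaintext'       - http:// request; the body can be rewritten in transit.
    'https-no-hsts'   - encrypted, but the host sends no valid HSTS policy, so a
                        later plain-http visit (typed URL, link) is unprotected.
    'https-hsts-zero' - HSTS present with max-age=0, i.e. the policy is cleared.
    'https-hsts'      - encrypted and future visits will be upgraded to HTTPS.
    """
    if urlparse(url).scheme.lower() != "https":
        return "plaintext"
    # Header names are case-insensitive; look the value up accordingly.
    hsts_value = next(
        (v for k, v in response_headers.items()
         if k.lower() == "strict-transport-security"),
        None,
    )
    policy = parse_hsts(hsts_value)
    if policy is None:
        return "https-no-hsts"
    if policy.max_age == 0:
        return "https-hsts-zero"
    return "https-hsts"


# Constructed sample fetches (URL, response headers), not a real capture.
SAMPLE_FETCHES = [
    ("http://news.example/today", {"Content-Type": "text/html"}),
    ("https://bank.example/login",
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https://shop.example/", {"Content-Type": "text/html"}),
    ("https://old.example/", {"strict-transport-security": "max-age=0"}),
    ("http://captive.example/portal", {}),
]


def summarize(fetches):
    """Count fetches per exposure label; the 'plaintext' bucket is the one
    an on-path injector like the MITM described in the article can reach."""
    counts = {}
    for url, headers in fetches:
        label = assess_request(url, headers)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for url, headers in SAMPLE_FETCHES:
        print(f"{assess_request(url, headers):16} {url}")
    print(summarize(SAMPLE_FETCHES))
```

Run over a proxy or DNS-derived list of the sites a fleet actually visits, the 'plaintext' and 'https-no-hsts' buckets are the ones worth driving to zero (or covering with an always-on VPN or enterprise policy that blocks plain HTTP), since every fetch in them is a response an on-path attacker could replace.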

Intellexa’s exploit chain for iPhones involved three zero-day vulnerabilities, all of which have been patched in the latest version of iOS (17.0.1). These vulnerabilities are tracked as CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992. They allow for remote code execution, certificate validation bypass, and privilege escalation in the device kernel, respectively. Once all three steps were completed, a small binary file would determine whether to drop the Predator malware onto the device.

The use of a full zero-day exploit chain for iOS is considered novel and provides valuable insight into the cutting-edge techniques employed by attackers. Each time a zero-day exploit is discovered, it represents a failure for the attackers, as they prefer to keep their vulnerabilities and exploits hidden. By studying these exploits, the security and tech industry can better defend against future attacks and make it more difficult for attackers to develop new exploits.

In addition to targeting iPhones, Intellexa also targeted Android phones using MITM attacks and one-time links sent directly to the targets. In this case, only one vulnerability was needed, tracked as CVE-2023-4762. This vulnerability exists in Google Chrome and allows attackers to execute arbitrary code on a host machine through a specially crafted HTML page. While this vulnerability was independently reported by a security researcher and patched on September 5, Google TAG believes Intellexa had previously been using it as a zero-day.

The discovery of these exploits will force attackers to find new vulnerabilities to maintain their ability to install Predator on iPhones. Each time their exploits are detected, it costs the attackers money, time, and resources. This will hopefully serve as a deterrent and push attackers to seek alternative methods.

This incident highlights the ongoing threats posed by surveillanceware companies and the importance of maintaining strong security measures on smartphones and other devices. It also emphasizes the need for prompt patching and updates to ensure that known vulnerabilities are addressed before they can be exploited. Both Apple and Google have taken steps to address these vulnerabilities, but it is crucial for users to stay vigilant and keep their devices up to date with the latest security patches.
