NEW @citizenlab joint-report with @MsftSecIntel: "Hooking Candiru," in which we provide an interesting look into the global proliferation of spyware from Candiru: another big player that sells hacking tools to govts, including known surveillance abusers citizenlab.ca/2021/07/hookin…
Our analysis is based on a "patient zero", a Western European politically active individual. We extracted a copy of Candiru's spyware from their computer, after identifying that their computer was communicating with Candiru spyware servers. So how did we find our "patient zero"?
Well, first, @citizenlab found a 2017 OPSEC mistake by Candiru, where six of their supposedly "hidden" spyware servers accidentally returned a TLS certificate (seen here on @censysio) with "candirusecurity[.]com" (oops!!!)
We linked this "candirusecurity[.]com" domain to a spyware vendor "Candiru Ltd", using WHOIS info for a second domain name that was registered with a candirusecurity[.]com email *and also* a phone number belonging to Candiru (per a business directory)
We later saw different weird self-signed TLS certs returned by these servers, and used @censysio and @RiskIQ to uncover 100s of similar certs on 100s of IPs (pointed to by 750+ domains) that we link to Candiru. Here are some @censysio queries we used so you can follow at home!
We then leveraged @teamcymru telemetry for the Candiru servers that we detected, which together with our @citizenlab civil-society connections, led us to our "patient zero." We analyzed their computer, ID'd components that talked to Candiru servers, and extracted the spyware!
@teamcymru@citizenlab We shared the spyware with Microsoft's @MsftSecIntel, who (surprise surprise) found that Candiru's Windows spyware was being used to target 100+ people, including journalists, activists, and other members of civil society. microsoft.com/security/blog/…
Also, @MsftSecIntel landed a pretty substantial blow against Candiru by detecting and patching *TWO* zero-day Windows privilege escalation exploits they were using (CVE-2021-31979 and CVE-2021-33771). Microsoft's patch went live during this week's Patch Tuesday.
Of course, like any spyware company worth its salt, Candiru also offers spyware that can infect mobile devices (according to a Candiru proposal published by @TheMarker), though their mobile spyware has not (yet) been captured and publicly analyzed.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees. securelist.com/operation-tria…
The way Kaspersky wrote this, it's an interesting case study of defenders working out how to capture a zero-click exploit. I especially like that Kaspersky said what they tried that *didn’t work*, in addition to what did ultimately work. Let’s dive in with a thread!
If you’re a researcher who’s never captured an exploit chain from a threat actor “on the wire” recently, then you might not have run up against several “annoying roadblocks” that face a defender who sets out to complete this task.
) was the mechanism by which it subverts iCloud's two-factor authentication, presumably as part of a scheme to exfiltrate the user's data directly from iCloud.
iCloud's two-factor authentication appears to use a TOTP (time-based one-time-password) scheme, in which two-factor authentication codes valid for any time are entirely determined by applying a function to (1) the time and, (2) some private information present on the phone.
Rather than stealing (2), the way the spyware appears to defeat this scheme is by injecting code into the phone's heavily obfuscated "adid" process (part of the phone's Anisette framework), and hooking the "gettimeofday" syscall to fool "adid" about the current date and time.
Check out our NEW @citizenlab report "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers", in which we uncover traces of a new iOS 14 zero-click deployed against civil society from (at least) Jan through Nov 2021 citizenlab.ca/2023/04/spywar…
The zero-click exploit, which we call ENDOFDAYS, appears to have made use of invisible malformed "Meeting" invitations processed by the iPhone's calendar app. ENDOFDAYS looks to have been deployed as a zero-day against iOS versions 14.4 and 14.4.2, and maybe other versions.
So, who are QuaDream's customers? Based on our Internet scanning and infrastructure analysis, we believe that QuaDream operators are located in AE, BG, CZ, HU, GH, IL, MX, RO, SG, and UZ (unclear if IL is customer or just QuaDream themselves) and potentially other countries too.
NEW REPORT today from @Reuters@JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets reuters.com/investigates/s…
The CIA network reportedly consisted of benign looking websites with a hidden communications functionality, used by assets around the world to communicate back and forth with their agency handlers.
We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.
New @citizenlab report "BREAKING THE NEWS", in which we show how New York Times journalist Ben Hubbard was hacked with Pegasus twice (July 2020 and June 2021), both after he complained to NSO about previous hacking attempts against him citizenlab.ca/2021/10/breaki…
We attribute the spyware to NSO Group with high confidence. NSO Group says that it couldn't have been them for "technical and contractual reasons," but it's quite likely they're wrong. We conclude it was their spyware with high confidence, as we show in our report.
Our confidence is bolstered by the fact that Hubbard's case has excellent evidence: he regularly took backups of his iPhones, so we can compare the before-and-after cases, and notice the telltale signs of Pegasus introduced onto (or deliberately cleaned up from) the phone.