NEW @citizenlab joint report with @MsftSecIntel: "Hooking Candiru," in which we provide an interesting look into the global proliferation of spyware from Candiru: another big player that sells hacking tools to govts, including known surveillance abusers citizenlab.ca/2021/07/hookin…
Our analysis is based on a "patient zero", a Western European politically active individual. We extracted a copy of Candiru's spyware from their computer, after identifying that their computer was communicating with Candiru spyware servers. So how did we find our "patient zero"?
Well, first, @citizenlab found a 2017 OPSEC mistake by Candiru, where six of their supposedly "hidden" spyware servers accidentally returned a TLS certificate (seen here on @censysio) with "candirusecurity[.]com" (oops!!!)
We linked this "candirusecurity[.]com" domain to a spyware vendor "Candiru Ltd", using WHOIS info for a second domain name that was registered with a candirusecurity[.]com email *and also* a phone number belonging to Candiru (per a business directory)
We later saw different weird self-signed TLS certs returned by these servers, and used @censysio and @RiskIQ to uncover 100s of similar certs on 100s of IPs (pointed to by 750+ domains) that we link to Candiru. Here are some @censysio queries we used so you can follow at home!
We then leveraged @teamcymru telemetry for the Candiru servers that we detected, which together with our @citizenlab civil-society connections, led us to our "patient zero." We analyzed their computer, ID'd components that talked to Candiru servers, and extracted the spyware!
We shared the spyware with Microsoft's @MsftSecIntel, who (surprise surprise) found that Candiru's Windows spyware was being used to target 100+ people, including journalists, activists, and other members of civil society. microsoft.com/security/blog/…
Also, @MsftSecIntel landed a pretty substantial blow against Candiru by detecting and patching *TWO* zero-day Windows privilege escalation exploits they were using (CVE-2021-31979 and CVE-2021-33771). Microsoft's patch went live during this week's Patch Tuesday.
Of course, like any spyware company worth its salt, Candiru also offers spyware that can infect mobile devices (according to a Candiru proposal published by @TheMarker), though their mobile spyware has not (yet) been captured and publicly analyzed.
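The thread describes two steps that are easy to reproduce in code: pivoting from one leaked certificate name to other hosts that serve the same unusual self-signed certificates, and then matching network telemetry against the resulting server list. The block below is an added example, not Citizen Lab's code and not the Censys queries shown in the thread's images. The certificate records mimic the shape of Censys host/certificate fields but are constructed here; the IPs are RFC 5737 documentation addresses, the DNs and log lines are invented, and the "generic DN" deny-list and per-DN host cap are my own guards against pivoting on certificates that unrelated servers also use.

```python
"""Pivot on TLS certificate attributes to enumerate linked infrastructure,
then flag hosts in connection logs that talk to it.

Added example (not Citizen Lab's code). All records, IPs, DNs and log lines
below are constructed; field names loosely follow Censys' host/certificate
output but nothing here is fetched from a live API.
"""
from typing import Dict, List, Set, Tuple

# Constructed certificate observations, one row per (ip, certificate) pair.
CERT_RECORDS: List[Dict[str, str]] = [
    # Seed: hosts that once returned a cert naming the vendor domain.
    {"ip": "192.0.2.10", "subject_dn": "CN=candirusecurity[.]com", "issuer_dn": "CN=candirusecurity[.]com"},
    {"ip": "192.0.2.11", "subject_dn": "CN=candirusecurity[.]com", "issuer_dn": "CN=candirusecurity[.]com"},
    # Later observations on the same hosts: unusual self-signed certs.
    {"ip": "192.0.2.10", "subject_dn": "O=Unknown, CN=Unknown Server", "issuer_dn": "O=Unknown, CN=Unknown Server"},
    {"ip": "192.0.2.11", "subject_dn": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd",
     "issuer_dn": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"},
    # Other hosts sharing the unusual self-signed DN (first pivot hop).
    {"ip": "203.0.113.20", "subject_dn": "O=Unknown, CN=Unknown Server", "issuer_dn": "O=Unknown, CN=Unknown Server"},
    {"ip": "203.0.113.21", "subject_dn": "O=Unknown, CN=Unknown Server", "issuer_dn": "O=Unknown, CN=Unknown Server"},
    # Second hop: a newly linked host also serves another odd cert shared with one more host.
    {"ip": "203.0.113.20", "subject_dn": "CN=srv-7f3a", "issuer_dn": "CN=srv-7f3a"},
    {"ip": "203.0.113.30", "subject_dn": "CN=srv-7f3a", "issuer_dn": "CN=srv-7f3a"},
    # Noise: openssl's interactive default DN (too generic to pivot on) and a CA-signed cert.
    {"ip": "198.51.100.7", "subject_dn": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd",
     "issuer_dn": "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"},
    {"ip": "198.51.100.9", "subject_dn": "CN=www.example.org", "issuer_dn": "CN=Example CA"},
]

# Assumed guards: DNs that countless unrelated servers use must never be pivot keys,
# and a DN seen on more hosts than this cap is treated as generic too.
GENERIC_DNS: Set[str] = {"C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"}
MAX_HOSTS_PER_DN = 50


def is_self_signed(rec: Dict[str, str]) -> bool:
    """A self-signed cert has identical subject and issuer DNs."""
    return rec["subject_dn"] == rec["issuer_dn"]


def pivot(records: List[Dict[str, str]], seed_domain: str,
          max_hosts: int = MAX_HOSTS_PER_DN) -> Dict[str, str]:
    """Return {ip: reason} for every host linked to seed_domain.

    Starts from hosts whose cert subject names the seed domain, then repeatedly
    adds hosts that serve the same self-signed DN as an already-linked host,
    until no new host is found (a fixed point).
    """
    # Index self-signed DNs -> hosts serving them (CA-signed certs are not pivot keys).
    hosts_by_dn: Dict[str, Set[str]] = {}
    for r in records:
        if is_self_signed(r):
            hosts_by_dn.setdefault(r["subject_dn"], set()).add(r["ip"])

    found: Dict[str, str] = {}
    for r in records:
        if seed_domain in r["subject_dn"]:
            found.setdefault(r["ip"], f"seed name match: {seed_domain}")

    used_dns: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for r in records:
            if r["ip"] not in found or not is_self_signed(r):
                continue
            dn = r["subject_dn"]
            if dn in used_dns or dn in GENERIC_DNS or len(hosts_by_dn[dn]) > max_hosts:
                continue
            used_dns.add(dn)
            for ip in hosts_by_dn[dn]:
                if ip not in found:
                    found[ip] = f"shares self-signed DN {dn!r} with a linked host"
                    changed = True
    return found


# Constructed key=value connection records, as a netflow collector might export them.
LOG_LINES: List[str] = [
    "2021-05-03T09:12:41Z src=10.0.0.5 dst=203.0.113.21 dport=443 proto=tcp",
    "2021-05-03T09:12:44Z src=10.0.0.5 dst=198.51.100.9 dport=443 proto=tcp",
    "2021-05-03T09:13:02Z src=10.0.0.8 dst=203.0.113.30 dport=443 proto=tcp",
]


def flag_connections(lines: List[str], suspect_ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs whose destination is a linked server."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dst") in suspect_ips:
            hits.append((fields["src"], fields["dst"]))
    return hits


if __name__ == "__main__":
    linked = pivot(CERT_RECORDS, "candirusecurity[.]com")
    for ip, why in sorted(linked.items()):
        print(f"{ip:15} {why}")
    print("internal hosts talking to linked servers:", flag_connections(LOG_LINES, set(linked)))
```

The deny-list and host cap are the part that matters in practice: a self-signed certificate with openssl's default subject, or any DN served by thousands of hosts, links nothing, so pivoting on it would pull unrelated servers into the set. Each hop also records why a host was added, so the chain back to the seed can be audited.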
More from @billmarczak

18 Jul
THREAD with a couple of interesting bits from @AmnestyTech's new report on what they learned from looking for NSO Group's spyware on phones amnesty.org/en/latest/rese…
(1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw a 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.
18 Jul
BREAKING: Major new investigation from @FbdnStories into a leaked list of 50,000+ phone numbers that are said to have been looked up by NSO Group's customers, perhaps as a prelude to the customers hacking into the phones washingtonpost.com/investigations…
The leaked number lists show data going back to 2016, and are believed to come from a subset of NSO clients in 10 countries (Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE).
.@FbdnStories worked with @AmnestyTech to investigate 67 phones on the leaked list, and discovered that 37 showed signs of hacking. We @citizenlab peer-reviewed the forensic methodology, and also examined four of the phones: citizenlab.ca/2021/07/amnest…
20 Dec 20
🚨BIG @citizenlab report on an NSO Group hacking bonanza. In late 2019 and in July 2020, NSO Group clients appear to have used an invisible 0-click exploit in iMessage to break into the latest, up-to-date iPhones. Some of the first targets were journalists citizenlab.ca/2020/12/the-gr…
At least 36 personal phones belonging to journalists, producers, executives, and presenters at Al Jazeera, and one journalist at Al Araby, were hacked in July by four operators, two of which we attribute to the UAE and Saudi. One journalist hacked was @AJArabic's @TamerMisshal.
Tamer's hard-hitting investigative programs have focused on possible UAE Gov linked financial corruption, the Khashoggi killing, and Bahrain's alleged hiring of Al Qaeda to kill opposition members.
1 Dec 20
We've got a neat new @citizenlab report out, looking at NSO Group affiliate company Circles, the we-spy-without-hacking-your-phone guys, who reportedly exploit flaws in mobile phone networks themselves. We ID'd a bunch of likely customers! citizenlab.ca/2020/12/runnin…
The essence of the report is simple. The firewalls of Circles systems are configured using a management server with the domain name "tracksystem[.]info." Thanks to some leaked documents filed in a lawsuit in Israel, we can see that this domain name is used by Circles for email.
There's some dodgy customers, including spyware abuser UAE (apparently UAE Supreme Council for National Security, Sh. Tahnoon's Royal Group, and Dubai Police). The Royal Group case is interesting, because there also seems to be a nexus with Mohammed Dahlan.
19 May 20
Uh oh. It looks like the US state of Nevada has partnered with a UAE intelligence-linked company (Group 42) on COVID19 testing. It seems that Group 42 will get access to test data from US Citizens, which they will use for an "innovative genomic study." nvc19.org/united-arab-em…
A little background on Group 42: they were the ones behind the ToTok chat app. ToTok was banned from both the Apple Store and the Google Play Store after US intelligence sources told the New York Times that ToTok was a front for UAE intelligence. nytimes.com/2019/12/22/us/…
Also, ToTok (formerly "Group 42 IM") is linked to Sheikh Tahnoon bin Zayed al-Nahyan, a senior UAE intelligence official. Sheikh Tahnoon's adopted son and PR manager were both apparently directors & investors of holding companies linked to ToTok medium.com/@billmarczak/h…