THREAD with a couple of interesting bits from @AmnestyTech's new report on what they learned from looking for NSO Group's spyware on phones amnesty.org/en/latest/rese…
@AmnestyTech (1) @AmnestyTech saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at @citizenlab also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.
Phone logs show that (at least some of) the iOS 13.x and 14.x zero-click exploits deployed by NSO Group involved ImageIO, specifically the parsing JPEG and GIF images. ImageIO has had more than a dozen high-severity bugs reported against it in 2021.
BlastDoor is a great step, to be sure, but it's pretty lame to just slap sandboxing on iMessage and hope for the best. How about: "don't automatically run extremely complex and buggy parsing on data that strangers push to your phone?!"
(2): @AmnestyTech also found that after @citizenlab's Dec 2020 report mentioning the zero-click hacking of Al Jazeera, NSO Group switched to Amazon's CloudFront to deliver exploits (lololol). @AmnestyTech reported this to Amazon, who took action to try and block the activity.
Also, (3) as @AmnestyTech observed and we @citizenlab can confirm, NSO Group's Pegasus spyware delivered via 0-click exploits is no longer "persistent" in the strict sense of the word (i.e., doesn't come back when you reboot). Persistence is achieved via firing the 0-click again
Because the 0-clicks they're using appear to be quite reliable, the lack of traditional "persistence" is a feature, not a drawback of the spyware. It makes the spyware more nimble, and prevents recovery of the "good stuff" (i.e., the spyware and exploits) from forensic analysis
(4) One of the other interesting bits here is just how much of pain it is to do phone forensics. @AmnestyTech couldn't do much w/ Android (as a lot of logs that are easy-to-access are wiped on device reboot), and the highest-signal iPhone analysis was limited to DataUsage.sqlite
DataUsage.sqlite is a file in an iTunes backup that records process names accessing the mobile data, as well as bytes uploaded and downloaded. Information can persist in here for *years* unless cleaned up. So, in around 2019, NSO Group decided to try their hand at cleaning it up.
Most of the information is in two tables, ZLIVEUSAGE and ZPROCESS. Entries in ZLIVEUSAGE reference an implicit foreign key in ZPROCESS, but there is no formal DB constraint, nor is there an ON DELETE CASCADE. Sooo... NSO deleted entries from ZPROCESS but not ZLIVEUSAGE.
This leaves an implicit inconsistency in the database which can be observed. Oh, and also you can just run "strings" on the DataUsage.sqlite file and find the deleted entries...
Another bit (5), is the fact that @AmnestyTech (and also @citizenlab) were able to trace NSO's "version 4" domain names, which NSO was using for command-and-control thru mid-2020, and for exploit/payload delivery thru early-2021. So how did this mapping work?
I'm not going to burn @citizenlab's exact process here, but I *do* want to relate a really fascinating story. Previously, we used to detect most of these through IP-based Internet scanning. But NSO threw three new major wrenches into our process here in 2018.
Wrench #1: NSO instituted "port-knocking" on their C&C servers. Originally, it looked like this (really freeking bizarre, right?), but then they switched to a much smarter scheme that only uses 80 and 443. This means C&Cs had no open ports to scan.
Wrench #2: NSO appeared to institute "DNS-knocking" on their infection servers. An arbitrary high (or low) numbered port is opened on the infection server when a victim sends a DNS query for a random 4th-level subdomain of an infection domain, like this:
Since NSO (or clients) control the DNS servers for the 3rd-level domain (e.g., *.f15fwd322[.]regularhours[.]net), they respond to the lookup, and have the chance to open the appropriate port on the infection server.
Wrench #3: The infection servers' domain names no longer appeared in SMSes. Instead, NSO created "URL shortener servers" hosted on shared-IP hosting that redirected to these bizarre 4th-level subdomains. Shared-IP hosting means scanning by IP will *not hit* the infection servers.
These three wrenches were a direct challenge to the IP-based Internet scanning methodology we used in 2018. However... what NSO taketh away, NSO also giveth :).
Because NSO infection servers used TLS, and because they were using 4th-level subdomains for infection, NSO needed to register *wildcard 3rd-level* TLS certs. Just look at these.. they look really weird, right? I'm sure you can imagine how to find a bunch more in public data 🤔
• • •
Missing some Tweet in this thread? You can try to
force a refresh
NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees. securelist.com/operation-tria…
The way Kaspersky wrote this, it's an interesting case study of defenders working out how to capture a zero-click exploit. I especially like that Kaspersky said what they tried that *didn’t work*, in addition to what did ultimately work. Let’s dive in with a thread!
If you’re a researcher who’s never captured an exploit chain from a threat actor “on the wire” recently, then you might not have run up against several “annoying roadblocks” that face a defender who sets out to complete this task.
) was the mechanism by which it subverts iCloud's two-factor authentication, presumably as part of a scheme to exfiltrate the user's data directly from iCloud.
iCloud's two-factor authentication appears to use a TOTP (time-based one-time-password) scheme, in which two-factor authentication codes valid for any time are entirely determined by applying a function to (1) the time and, (2) some private information present on the phone.
Rather than stealing (2), the way the spyware appears to defeat this scheme is by injecting code into the phone's heavily obfuscated "adid" process (part of the phone's Anisette framework), and hooking the "gettimeofday" syscall to fool "adid" about the current date and time.
Check out our NEW @citizenlab report "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers", in which we uncover traces of a new iOS 14 zero-click deployed against civil society from (at least) Jan through Nov 2021 citizenlab.ca/2023/04/spywar…
The zero-click exploit, which we call ENDOFDAYS, appears to have made use of invisible malformed "Meeting" invitations processed by the iPhone's calendar app. ENDOFDAYS looks to have been deployed as a zero-day against iOS versions 14.4 and 14.4.2, and maybe other versions.
So, who are QuaDream's customers? Based on our Internet scanning and infrastructure analysis, we believe that QuaDream operators are located in AE, BG, CZ, HU, GH, IL, MX, RO, SG, and UZ (unclear if IL is customer or just QuaDream themselves) and potentially other countries too.
NEW REPORT today from @Reuters@JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets reuters.com/investigates/s…
The CIA network reportedly consisted of benign looking websites with a hidden communications functionality, used by assets around the world to communicate back and forth with their agency handlers.
We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.
New @citizenlab report "BREAKING THE NEWS", in which we show how New York Times journalist Ben Hubbard was hacked with Pegasus twice (July 2020 and June 2021), both after he complained to NSO about previous hacking attempts against him citizenlab.ca/2021/10/breaki…
We attribute the spyware to NSO Group with high confidence. NSO Group says that it couldn't have been them for "technical and contractual reasons," but it's quite likely they're wrong. We conclude it was their spyware with high confidence, as we show in our report.
Our confidence is bolstered by the fact that Hubbard's case has excellent evidence: he regularly took backups of his iPhones, so we can compare the before-and-after cases, and notice the telltale signs of Pegasus introduced onto (or deliberately cleaned up from) the phone.