🚨 UPDATE YOUR APPLE DEVICES NOW🚨

We caught a zero-click, zero-day iMessage exploit used by NSO Group's #Pegasus spyware.

Target? Saudi activist.

We reported the #FORCEDENTRY exploit to @Apple, which just pushed an emergency update.

THREAD 1/
citizenlab.ca/2021/09/forced…
2/ Here's the story of the #FORCEDENTRY exploit:

Back in March my colleague @billmarczak was examining the phone of a Saudi activist infected w/ #Pegasus spyware. Bill did a backup at the time.

A recent re-analysis yielded something interesting: weird looking ".gif" files.
3/ Thing is, the ".gif" files...were actually Adobe PSD & PDF files...and exploited Apple’s image rendering library.

Result? Silent exploit via iMessage.

Victim sees *nothing,* meanwhile #Pegasus is silently installed & their device becomes a spy in their pocket.
4/ NSO Group says that their spyware is only for targeting criminals & terrorists.

But here we are... again: their exploits got discovered by us because they were used against an activist.

Thesis: discovery is an inevitable byproduct of selling spyware to reckless despots.
5/ #FORCEDENTRY exploit bigger picture:

Popular chat apps are the soft underbelly of device security.

They are on every device, & some have a needlessly large attack surface.

Their security needs to be a *top* priority.
6/ Less than a week from notification to patching #FORCEDENTRY.

@Apple can move fast. Great stuff. Herculean effort by teams there.

Company is obviously fed up with NSO & the mercenary spyware industry. Like Google, Facebook, and the rest of the legit tech industry.
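The detail in tweet 3/ that made the re-analysis click is a file-type mismatch: attachments named ".gif" whose contents were actually Adobe PSD and PDF files. The snippet below is an added example, not Citizen Lab's tooling, of the triage check a forensic analyst would run over a backup's attachments to surface that kind of mismatch: compare each file's extension against the signature ("magic bytes") at the start of its contents. The signatures are the standard ones for each format; the sample attachments and their names are constructed for the example.

```python
"""Flag attachments whose extension does not match their real format.

Added example (not Citizen Lab's code). The check is generic: any file whose
extension implies a known format but whose leading bytes say otherwise is
flagged, which covers the ".gif"-that-is-really-PSD/PDF case from the thread.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Well-known file signatures at offset 0: (magic bytes, format name)
SIGNATURES: tuple[tuple[bytes, str], ...] = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"8BPS", "psd"),                # Adobe Photoshop document
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
)

# Formats that are acceptable behind a given extension
EXPECTED: dict[str, set[str]] = {
    ".gif": {"gif"},
    ".png": {"png"},
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".pdf": {"pdf"},
    ".psd": {"psd"},
}


@dataclass(frozen=True)
class Finding:
    name: str
    claimed: str      # extension as found on the file name
    actual: str       # format detected from magic bytes, or "unknown"
    suspicious: bool


def detect_format(data: bytes) -> str:
    """Return the format whose signature matches the start of the data."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def triage_attachment(name: str, data: bytes) -> Finding:
    """Compare the claimed extension with the content-derived format.

    Flags the file when the extension maps to a known expected format and
    the bytes say something else (including an unrecognised signature).
    Extensions we have no expectation for are left unflagged.
    """
    ext = os.path.splitext(name)[1].lower()
    actual = detect_format(data)
    expected = EXPECTED.get(ext)
    suspicious = expected is not None and actual not in expected
    return Finding(name, ext, actual, suspicious)


def triage_all(files: dict[str, bytes]) -> list[Finding]:
    """Run the check over a name -> contents mapping (e.g. backup attachments)."""
    return [triage_attachment(n, d) for n, d in files.items()]


# Constructed sample attachments; the bodies are placeholder bytes, not real files
SAMPLE_FILES: dict[str, bytes] = {
    "kitten.gif": b"GIF89a" + b"\x00" * 16,
    "attach1.gif": b"8BPS\x00\x01" + b"\x00" * 16,          # PSD wearing a .gif name
    "attach2.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",        # PDF wearing a .gif name
    "notes.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for f in triage_all(SAMPLE_FILES):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.name:12} claims {f.claimed:5} is {f.actual:8} {flag}")
```

Running it over the constructed set flags only the two ".gif" files carrying PSD and PDF signatures. In practice the same loop is pointed at the attachment directory of an extracted backup, and a hit is a reason to look further, not proof of an exploit on its own.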
