Key Findings
- Ahmed Eltantawy, a former Egyptian MP and presidential candidate, was targeted with Cytrox’s Predator spyware after announcing his bid for the presidency.
- The spyware was delivered through SMS, WhatsApp messages, and network injection attacks, highlighting the advanced tactics used against Eltantawy.
- Researchers obtained an iPhone zero-day exploit chain used to install Predator on iOS devices, affecting versions through 16.6.1.
- The network injection attack was attributed with high confidence to the Egyptian government, as it originated from a device physically located within Egypt.
- This case raises concerns about the lack of controls on the export of spyware technologies and underscores the importance of security updates and lockdown modes on Apple devices.
In a recent investigation by Citizen Lab, alarming findings reveal that former Egyptian Member of Parliament, Ahmed Eltantawy, was the victim of a sophisticated cyber espionage campaign that leveraged Cytrox’s Predator spyware.
This targeting occurred between May and September 2023, shortly after Eltantawy publicly announced his intention to run for President in the 2024 Egyptian elections.
Here, it is worth noting that Cytrox’s Predator spyware was initially discovered targeting Android devices in May 2022. However, in August 2022, Citizen Lab pointed out a connection between the spyware and the European spyware vendor, Intellexa Alliance.
At that time, the spyware was used to target a lawmaker in Greece, and interestingly, the same firm had previously made headlines in November 2019 when Cypriot authorities seized a surveillance van belonging to Intellexa. This surveillance van was equipped with hacking tools capable of intercepting, cracking, and tracking smartphones.
The campaign against Eltantawy utilized various tactics, including SMS and WhatsApp messages containing malicious links. Moreover, Eltantawy’s mobile connection with Vodafone Egypt was persistently selected for targeting via network injection.
When Eltantawy visited non-HTTPS websites, a device within Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.
Citizen Lab’s investigation uncovered an iPhone zero-day exploit chain designed to install Predator on iOS versions through 16.6.1. They also obtained the first stage of the spyware, which shared notable similarities with a sample of Cytrox’s Predator spyware obtained in 2021. With high confidence, Citizen Lab attributes the spyware to Cytrox’s Predator spyware.
Given Cytrox’s known association with the Egyptian government, which is a customer of the Predator spyware, and the fact that the spyware was delivered via network injection from a device physically located within Egypt, Citizen Lab confidently attributes the network injection attack to the Egyptian government.
This isn’t the first time Eltantawy has been targeted. In November 2021, his phone was infected with Cytrox’s Predator spyware through a text message containing a link to a Predator website.
These revelations raise serious concerns about the use of spyware to target opposition figures in a democratic process. Ahmed Eltantawy’s case underscores the need for strong cybersecurity measures and heightened awareness of potential threats during election campaigns.
Apple Releases Emergency Updates Amid Citizen Lab’s Disclosure
In response to Citizen Lab’s findings, Apple has issued three emergency updates for iOS, iPadOS (1), and macOS Ventura (2). The updates address the following vulnerabilities:
Apple has also acknowledged the researchers’ findings and stated that the company is aware of reports suggesting that this issue may have been actively exploited in versions of iOS prior to iOS 16.7.
Commenting on this, Dr Klaus Schenk, senior vice president of security and threat research at Verimatrix, said “The vulnerabilities discovered in Apple’s platforms are highly concerning due to their potential impact. Privilege escalation, arbitrary code execution, and especially remote exploitable arbitrary code execution rank among the most dangerous issues for any computing system.”
Dr Klaus emphasised that “It’s reassuring that Apple has not yet disclosed technical details of the attack vectors. Keeping that information private significantly reduces the risk of widespread exploits, since threat actors have less information to engineer effective attacks. For remote code execution to occur, a user would need to visit a website specifically crafted to leverage these vulnerabilities and distribute malicious code. With details undisclosed, the number of sites currently capable of mounting such an attack is likely very low.”
“That said, Apple customers should immediately install these emergency security updates to protect themselves against potential targeted attacks. Timely patching is critical, as threat actors will eventually reverse engineer the fixes to understand the underlying flaws. By updating promptly, users ensure their devices cannot be compromised by attacks exploiting these particular zero-day vulnerabilities, he advised.” “Moving forward, it’s essential that Apple continue working diligently to identify and rectify security issues in their software before they can be weaponised against users.”
This marks the second time in a month that Citizen Lab has detected a sophisticated spyware campaign targeting Apple devices. On September 7th, 2023, Apple released a critical security update to address a zero-click vulnerability that was actively delivering NSO Group’s Pegasus spyware to iPhones. These revelations were initially reported by Citizen Lab, which classified the attack as a BLASTPASS operation.
Conclusion
The Citizen Lab’s findings also shed light on the importance of maintaining up-to-date software and enabling security features like Lockdown Mode on Apple devices. They emphasize the critical role that security measures play in safeguarding individuals from cyber threats.
Additionally, the report calls for increased controls on the export of technologies that can be misused to violate human rights. It highlights the need for greater transparency and accountability in regulating dual-use technology exports, especially in cases involving companies headquartered in Canada.
In a world where cyber threats are becoming increasingly sophisticated, these findings serve as a stark reminder of the importance of digital security and the potential consequences of inadequate measures.
RELATED ARTICLES
- QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks
- Apple AirTags can be used as trojan for credential hacking
- Israeli spyware used in hacking phones of journalists globally
- Android Version of Sophisticated Pegasus Spyware Discovered
- Israeli Spyware Vendor Uses Chrome 0day to Target Journalists