NSO ‘Pegasus’ Hacking Tool Targets Journalists Again - Security Boulevard

NSO ‘Pegasus’ Hacking Tool Targets Journalists Again

The NSO Group sells malware and other hacking paraphernalia to oppressive regimes around the globe. This time, its Pegasus tool set has been caught hacking journalists.

At the same time, a bunch of big tech companies have joined forces with Facebook’s fight against NSO Group. But NSO simply dismisses the criticism as fake news.

Apple also deserves criticism, according to commentators. In today’s SB Blogwatch, we deck the halls.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ****ing 2020.

Winged Stallion Sadly Not a Myth

What’s the craic? Raphael Satter reports—“legal battle against hacking company NSO”:

 Cisco, Dell … Microsoft and Google on Monday joined Facebook’s legal battle against hacking company NSO, filing an amicus brief in federal court that warned that the … firm’s tools were “powerful, and dangerous.” [It] opens up a new front in Facebook’s lawsuit … filed last year after it was revealed that [NSO] had exploited a bug in … WhatsApp to help surveil more than 1,400 people worldwide.

Awarding sovereign immunity to NSO would lead to a proliferation of hacking technology and “more foreign governments with powerful and dangerous cyber surveillance tools.” That in turn “means dramatically more opportunities for those tools to fall into the wrong hands,” … the brief argues.

Human rights defenders and technologists at … Citizen Lab and … Amnesty International have documented cases in which NSO technology has been used to target reporters, lawyers and even nutritionists lobbying for soda taxes. Citizen Lab [recently alleged] NSO’s phone-hacking technology had been deployed to hack three dozen phones belonging to [staff of] broadcaster Al Jazeera as well as a device belonging to a reporter at London-based Al Araby TV.

O RLY? Microsoft’s Tom Burt doesn’t hold back—“Cyber Mercenaries Don’t Deserve Immunity”:

 A growing industry of companies … is creating and selling cyberweapons that enable their customers to break into people’s … devices. Now, one of these 21st-century mercenaries, called the NSO Group, is attempting to cloak itself in the legal immunity afforded its government customers, which would shield it from accountability when its weapons inflict harm on innocent people. … We believe companies like NSO Group selling tools like Pegasus are concerning for three reasons:

First, their presence increases the risk that the weapons they create fall into the wrong hands. … Additionally, targets of these weapons can observe, reverse-engineer and then use these tools for their own purposes.

Second, private-sector companies creating these weapons are not subject to the same constraints as governments. … Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them.

Third, companies like the NSO Group threaten human rights whether they seek to or not. … Foreign governments are using those surveillance tools … to spy on human rights defenders, journalists and others, including U.S. citizens. … These tools threaten their rights and their lives.

Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes.

But what’s this about journalists? Zack Whittaker expands—“Dozens of journalists’ iPhones hacked”:

 For more than the past year … reporter Rania Dridi and at least 36 journalists, producers and executives working for the Al Jazeera news agency were targeted with a so-called “zero-click” attack that exploited a now-fixed vulnerability in Apple’s iMessage. The attack invisibly compromised the devices.

the researchers say they believe the journalists’ iPhones were infected with the Pegasus spyware, developed by [the] NSO Group. … Logs from the phone show that the spyware was likely able to secretly record the microphone and phone calls, take photos using the phone’s camera, access the victim’s passwords and track the phone’s location.

Citizen Lab said the bulk of the hacks were likely carried out by at least four NSO customers, including the governments of Saudi Arabia and the United Arab Emirates. … The researchers said Dridi was likely targeted by the UAE government. … Saudi Arabia allegedly used the surveillance technology to spy on the communications of columnist Jamal Khashoggi shortly before his murder.

NSO said it was unable to comment on the allegations as it had not seen the report. [It] declined to say … if Saudi Arabia or the UAE were customers or describe what processes — if any — it puts in place to prevent customers from targeting journalists. … “When we receive credible evidence of misuse … we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations. … We do know that CitizenLab regularly publishes reports based on inaccurate assumptions and without a full command of the facts, and this report will likely follow that theme,” … said a spokesperson.

Pull the other one, it’s got bells on. Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis and Ron Deibert tag-team thuswise—“The Great iPwn”:

 The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage. … We believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019. … In July 2020, KISMET was a zero-day against at least iOS 13.5.1.

We suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit. Infrastructure used in these attacks included … cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.

We have seen no evidence that the KISMET exploit still functions on iOS 14 and above. … Although we believe that NSO Group is constantly working to develop new vectors of infection, if you own an Apple iOS device you should immediately update to iOS 14.

Oh crikey. filmgirlcw has seen this movie before:

 The circumstances we know in this case make me question if any individual outside of the most security paranoid could have prevented being hacked in this way. This was an iOS 0-day that … worked via zero-click, meaning user interaction wasn’t necessary. … The initial vector appears to be Apple’s own servers.

So you’ve got people with modern (if not the latest) phones running the latest software on what is considered to be the most secure mobile operating system and you have highly-targeted attacks that appear to be state-sponsored, with high precision. … Literally every single person I know—and this includes some extremely sophisticated security experts—would have been victims here too.

None of which appears to surprise Cyberax:

 iOS basically is an insecure leaking sieve. The only reliable security mechanism in iOS is its prohibition of dynamic code generation (this of course means that no third-party JIT compilers are possible on iOS) and statically checked API usage.

However if you exploit one of the available system APIs and gain ability to use private Apple APIs, you can easily gain root access to the device. That’s why there’s been no real problem with finding jailbreaks – the attack surface is huge.

On the other hand, Android developers have been investing a lot of time and effort on true code sandboxing. Applications are run under restrictive SELinux policies, with all kinds of anti-malware measures and kernel-level self-defense features.

Or, to put it another way, diebeforei485 Google keeps doing Apple favors:

 A lot of the teams inside Apple who create first-party apps like iMessage are understaffed. … They should really hire more security folks. A lot of Apple’s product security work seems to be outsourced to Google Project Zero.

The U.S. government should do something! But Brandano can see an oint in the flyment:

 It would … be very difficult for an opposing state agent to claim foul play, while at the same time requiring state mandated backdoors in encryption.

So what can we learn from the malware’s C&C traffic IoC? vasuki isn’t impressed:

 Interesting to see that the malicious hosts are not in any standard blacklist or safe browsing databases for browsers while Turkey’s CERT has been sink-holing them.

Meanwhile, phantomfive sounds slightly sarcastic:

 Good thing Apple has a walled garden that keeps their users safe from being hacked. This kind of thing could never happen.

And Finally:

“Take care, stay strong and I will see you on the other side.”

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Paige Alonso (cc:by)

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 304 posts and counting.See all posts by richi