Bad Apples: How CNA Attacks Put Everyone At Risk

On September 14, 2021, two unrelated incidents demonstrated not only the vulnerability of users to state-sponsored attacks but the fact that defenders are relegated to playing “cat and mouse” with attackers (including government attackers), and the fact that when we provide computer and network attack (CNA) tools just to the “good guys”—we really don’t know that they are, in fact, “good” and that they’re using the tools only for “good.”

The first incident involves former U.S. intelligence agents who were criminally charged with developing and deploying sophisticated zero-click CNA tools for the UAE government, targeting Apple devices including iPhones. The second incident involves continuing revelations that Israeli company NSO Group’s Pegasus project was doing the same for some of the most repressive regimes in the Middle East and elsewhere. Indeed, the sophistication and capabilities of these exploits to CVE-2021-30860 were so dangerous that Apple sent out an emergency patch and encouraged all users of all connected Apple products to immediately patch their devices.

Hackers for Hire

The UAE case involved several former U.S. intelligence agents who first worked for a U.S. defense contractor, and later were employed by a UAE company that did work for the UAE government. The contractors developed and deployed sophisticated CNA tools, including those called KARMA and KARMA 2, which permitted a zero-click attack on Apple devices, allowing the attacker to steal and exploit user credentials for mail, communications, social networking and cloud access. The whole enchilada.

The relatively modest criminal charges involve a conspiracy to evade U.S. export control requirements on the foreign development and use of CNA tools (without a license from the U.S. government), a conspiracy to exchange “access devices” and to violate the U.S. computer crime laws prohibiting unauthorized access to computers.

Marc Baier, Ryan Adams and Daniel Gericke all worked for the United States intelligence community or the Department of Defense. There, they learned both offensive and defensive cyberwarfare—how to both attack IT systems and how to defend them. When they left the employ of the U.S. government, the three then shopped the skills they developed to other governments—as hackers for hire. They were employed by a U.S. defense contractor which had a contract with the United Arab Emirates (UAE) to provide services approved both under State Department and Treasury Department export control law.

They were specifically prohibited from releasing information regarding “cryptographic analysis and/or computer network exploitation or attack,” or targeting or exploiting U.S. citizens or companies without prior approval by the U.S. government. According to federal criminal information filed in the U.S. District Court in Washington, D.C., the three then left their U.S. employer to work for a UAE company for higher pay and a bigger budget. They began a group called Cyber Intelligence-Operations (CIO), but continued to get information (including information controlled for export) from their prior employer.

While working for the UAE company, they developed hacking techniques—they called them KARMA and KARMA 2—which deployed zero-click exploits on Apple devices (the indictment does not say Apple, but, duh) that enabled the UAE company and any of its customers or third parties to access any Apple device and install spyware or malware on that device without the owner or user of that device having to do anything.

Typical phishing attacks require the user to click something, navigate somewhere or do something. Zero-click exploits—like the Apple exploit—can be perpetrated through apps, messages, texts or other communications and can be configured to give the attacker full control over the device. This includes obtaining access to user credentials on the Apple devices which permit access to the users email, social media, cloud storage and other accounts. Full control.

Baier, Adams and Gericke exploited these credentials for the benefit of their employer and benefactors. When Apple fixed the vulnerability that permitted the exploit used by the KARMA system in September 2016, they found a new vulnerability to exploit—KARMA 2—and again it was off to the races. While Apple updated its OS again in August of 2017 to close the newer vulnerability, devices that were not updated remained (and remain) vulnerable.

The End Result

In a technical sense, what the trio did was fail to apply for and obtain an appropriate license from the U.S. State and Treasury Departments to export, develop and deploy CNA tools to a foreign company and foreign government. In modern warfare, exporting CNA tools is seen as analogous to arms dealing or weapons smuggling. Selling CNA tools can do as much or more damage than selling F-35 Lightning fighter jets or the plans to U.S. Arleigh Burke-class destroyers. These are tools of surveillance and warfare, which can be and are then turned against U.S. citizens and interests.

But the trio did more. As a result of their actions, the UAE—a “friendly” nation—was able to use the sophisticated tools in violation of U.S. anti-hacking laws. Which points out one of the issues with espionage. As a former U.S. espionage prosecutor during the Cold War (remember the Cold War?) we noted that almost everything the intel community does is a crime—that is, it violates the law of the country it is targeting. Hacking, trespass, surveillance, theft, break-ins—all the stuff you see in spy movies—are illegal in the targeted country and yet, they are all part of “tradecraft.” But you don’t turn these tools against your own people and country.

What’s surprising about the case is the fact that the U.S. government entered into a “deferred prosecution” agreement with the trio, so that at the end of a three-year probationary period, the charges against them will be dismissed (they do have to give up their top-secret clearances, though). They have to quit their current jobs with the UAE and notify the FBI of their new jobs. They are to cooperate with the government about their activities and pay a fine that can’t be reimbursed by their employer without the consent of the government. Oh, and they agree not to hack for foreign governments, spy on U.S. persons or illegally export sophisticated CNA tools.

It’s not clear why the DOJ went along with what is essentially a slap on the wrist. No prosecution, no jail time and the payment of a fine with the possibility that it will be reimbursed. This hardly treats developing and selling CNA exploits like weapons of mass destruction. More like selling alligator clips to listen in on phone calls. No big deal.

But these zero-day and zero-click exploits are a big deal. Huge. The fact and the knowledge that they exist undermine any sense of security for the entire infrastructure. Not only are iPhones, iPads and Macs vulnerable, but the entire authentication infrastructure is rendered moot by these exploits. Cryptocurrency authentication, MFA, social media, email, access to the cloud are all undermined. That’s kinda the point.

Of course this isn’t an “Apple” thing—its just an “Apple this time” thing. While we understand that exploits are being developed and used by intelligence communities worldwide, we really want to make sure that they are used “appropriately.” Unfortunately, we have no standards for what is “appropriate.”

NSO, Pegasus and Repressive Regimes

The announcement of the deferred prosecution agreement by DOJ coincides with additional revelations about the activities of the Israeli NSO Group, which finds and sells (to “selected” customers) various zero-click exploits which enable the same ability to take over devices.

While NSO’s Pegasus program claims to vet both the entities to which the service is provided and the targets against which they are deployed, human rights and journalist organizations have found NSO software and exploits on the devices of human rights activists and journalists—targeted by their governments for surveillance.

In one case, a security researcher examined the iTunes backup files of a prominent Saudi dissident and found some mysterious .gif files in places that they should not have been found. They were photoshop .psd files saved with a .gif extension, which turned out to be a 748-byte Adobe PSD file. As the researchers discovered, the file was designed to cause an IMTranscoderAgent crash on the device into which it was injected, which would then lead to an exploit which was nicknamed “FORCEDENTRY.”

Similar exploits were used to obtain zero-click access to devices belonging to journalists, protesters, activists and human rights advocates. Among the more than 50,000 leaked targets of these exploits included political dissidents, human rights activists, 180 journalists in nearly two dozen countries, a Dubai princess escaping her father, the fiancée of slain Saudi journalist Jamal Khashoggi and 14 heads of state, including French president Emmanuel Macron.

Both the United States and Israel purportedly control the export of certain cyber weapons, including CNA tools. But even when this control is exercised effectively, it means that commercial entities and individuals subject to these regulations (typically U.S. companies, citizens, residents or, in Israel, Israeli companies or citizens) cannot export technology of U.S. or Israeli origin without permission. This means that their respective governments decide whether the export is in its national security interest. Moreover, once exported, the entity that now has the tool can use it in ways that may be beyond the control of the exporter.

The nature of security exploits are that they can be used to spy on terrorists, pedophiles and insurrectionists. The nature of security exploits are that they can be used to spy on dissidents, journalists and political adversaries. The nature of security exploits are that they can be used to spy on competitors, commercial companies and others in the marketplace. And they can be used by terrorists, hackers, spies and others. The idea is to keep the technology out of the hands of the wrong people. And who is to say who the “right” people are?

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 203 posts and counting.See all posts by mark