Apple has recently addressed three significant zero-day vulnerabilities, reported on September 21, 2023. These flaws were exploited to form part of an attack chain targeting former Egyptian parliament member Ahmed Eltantawy. Between May and September 2023, this attack aimed to deliver a spyware variant known as Predator, raising serious concerns about government surveillance efforts.
The Citizen Lab, which investigated this case, suggests that the attack was highly likely executed by agents of the Egyptian government. The timing of the assault coincided with Eltantawy’s announcement of his intention to run for president in the upcoming 2024 Egyptian elections, indicating a deliberate effort to silence critical voices. Previous reports have characterized the Egyptian government as a customer of the commercial spyware tool used in this incident.
A joint investigation by Google’s Threat Analysis Group and Citizen Lab revealed that the spyware was delivered through links sent via SMS and WhatsApp. Eltantawy’s Vodafone Egypt mobile connection was reportedly targeted through network injection techniques. Researchers noted that when Eltantawy accessed non-HTTPS websites, malicious redirections would occur via infrastructure located within Vodafone Egypt’s network, ultimately leading to a phishing site designed to install the Predator spyware.
The exploit chain leverages three identified vulnerabilities—CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993—enabling adversaries to bypass security checks, escalate privileges, and execute code remotely on the targeted devices. The FBI has issued warnings about such vulnerabilities, which represent critical weaknesses, especially when a device processes untrusted web content.
Predator, produced by the firm Cytrox, bears similarities to the infamous Pegasus spyware developed by the NSO Group. Both tools enable clients to monitor targets and harvest sensitive information from compromised devices. This specific spyware vendor was recently sanctioned by the U.S. government, which deemed their technology instrumental in human rights violations and repression efforts.
In this particular case, the attacker employed a redirection mechanism via a domain dubbed sec-flare[.]com, carried out through network injection performed by Sandvine PacketLogic devices. These devices sit at critical junctures between telecom providers, making them well placed for intercepting and redirecting network traffic. The exploit's delivery was masked within seemingly innocuous content, making it hard for the target to identify.
Researchers described this as an Adversary-in-the-Middle (AitM) attack. When Eltantawy navigated to HTTP sites, the attackers could silently divert him to a site under their control. If Eltantawy was indeed the intended target, the process would seamlessly redirect him to the exploit server, establishing the bridge needed for malware installation.
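The injected-redirect pattern described above (a plaintext HTTP request answered by a redirect into infrastructure the user never asked for) leaves a trace in proxy or gateway telemetry that defenders can hunt for. The following detection logic is an added example, not code from Citizen Lab, Google TAG or any vendor named here; the tab-separated log format, the sample log lines and the two-label domain approximation are constructed assumptions, and a real deployment would feed it from its own HTTP telemetry and use a public-suffix list.

```python
"""
Flag plaintext-HTTP responses that redirect to a different site.

Constructed example. Assumed log format (tab-separated, one transaction
per line): timestamp, scheme, requested host, path, status, Location header
(empty when absent). Adapt parse_line() to your proxy's real format.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class HttpTxn:
    ts: str
    scheme: str
    host: str
    path: str
    status: int
    location: Optional[str]


def parse_line(line: str) -> HttpTxn:
    """Parse one tab-separated transaction line into an HttpTxn."""
    ts, scheme, host, path, status, location = line.rstrip("\n").split("\t")
    return HttpTxn(ts, scheme.lower(), host.lower(), path, int(status), location or None)


def registrable_domain(host: str) -> str:
    """Naive two-label approximation of the registrable domain (assumption:
    no public-suffix list; 'co.uk'-style suffixes would need one)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_suspicious(txn: HttpTxn) -> bool:
    """True when a plaintext request was answered with a redirect whose target
    lies outside the site that was requested. Same-site upgrades to HTTPS and
    relative redirects are the expected benign cases and are not flagged."""
    if txn.scheme != "http" or not (300 <= txn.status < 400) or not txn.location:
        return False
    target = urlsplit(txn.location)
    if not target.hostname:
        return False  # relative redirect: stays on the requested host
    return registrable_domain(target.hostname) != registrable_domain(txn.host)


def find_suspicious(lines: List[str]) -> List[HttpTxn]:
    """Return the transactions in a log that match the cross-site redirect pattern."""
    return [t for t in map(parse_line, lines) if is_suspicious(t)]


# Constructed sample log; hosts use reserved 'example' names, not real infrastructure.
SAMPLE_LOG = [
    "2023-09-01T10:00:00Z\thttp\tnews.example.org\t/\t200\t",
    "2023-09-01T10:00:05Z\thttp\tnews.example.org\t/\t301\thttps://news.example.org/",
    "2023-09-01T10:01:10Z\thttp\tnews.example.org\t/article\t302\thttp://lure.example/landing?id=1",
    "2023-09-01T10:02:00Z\thttps\tbank.example.com\t/login\t302\thttps://auth.example.com/",
    "2023-09-01T10:03:00Z\thttp\tshop.example.net\t/cart\t302\t/checkout",
    "2023-09-01T10:04:00Z\thttp\tshop.example.net\t/cart\t302\thttps://pay.other.example/",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host}{hit.path} -> {hit.location}")
```

Only the third and sixth lines are flagged: the first is a plain 200, the second is a same-site HTTPS upgrade, the fourth was already over HTTPS (an injector on the path cannot rewrite it without breaking TLS), and the fifth is a relative redirect. A single cross-site redirect is not proof of injection, since legitimate sites redirect to CDNs and login providers, so the practical next step is to baseline the destinations a site normally redirects to and alert on new ones for plaintext requests.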
Further analysis indicated that he received SMS and WhatsApp messages masquerading as security alerts from WhatsApp itself, suggesting an ongoing effort to increase the likelihood of successful exploitation through social engineering. The campaign also involved a vulnerability in the Chrome web browser and the use of one-time links, which fall under the initial access and exploitation tactics as categorized by MITRE ATT&CK.
The assault on Eltantawy is a vivid reminder of the vulnerabilities that exist within the telecommunications ecosystem, particularly concerning drive-by download techniques and the risks posed by using unsecured networks. In a landscape where surveillance technology is becoming more accessible, it is crucial for all users—especially those in vulnerable positions—to prioritize device security. Keeping devices up to date and enabling advanced security measures, such as Lockdown Mode on Apple devices, are critical steps toward mitigating the risks associated with such threats.
As this story unfolds, it accentuates the pressing need for heightened awareness around cybersecurity practices, especially for users at risk due to their public roles or activism. Businesses and individuals alike must remain vigilant in maintaining robust security measures to guard against an ever-evolving array of cyber threats.