{"id":21711,"date":"2023-04-12T10:30:04","date_gmt":"2023-04-12T18:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/04\/12\/news-15442\/"},"modified":"2023-04-12T10:30:04","modified_gmt":"2023-04-12T18:30:04","slug":"news-15442","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/04\/12\/news-15442\/","title":{"rendered":"Yet more digital spies targeting iPhones exposed by security researchers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2021\/04\/29\/12\/ios-145-new-features-100886627-small.jpg\"\/><\/p>\n<p>Just weeks after President Biden signed an executive order designed to prevent the US government from purchasing commercial spyware used to <a href=\"https:\/\/www.csoonline.com\/article\/3691711\/biden-administration-seeks-to-tamp-down-the-spyware-market-with-a-new-ban.html\" rel=\"noopener\" target=\"_blank\">subvert democracies<\/a>, researchers have identified yet another shameful zero-click, zero-day exploit that targeted iPhone users. This spy-for-hire \u2018solution\u2019 was sold by an Israeli firm called QuaDream.<\/p>\n<p>QuaDream\u2019s attacks have been exposed by security researchers at <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia\/\" rel=\"noopener nofollow\" target=\"_blank\">Microsoft<\/a> and <a href=\"https:\/\/citizenlab.ca\/2023\/04\/spyware-vendor-quadream-exploits-victims-customers\/\" rel=\"noopener nofollow\" target=\"_blank\">Citizen Lab<\/a>. 
QuaDream is a more <a href=\"https:\/\/www.computerworld.com\/article\/3666688\/apple-slaps-hard-against-mercenary-surveillance-as-a-service-industry.html\">secretive entity than NSO Group<\/a> but shares much of the same pedigree, including being founded by ex-NSO Group employees and having connections to Israeli intelligence. Its <a href=\"https:\/\/www.computerworld.com\/article\/3649208\/second-israeli-firm-accused-of-undermining-iphones-like-nso-group.html\">attacks were first exposed<\/a>\u00a0last year, but the researchers have since found more about how these <a href=\"https:\/\/www.computerworld.com\/article\/3641261\/apple-pulls-no-punches-in-lawsuit-against-amoral-nso-group.html\">digital mercenaries<\/a> worked.<\/p>\n<p>The company sold a spooky surveillance platform called Reign to governments, ostensibly for law enforcement. Reign provides malware, exploits, and infrastructure to steal data from compromised devices, including iPhones running iOS 14.<\/p>\n<p>Apple was made aware of these exploits in 2021 when it notified individuals targeted by the spooks and hardened its own security protections.<\/p>\n<p>The researchers claim QuaDream now exclusively focuses on iOS attacks.<\/p>\n<p>The newly identified malware is called <a href=\"https:\/\/aka.ms\/DEV-0196-Quadream\" rel=\"noopener nofollow\" target=\"_blank\">KingsPawn<\/a> and was proliferated by a ghastly exploit christened EndOfDays, a zero-click attack which appeared to make use of invisible iCloud calendar invites to infect machines \u2014 users didn\u2019t even need to do anything to be attacked.<\/p>\n<p>The researchers report it to be in active use in Mexico, and Citizen Lab has identified victims situated in the US, Europe, the Middle East, and Central and Southeast Asia. 
Victims include politicians, journalists, and one NGO worker.<\/p>\n<p>When installed on an iPhone, the spy software can record audio from calls or the microphone, take pictures, steal and remove keychain items, generate 2FA iCloud passwords, track location, search files, and search databases, all while masking its presence. It even has a self-destruct feature.<\/p>\n<p>To support these attacks, Citizen Lab has identified over 600 servers located in at least 10 nations operated by QuaDream customers. Those servers perform a range of tasks, including storage of stolen data and exploit distribution\/targeting.<\/p>\n<p>Nations in which the servers are based include Israel, United Arab Emirates, Uzbekistan, Singapore, Hungary, Czech Republic, Romania, Bulgaria, Mexico, and Ghana. At least three (Hungary, Mexico, and the UAE) are known to use spyware to target human rights defenders (HRDs), journalists, and others involved in civil society.<\/p>\n<p>\u201cWe cannot determine if the systems operated from Israel are operated by the Israeli government or QuaDream itself. 
Nevertheless, the Israeli government is also suspected to have abused mercenary spyware to target Palestinian HRDs, as well as domestic political activists,\u201d the researchers said.<\/p>\n<p>With names like KingsPawn, ForcedEntry, EndOfDays, and Pegasus, the exploits used by these firms share some features, principally sophisticated attack vectors and a <a href=\"https:\/\/www.computerworld.com\/article\/3643970\/designer-smartphone-hacks-will-trickle-down-in-2022.html\">tendency to proliferate into wider use<\/a>.<\/p>\n<p>No surprise, then, to learn that two of the co-founders of QuaDream include people who previously worked for the NSO Group and that the company itself is allegedly led by a <a href=\"https:\/\/citizenlab.ca\/2023\/04\/spyware-vendor-quadream-exploits-victims-customers\/\" rel=\"noopener nofollow\" target=\"_blank\">former Israeli military official<\/a>.<\/p>\n<p>\u201cNumerous key individuals associated with both companies have prior connections with another surveillance vendor, Verint, as well as Israeli intelligence agencies,\u201d Citizen Lab said. \u201cUntil the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fuelled both by companies with recognizable names, as well as others still operating in the shadows.\u201d<\/p>\n<p>Microsoft is scathing about such attacks. It describes the growth of mercenary spyware companies as a threat to democracy and human rights and warns that the attacks used by these shady players will inevitably leak into wider criminality, with extreme effects.<\/p>\n<p>\u201cThis poses real risk to human rights online, but also to the security and stability of the broader online environment,\u201d warned\u00a0Amy Hogan-Burney, Microsoft\u2019s associate general counsel for cybersecurity policy and protection. 
That\u2019s not just because of the threats themselves, but also the culture they create.<\/p>\n<p>\u201cThe services they offer require cyber mercenaries to stockpile vulnerabilities and search for new ways to access networks without authorization,\u201d she said.<\/p>\n<p>Apple has made no secret that it agrees with this Microsoft assessment. <a href=\"https:\/\/www.computerworld.com\/article\/3666688\/apple-slaps-hard-against-mercenary-surveillance-as-a-service-industry.html\">Filing suit against NSO Group<\/a> in 2021, it called these people \u201c21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.\u201d<\/p>\n<p>Ivan Krsti\u0107, head of Apple Security Engineering and Architecture, has said, \u201cOur threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from<em>\u00a0<\/em>abusive state-sponsored actors\u00a0like NSO Group.\u201d<\/p>\n<p>While the kind of attacks developed by such shadowy groups may cost a great deal to mount at first, that cost declines. For Apple, the challenge is to continue to <a href=\"https:\/\/www.computerworld.com\/article\/3689916\/why-you-should-use-apples-rapid-security-response.html\">make it hard enough<\/a> to crack device security that the cost of those attacks remains too high for casual attackers. 
But over time exploits do leak, and those using older devices that no longer receive security patches are at increased risk.<\/p>\n<p>It is extremely hard to protect against hitherto unknown zero-click attacks, but there are some approaches that may help limit the attack surface:<\/p>\n<p>An iPhone user who believes they may be a target of attack <a href=\"https:\/\/www.applemust.com\/how-to-use-lockdown-mode-on-your-iphone-ipad-and-mac\/\" rel=\"noopener nofollow\" target=\"_blank\">should enable Lockdown Mode<\/a>, which enhances existing security protection by dramatically shrinking the available attack surface, at the cost of some iPhone functionality. But one thing everyone can do is <a href=\"https:\/\/www.computerworld.com\/article\/3665052\/the-surveillance-as-a-service-industry-needs-to-be-brought-to-heel.html\">insist this industry is brought to heel<\/a> \u2014 particularly as generative AI machines get ready to combine with the profound computational power of quantum computing.<\/p>\n<p><strong><em>Please follow me on\u00a0<a href=\"https:\/\/social.vivaldi.net\/@jonnyevans\" rel=\"nofollow noopener\" target=\"_blank\">Mastodon<\/a>, or join me in the\u00a0<a href=\"https:\/\/mewe.com\/join\/appleholics_bar_and_grill\" rel=\"nofollow noopener\" target=\"_blank\">AppleHolic\u2019s bar &amp; grill<\/a>\u00a0and\u00a0<a href=\"https:\/\/mewe.com\/join\/apple_discussions\" rel=\"nofollow noopener\" target=\"_blank\">Apple\u00a0Discussions<\/a>\u00a0groups on MeWe.<\/em><\/strong><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3692922\/yet-more-digital-spies-targeting-iphones-exposed-by-security-researchers.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2021\/04\/29\/12\/ios-145-new-features-100886627-small.jpg\"\/><\/p>\n<article>\n<section 
class=\"page\">\n<p>Just weeks after President Biden signed an executive order designed to prevent the US government from purchasing commercial spyware used to <a href=\"https:\/\/www.csoonline.com\/article\/3691711\/biden-administration-seeks-to-tamp-down-the-spyware-market-with-a-new-ban.html\" rel=\"noopener\" target=\"_blank\">subvert democracies<\/a>, researchers have identified yet another shameful zero-click, zero-day exploit that targeted iPhone users. This spy-for-hire \u2018solution\u2019 was sold by an Israeli firm called QuaDream.<\/p>\n<h3 class=\"body\">Making everyone less safe<\/h3>\n<p>QuaDream\u2019s attacks have been exposed by security researchers at <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/11\/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia\/\" rel=\"noopener nofollow\" target=\"_blank\">Microsoft<\/a> and <a href=\"https:\/\/citizenlab.ca\/2023\/04\/spyware-vendor-quadream-exploits-victims-customers\/\" rel=\"noopener nofollow\" target=\"_blank\">Citizen Lab<\/a>. QuaDream is a more <a href=\"https:\/\/www.computerworld.com\/article\/3666688\/apple-slaps-hard-against-mercenary-surveillance-as-a-service-industry.html\">secretive entity than NSO Group<\/a> but shares much of the same pedigree, including being founded by ex-NSO Group employees and having connections to Israeli intelligence. 
Its <a href=\"https:\/\/www.computerworld.com\/article\/3649208\/second-israeli-firm-accused-of-undermining-iphones-like-nso-group.html\">attacks were first exposed<\/a>\u00a0last year, but the researchers have since found more about how these <a href=\"https:\/\/www.computerworld.com\/article\/3641261\/apple-pulls-no-punches-in-lawsuit-against-amoral-nso-group.html\">digital mercenaries<\/a> worked.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3692922\/yet-more-digital-spies-targeting-iphones-exposed-by-security-researchers.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10462,2211,8826,10554,714,24580],"class_list":["post-21711","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-android","tag-apple","tag-iphone","tag-mobile","tag-security","tag-small-and-medium-business"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21711"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21711\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"
href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}