![](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?w=640&ssl=1\")
<\/p>\n<\/p>\n
![](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain-1.jpg?w=640&ssl=1\")
<\/div>\nAn Israeli surveillanceware company used the three Apple zero-day vulnerabilities disclosed last week to develop an exploit chain for iPhones, and a Chrome zero-day to exploit Androids \u2014 all in a novel attack on Egyptian organizations.<\/p>\n
According to a recent report<\/a> from Google’s Threat Analysis Group (TAG), the company \u2014 which calls itself “Intellexa”<\/a> \u2014 used the special access it gained through the exploit chain to install its signature “Predator” spyware against unnamed targets in Egypt.<\/p>\n Predator was first developed by Cytrox, one of a number of spyware developers that have been absorbed under the umbrella of Intellexa in recent years, according to TAG. The company is a known threat: Intellexa had previously deployed Predator<\/a> against Egyptian citizens back in 2021.<\/p>\n Intellexa’s iPhone infections in Egypt began with man-in-the-middle (MITM) attacks, intercepting users as they attempted to reach http sites (encrypted https requests were immune).<\/p>\n “The use of MITM injection gives the attacker a capability where they don’t have to rely on the user to take a typical action like clicking a specific link, opening a document, etc.,” TAG researchers note via email. “This is similar to zero-click exploits, but without having to find a vulnerability in a zero-click attack surface.”<\/p>\n They added, “this is yet another example of the harms caused by commercial surveillance vendors and the threats they pose not only to individuals, but society at large.”<\/p>\n Using the MITM gambit, users were redirected to an attacker-controlled site. From there, if the ensnared user was the intended target \u2014 each attack being aimed only at specific individuals \u2014 they would be redirected to a second domain, where the exploit would trigger.<\/p>\n Intellexa’s exploit chain involved three zero-day vulnerabilities, which have been patched<\/a> as of iOS 17.0.1. They’re tracked as CVE-2023-41993<\/a> \u2014 a remote code execution (RCE) bug in Safari; CVE-2023-41991<\/a> \u2014 a certificate validation issue allowing for PAC bypass; and CVE-2023-41992<\/a> \u2014 which enables privilege escalation in the device kernel.<\/p>\n After all three steps were complete, a small binary would determine whether to drop the Predator malware.<\/p>\n “The finding of a full zero-day exploit chain for iOS is typically novel in learning what’s currently cutting edge for attackers. Each time a zero-day exploit is caught in-the-wild, it’s the failure case for attackers \u2014 they don’t want us to know what vulnerabilities they have and how their exploits work,” the researchers noted in the email. “As a security and tech industry, it’s our job to learn as much as we can about these exploits to make it that much harder for them to create a new one.”<\/p>\n In addition to iOS, Intellexa targeted Android phones via MITM and one-time links sent directly to targets. <\/p>\n This time only one vulnerability was needed: CVE-2023-4762<\/a>, high-severity but rating 8.8 out of 10 on the CVSS vulnerability-severity scale. The flaw exists in Google Chrome<\/a> and enables attackers to execute arbitrary code on a host machine via a specially crafted HTML page. Independently reported by a security researcher and patched as of Sept. 5, Google TAG believes Intellexa was previously using the vulnerability as a zero-day.<\/p>\n The good news is the findings will send would-be attackers back to the drawing board, according to Google TAG. <\/p>\n “The attackers will now have to replace four of their zero-day exploits, which means they have to buy or develop new exploits to maintain their ability to install Predator on iPhones,” the researchers emailed. “Each time their exploits are caught in the wild, it costs attackers money, time, and resources.”<\/p>\n Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" An Israeli surveillanceware company used the three Apple zero-day vulnerabilities<\/p>\n","protected":false},"author":12,"featured_media":1801,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-1800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=881%2C923&ssl=1",881,923,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=286%2C300&ssl=1",286,300,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=640%2C671&ssl=1",640,671,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=640%2C671&ssl=1",640,671,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=881%2C923&ssl=1",881,923,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=881%2C923&ssl=1",881,923,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=881%2C923&ssl=1",881,923,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/10\/spyware-vendor-targets-egyptian-orgs-with-rare-ios-exploit-chain.jpg?fit=881%2C923&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1800"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1800\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/1801"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}3 Zero-Days in iOS, 1 Attack Chain<\/h2>\n
A Singular Vulnerability in Android<\/h2>\n