InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Spyware can collect personal information, such as Internet browsing habits and email addresses, and send it to third parties without the user’s permission.
Paragon Solutions, an Israeli cybersecurity firm co-founded in 2019 by former Israeli Defense Forces Unit 8200 commander and ex-Prime Minister Ehud Barak, has developed advanced spyware capable of infiltrating both Android and iOS devices. This spyware can access encrypted messaging apps, posing significant risks to targeted individuals.
Recent investigations by Citizen Lab have uncovered that Paragon’s spyware has been used to target journalists, humanitarian workers, and activists globally. Notably, WhatsApp notified over 90 individuals about potential spyware attacks linked to Paragon. Collaborations with some victims allowed researchers to trace the spyware’s usage across multiple continents, highlighting its extensive reach.
Specific incidents include the Ontario Provincial Police’s alleged use of Paragon’s spyware, raising concerns about surveillance practices within democratic nations. While the police assert compliance with legal standards, the deployment of such tools against civil society actors has sparked debates over privacy and human rights.
In another case, Libyan activist Husam El Gomati, based in Sweden, was alerted by WhatsApp about a spyware attack while he was sharing information on human rights abuses in Libya. This incident underscores the potential misuse of surveillance technologies against individuals documenting governmental misconduct.
The proliferation of sophisticated spyware like Paragon’s raises pressing questions about the balance between national security and individual privacy. The potential for misuse against non-threatening individuals necessitates robust oversight and regulation to prevent abuses.
As spyware technologies become more advanced, the international community must address the ethical implications of their use. Ensuring that such tools are not employed to suppress dissent or violate human rights is crucial in maintaining democratic principles and protecting civil liberties.
Ronan Farrow Exposes Secrets of High-Tech Spyware in New Film “Surveilled”
Pulitzer Prize-winning journalist Ronan Farrow and filmmaker Matthew O’Neill explore the alarming world of high-tech surveillance in their HBO documentary Surveilled. Farrow’s interest began after being tracked by Black Cube, an Israeli private intelligence firm, during his investigation of Harvey Weinstein’s misconduct. This experience led him to uncover more advanced surveillance technologies, including Pegasus spyware.
The documentary highlights Pegasus’s misuse by authoritarian regimes and democratic states like Greece, Poland, and Spain, targeting journalists and dissidents. Farrow interviews a former NSO Group employee, the makers of Pegasus, revealing its widespread abuse.
Farrow also uncovers that U.S. agencies under both the Biden and Trump administrations considered using such spyware. However, the full extent of its deployment remains unclear, raising concerns about unchecked surveillance practices globally.
Ronan Farrow Exposes Secrets of High-Tech Spyware in New Film “Surveilled”
Mercenary spyware, often employed by authoritarian regimes and criminal groups, poses a significant threat to personal data and device security. These sophisticated tools, such as NSO Group’s Pegasus, exploit zero-click vulnerabilities, enabling complete compromise of devices like smartphones without any user interaction. Victims frequently include journalists, human rights activists, opposition politicians, and other high-risk individuals targeted for their activities or affiliations.
Apple has adopted proactive measures to mitigate these threats, including real-time detection mechanisms within its iOS system. When a potential compromise is identified—often through integrity checks—the company notifies users with targeted alerts. However, the underlying detection methods remain undisclosed to prevent tipping off spyware developers. Apple also encourages affected users to activate “Lockdown Mode,” a feature designed to limit potential attack vectors by disabling specific device functions.
Despite such efforts, the challenge of countering mercenary spyware remains daunting. Companies like NSO invest heavily in discovering zero-day vulnerabilities, creating a continuous cat-and-mouse dynamic between attackers and defenders. The opaque nature of hardware designs, particularly in baseband processors, further complicates defense strategies, as these components can serve as hidden entry points for attackers.
Public awareness and accountability measures are crucial to addressing these threats. Transparency in security practices, ongoing research into vulnerabilities, and the imposition of legal restrictions on spyware developers and clients are essential steps. International cooperation is also critical, given the global nature of spyware deployments.
Ultimately, tackling the menace of mercenary spyware requires a multi-pronged approach involving technology companies, governments, and civil society. Protecting privacy and ensuring digital security for all individuals—not just high-profile targets—must remain a top priority. For more details on recent developments in detecting such spyware, visit sources like HelpNetSecurity, Schneier on Security, and 9to5Mac
Recent research shows that Predator spyware, once believed to be inactive due to U.S. sanctions, has resurfaced with improved evasion tactics. Despite efforts to curtail its usage, Predator is still being used in countries like the Democratic Republic of the Congo (DRC) and Angola, where it targets high-profile individuals. Its updated infrastructure makes it more difficult to track victims, underscoring the need for strong cybersecurity defenses. Risk mitigation strategies include regular software updates, enabling lockdown modes, and deploying mobile device management systems. As spyware becomes more sophisticated, international collaboration is crucial to regulating and limiting its spread.
Predator spyware, once linked to Intellexa, has resurfaced after a period of reduced activity, despite sanctions and exposure. The reactivated spyware infrastructure poses renewed threats to privacy and security, as operators have adopted new techniques to obscure their activities, making it harder to track and attribute attacks. With capabilities like remote device infiltration and data exfiltration, governments can secretly monitor citizens and gather sensitive information. Predator’s operators have strengthened their infrastructure by adding another layer of anonymization to their multi-tiered delivery system, making it more difficult to trace the origin and usage of the spyware. Though the attack methods, including “one-click” and “zero-click” exploits, remain similar, the increased complexity of the infrastructure heightens the threat to high-profile individuals such as politicians, executives, journalists, and activists. The expensive licensing of Predator indicates its use is reserved for strategic targets, raising concerns in the European Union, where investigations have uncovered its misuse against opposition figures and journalists in countries like Greece and Poland. To counter the threat of Predator spyware, individuals and organizations should prioritize security measures like regular software updates, device reboots, and lockdown modes. Mobile device management (MDM) systems and security awareness training are also essential in protecting against social engineering and advanced spyware attacks. As the demand for surveillance tools grows, the spyware market continues to expand, with new companies developing increasingly sophisticated tools. While there are ongoing discussions around stricter regulations, particularly following investigations by Insikt Group, the threat of spyware will persist until meaningful international action is taken.
For more detailed insights, check the full article here.
In an era where digital connectivity has become ubiquitous, the line between privacy and surveillance has blurred. Nowhere is this more evident than in the proliferation of spy apps – discreet, powerful tools that grant unprecedented access to the lives of unsuspecting individuals. From tracking location and monitoring communications to covertly capturing audio and video, these applications represent a double-edged sword in the realm of technology.
Cybersecurity journalist Joseph Cox, author of the new book Dark Wire, tells us the wild, true story behind secure phone startup Anom.
On today’s episode of Decoder, I sat down with Joseph Cox, one of the best cybersecurity reporters around. Joseph spent a long time working at Vice’s tech vertical Motherboard, but last year, after Vice imploded, he and three other journalists co-founded a new site, called 404 Media, where they’re doing some really great work.
Criminals like drug traffickers represent a market for encrypted, secure communications away from the eyes of law enforcement. In the early mobile era, that gave rise to a niche industry of specialized, secured phones criminals used to conduct their business.
Joseph’s done a ton of reporting on this over the years, and the book ends up telling a truly extraordinary story: After breaking into a few of these encrypted smartphone companies, the FBI ended up running one of these secure phone services itself so it could spy on criminals around the world. And that means the FBI had to actually run a company, with all the problems of any other tech startup: cloud services, manufacturing and shipping issues, customer service, expansion, and scale.
The company was called Anom, and for about three years, it gave law enforcement agencies around the world a crystal-clear window into the criminal underworld. In the end, the feds shut it down in large part because it was too successful — again, a truly wild story. Now, with the rise of apps like Signal, most criminals no longer need specialized hardware, but that, of course, raises a whole new set of issues.
The book is a great read, but it also touches on a lot of things we talk about a lot here on Decoder. There really are bad people out there using tech to help them do bad things, but the same tools that keep their communications private help give everyone else their privacy, too — whistleblowers, dissenters, ordinary people like you and me.
There’s a deep tension between privacy and security that constantly runs through tech, and you’ll hear us really dig into the way tech companies and governments are forever going back and forth on it. There’s a lot here, and it’s a fun one.
A consumer-grade spyware app named pcTattletale has been discovered running on the check-in systems of at least three Wyndham hotels across the United States.
This alarming discovery was made by TechCrunch, which reported that the app stealthily captured screenshots of hotel booking systems, exposing sensitive guest details and customer information.
Due to a security flaw in the spyware, these screenshots were accessible to anyone on the internet, not just the intended users of the spyware.
Sensitive Guest Information Exposed
The spyware, pcTattletale, allows remote viewing of the target’s Android or Windows device and its data from anywhere in the world.
The app runs invisibly in the background, making it undetectable to the user.
However, a significant bug in the app means that anyone who understands the security flaw can download the screenshots directly from pcTattletale’s servers.
Security researcher Eric Daigle, who discovered the compromised hotel check-in systems, attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed.
Screenshots from two Wyndham hotels revealed the names and reservation details of guests on a web portal provided by travel tech giant Sabre.
Additionally, the screenshots displayed guests’ partial payment card numbers.
Another screenshot showed access to a third Wyndham hotel’s check-in system, logged into Booking.com’s administration portal used to manage guest reservations.
Hotel And Corporate Responses
The discovery has raised serious concerns about the security measures in place at these hotels.
The manager of one affected hotel expressed surprise, stating they were unaware that the spyware was taking screenshots of their check-in computer.
The managers of the other two hotels did not respond to TechCrunch’s calls or emails.
Wyndham spokesperson Rob Myers clarified that Wyndham is a franchise organization, meaning all its U.S. hotels are independently owned and operated.
However, Wyndham did not confirm whether it was aware of pcTattletale’s use on the front-desk computers of its branded hotels or if such use was approved by Wyndham’s policies.Booking.com, whose administration portal was accessed by the spyware, stated that its systems were not compromised.
Angela Cavis, a spokesperson for Booking.com, highlighted that this incident seemed to be an example of how cybercriminals target hotel systems through sophisticated phishing tactics.
These tactics often lead to unauthorized access to hotel accounts and attempts to impersonate the hotel or Booking.com to request customer payments.
This incident is the latest example of consumer-grade spyware exposing sensitive information due to security flaws. pcTattletale, marketed for child and employee monitoring, has also been promoted for use against spouses suspected of infidelity.
The app requires physical access to the target’s device for installation and offers a service to help customers install the spyware on the target’s computer.
Despite the serious implications of this security breach, Bryan Fleming, the founder of pcTattletale, did not respond to TechCrunch’s request for comment.
The exposure of sensitive guest information at these hotels underscores the urgent need for more robust cybersecurity measures and regulatory oversight to protect personal data from unauthorized access and misuse.
As investigations continue, the hospitality industry must reassess its security protocols to prevent such breaches in the future.
Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.
Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.
Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.
AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.
The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.
Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).
Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.
There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.
This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.
Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.
Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.
In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.
We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?
Researchers in the field of information security at Horizon3 have made public the proof-of-concept (PoC) code for a major privilege escalation vulnerability (CVE-2023-26067) found in Lexmark printers. On a device that has not been patched, this vulnerability, which has a CVSS score of 8.0, might enable an attacker to get elevated access if the device is not updated.
Incorrect validation of user-supplied information is what led to the vulnerability in the system. This vulnerability might be exploited by the attacker by having the attacker make a specially crafted request to the printer. Once the vulnerability has been exploited, the attacker has the potential to get escalated rights on the device, which might give them the ability to execute arbitrary code, spill credentials, or obtain a reverse shell.
Configurations prone to vulnerability An initial Setup Wizard is shown on the display of the user’s Lexmark printer the very first time it is turned on by the user. This wizard walks the user through the process of configuring several system settings, such as the language, as well as giving them the opportunity to setup an administrative user. If the user makes the selection “Set Up Later,” the printer will provide “Guest” users access to all of the features and pages available through the web interface of the printer. If the user selects “Set up Now,” the printer will prevent them from accessing a significant portion of their accessible capability until they have authenticated themselves.
Even if the user chooses to “Set Up Later,” they still have the option of configuring their credentials using the web interface if they so want. On the other hand, a credential that is set up in this way will not, by default, impose any limits on the “Guest” account. This indicates that several critical functions, such as access to the vulnerable endpoint /cgi-bin/fax_change_faxtrace_settings, are still available to the public.
He looked at devices that were listed on Shodan as well as those that were in our client base when we were trying to determine what configuration was the one that was used in the real world the most. When you search “Lexmark 3224” on Shodan, it will display all of the printers that have the online interface accessible. The vast majority of these accessible printers were configured in a way that made them susceptible to attack. The similar pattern was seen with each of customers that integrate Lexmark printers into their own corporate networks.
Horizon3 has conducted extensive research on this vulnerability and discovered many different ways that it may be chained by cunning and smart adversaries. A article on Horizon3’s blog that was written on Friday and published on Friday gives insight on the layered complexity of this vulnerability. Take a look at the following to get an idea of what prospective attackers may do:
Credential Dumping: By exploiting this weakness, attackers are able to obtain sensitive credentials, which is the first step that might lead to more extensive and destructive breaches.
Gain Access to Reverse Shells Attackers are able to build a reverse shell after they have gained control of a device. This allows them to further extend the extent of their control and access inside a network.
Surprisingly, this vulnerability even gives attackers the ability to play music on the devices that are afflicted by the issue. Despite the fact that this may appear little, it serves to highlight the degree of power that might be achieved by exploiting this vulnerability.
Horizon3 has taken things a step further by posting a Proof-of-Concept (PoC) code on their website, which illustrates how the CVE-2023-26067 vulnerability may be exploited maliciously. The disclosure of the proof-of-concept code is a double-edged sword, despite the fact that there have been no efforts made publically known or reported to exploit this in the wild.
Firmware upgrades have been made available by Lexmark in order to fix this issue. If you own a Lexmark printer, you need to check the firmware version and make sure it is updated to the most recent version as soon as you can. On the Lexmark website, you’ll be able to discover the most recent firmware update for your printer. The vulnerability posed by this issue poses a significant risk to Lexmark printers. It is quite possible that threat actors who are resourceful and motivated will move fast to exploit this vulnerability. If you want to keep your printers safe from harm, it is essential to keep the firmware on them up to date as quickly as possible.
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.
Previously, we covered one of the campaigns that leverages USB flash drives as an initial infection vector and concentrates on the Philippines. In this blog post, we are covering two additional USB-based cyber espionage campaigns that have been observed by Managed Defense:
SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.
Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. TEMP.Hex likely conducted these attacks to collect information in support of Chinese national security and economic interests. These operations pose a risk to a variety of industries, including construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the United States.
SNOWYDRIVE Malware Infection via USB Flash Drives, Targets Oil and Gas Organizations in Asia
This campaign uses USB flash drives to deliver the SNOWYDRIVE malware. Once SNOWYDRIVE is loaded, it creates a backdoor on the host system, giving attackers the ability to remotely issue system commands. It also spreads to other USB flash drives and propagates throughout the network.
Mandiant attributes this campaign to UNC4698, a threat actor that has targeted oil and gas organizations in Asia. Once the actor has gained access to the system, they execute arbitrary payloads using the Windows Command Prompt, use removable media devices, create local staging directories, and modify the Windows registry.
SOGU Malware Infection via USB Flash Drives Across Industries and Geographies
Keeping track of your most vital belongings, such as your keys, wallet, remote controls, and even motorcycles, may be made easier with the assistance of an Apple AirTag. Yet, allegations that they were utilized to monitor individuals without first obtaining their permission threw an unfavorable light on the utilization and implementation of these technologies. It’s possible that your iPhone will warn you before you have to take any action if you have reason to believe that someone is monitoring your whereabouts via an AirTag. If you believe that you may be in danger because someone is following you without your permission and you feel that you should call law authorities, Apple may provide further information about the owner of the AirTag.
You will be notified of this
If you have an iPhone and you are being tracked by an AirTag, your phone may send you a notification that says “AirTag discovered moving with you.” This will occur if all of the following conditions are met:
The AirTag has been detached from its rightful owner. iPhone of yours is awake. When you move the AirTag, it will make a sound. This may also occur with other accessories that are compatible with Find My Network, such as AirPods, AirPods Pro, or AirPods Max. When you move any of these goods when they are not being handled by their owners, each of them will make a sound.
Verify that the Tracking Notifications feature is turned on. In the event that you do not get an alert, it is possible that you will need to complete the following procedures in order to guarantee that your tracking alerts are activated:
Go to the Settings menu, and then pick Privacy. To activate Location Services, choose Location Services from the menu. Go to the System Services menu. Put your iPhone in find mode and activate the Notable Places feature. Return to the Settings menu, and then choose Bluetooth. Bluetooth must be on. Last but not least, open the Locate My app and choose yourself. Activate the Tracking Alerts on your browser.
Try out the app called “Find My.” When AirTags get separated from their owners, they will produce a sound whenever they are moved in order to assist others in locating them. After confirming that Step 2 has finished, you may open the Locate My app and check to see if the AirTag is located if you think you may have heard an AirTag or another sound that you are unable to identify and suspect it may be an AirTag.
Make AirTag produce a sound. If you have been notified that an AirTag was traveling with you and are checking the Find My app, you have the option to play a sound on the device in order to locate it more quickly. You can monitor other people’s AirTags by using the Find My app, which you may access by touching on the alert, selecting continue, and then tapping Locate Nearby.
Check all the details about AirTag When you have the AirTag in your line of sight, you may access the information it contains on your iPhone or any other smartphone that supports NFC. You will need to bring the top of your iPhone close to the white side of the AirTag that you have located and wait for it to identify it. A notice displays beside a webpage that contains the owner’s last four digits of their phone number in addition to the AirTag’s serial number. If this is a lost AirTag, the owner may have included their contact information so that the person who found it may get in touch with them.
Inactivate the AirTag. If the owner of an AirTag disables it, they will no longer be able to see its current position or get updates about it. Just removing the battery is all that is required to deactivate the AirTag. You may do this by first opening the AirTag by depressing the button on top and then removing the battery by turning the lid counterclockwise.
You will be able to determine the position of another person’s iPhone so long as your AirTag is in close proximity to that device. And with Apple’s recent release of an official app for monitoring AirTags on Android devices, you don’t even need an iDevice to accomplish that anymore! Yet, there is one very significant exception to this rule.
With Apple Music, the Beats app, and an application for transitioning to iOS, Tracker Detect is one of the few Apple applications that can be downloaded and used on Android devices. If you wish to zero in on a specific rogue AirTag, you can use the app to play a sound on it, and you can also use the app to monitor neighboring rogue AirTags using it. From that point on, you have the option of scanning the AirTag using an NFC reader or turning it off by removing its battery. The functionality is really fundamental, despite the fact that it is rather cool looking. Since it does not have an auto-scan feature, you will not get alerts about nearby missing AirTags as you would on an iPhone. This means that in order to look for a tag, you will need to manually launch the application first. One may argue that this renders the Tracker Detect app rather worthless since a large number of individuals in the reviews part of the app believe that it ought to be able to auto-scan. Spending your day manually searching your immediate environment for AirTags every five minutes is not the most effective use of your time.
It’s not even like there are roadblocks in the way of making that happen on Android phones; all you need is Bluetooth Low Energy (BLE). And enabling auto-scanning for AirTags on non-Apple devices and having those devices participate to Apple’s Find My network would also considerably increase the success of finding AirTags in general. Download the application from the Google Play Store right now if you have an Android device and want to be able to scan AirTags with it.
The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…
…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.
Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office’s own menu bar; to run secondary programs; to create network connections; and much more.
Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn’t already know and trust.
Fighting back against cybercriminals
Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.
Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we’ll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.
As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, “At last!”
To be fair, Microsoft already had an operating system setting that you could use to turn on this safety feature for yourself, but by default it was off.
Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.
Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.
So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.
Apparently, however, these “few” turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:
Notably, many people using cloud servers (including, of course, Microsoft’s own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external servernames, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.
Remember that old joke that “the cloud” is really just shorthand for “someone else’s computer”? Turns out that there’s many a true word spoken in jest.
Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources…
…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.
Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more:
What to do?
The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents:
NSO Group, notorious makers of the notorious Pegasus spyware, has been in acquisition talks with a huge U.S. government defense contractor you’ve never heard of: L3Harris Technologies, Inc. Doesn’t that give you a warm, tingly feeling inside?
Pictured is Christopher E. “Call Me Chris” Kubasik, L3Harris’s chairman and CEO. He’s no doubt disappointed that the White House put the kibosh on the deal—especially as other bits of the government gave tacit approval (or so we’re told).
But is everything quite as it seems? In today’s SB Blogwatch, we pay attention to the man behind the curtain.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WINBOOT.AVI
“L3Harris and NSO declined to comment” A team of executives from an American military contractor quietly … in recent months [attempted] a bold but risky plan: purchasing NSO Group, the cyber hacking firm that is as notorious as it is technologically accomplished. … They started with the uncomfortable fact that the United States government had put NSO on a blacklist just months earlier [because it] had acted “contrary to the national security or foreign policy interests of the United States,” the Biden administration said. … But five people familiar with the negotiations said that the L3Harris team had brought with them a surprising message: … American intelligence officials, they said, quietly supported its plans to purchase NSO, whose technology over the years has been of intense interest to … the F.B.I. and the C.I.A. [But news of the] talks to purchase NSO seemed to blindside White House officials, [who] said they were outraged … and that any attempt by American defense firms to purchase [NSO Group] would be met by serious resistance. … While not a household defense industry name … L3Harris earns billions each year from American government contracts. … The company once produced a surveillance system called Stingray. … L3Harris and NSO declined to comment. … A spokeswoman for Avril Haines, the director of national intelligence, declined to comment. … The Commerce Department declined to give specifics about any discussions.
One arm of the government doesn’t know what another is doing? Say it ain’t so! Stephanie Kirchgaessner says it’s so—“US defence firm ends talks to buy NSO”:
“Definitive pushback” A person familiar with the talks said L3 Harris had vetted any potential deal for NSO’s technology with its customers in the US government and had received some signals of support from the American intelligence community. [But,] sources said, L3Harris had been caught off guard when a senior White House official expressed strong reservations about any potential deal. … Once L3Harris understood the level of “definitive pushback”, a person familiar with the talks said, “there was a view … that there was no way L3 was moving forward with this. … If the government is not aligned, there is no way for L3 to be aligned,” the person said.
“Could have resulted in the blacklisting being lifted” A deal for all or part of NSO would not be as simple as the two companies agreeing to terms, requiring permission from both the U.S. and Israeli governments. … NSO Group, with its Pegasus spyware, has been one of the most controversial cybersecurity companies of recent times. Pegasus is a form of software that uses zero-day or unpatched exploits to infect mobile devices. … The deal falling apart may also leave NSO in a difficult situation: With the blacklisting in place, the company is limited in whom it can sell Pegasus to and what technology it can purchase. In contrast, an acquisition by an American company could have resulted in the blacklisting being lifted.
“NSO spent years pretending they changed” WHOA: Deal … tanked. … [It] helps explain recent signs of desperation from the spyware company. [An] American defense contractor acquiring a demonstrably-uncontrollable purveyor of insecurity would be … atrocious for human rights [and] bad for … counterintelligence. … This is not a company that prioritizes America’s national security. And it doesn’t play well with our tech sector. … NSO spent years pretending they changed … while using all available tricks to hide the fact that they kept doing … risky biz and dictator deals.
ELI5? Look on u/Ozymandias606’s words, ye mighty, and despair:
“Biden visits Israel tomorrow” Pegasus is a hacking tool [that] can turn anyone’s phone into a tracking and recording device without the owner clicking a link. [It] has been sold to governments over the past several years [who] used Pegasus to spy on journalists and activists. … The Commerce Department added Pegasus’ creator to a blacklist that has been slowly choking the company. … A US defense contractor later offered to buy Pegasus – and claims they had explicit permission from US intelligence agencies to do so under a number of conditions, [which] include turning over the software’s source code to the “Five Eyes” cybersecurity alliance. … So, a handful of Western nations … were trying to control access to a cyber weapon that appears to take control of any phone in the world. … Biden visits Israel tomorrow – his first visit to the country.
Are you hinting what I think you’re hinting? This Anonymous Coward rents the curtain (but is behind on the payments): [You’re fired—Ed.]
Unfortunately, many Americans are still in denial about what the US govt routinely do. … This is simply Tiktok 2.0 (or Alstrom 3.0). … Anyone who looked at history will recognise the same pattern had happened many times already, including Alstrom in France. US will buy out any company, by force or by trickery, that took lead in any area the US deemed important.
Lockdown mode is nothing. It can’t work. If the software is compromised, letting software be the security can’t work. Every cell phone really needs to have 3 mechanical switches and a removable battery. 1 switch for power, 1 for the mic and 1 for the camera.
What next? The Combat Desert Penguin—@wolverine_salty—ponders alternative buyers:
Is Thiel interested?
Meanwhile, with a similarly snarky stance, here’s kmoser:
The Israeli surveillance firm NSO Group revealed that its Pegasus spyware was used by at least five European countries.
The controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.
NSO Group’s General Counsel Chaim Gelfand admitted that the company had “made mistakes,” but that after the abuses of its software made the headlines it has canceled several contracts.
“We’re trying to do the right thing and that’s more than other companies working in the industry,” Gelfand told members of the PEGA committee. “Every customer we sell to, we do due diligence on in advance in order to assess the rule of law in that country. But working on publicly available information is never going to be enough.”
In April, the Parliament set up a new inquiry committee investigating the use of Pegaus spyware and equivalent surveillance software used to spy of phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spain’s Prime Minister Pedro Sánchez, and Spanish political groups, Hungary, and Poland.
In February, the European Data Protection Supervisor (EDPS) authority called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection.
“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS).
“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”
Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
The bad news is that the business of digital surveillance is growing in scaring and uncontrolled way. Recently, experts spotted other surveillance malware infecting systems worldwide, such as the HERMIT spyware that was linked to an Italian firm.
If you want to read more info on the Pegasus spyware give a look at a report investigating Pegasus spyware impacts on human rights has been launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.
The report was prepared by the Information Society Department with contributions from Tamar Kaldani the former Personal Data Protection Inspector and the State Inspector of Georgia, currently serving as the first Vice-chair of the Consultative Committee of Convention 108 and Zeev Prokopets – an Israeli executive, product designer, software developer and entrepreneur.
“An investigation report released by a global consortium26 revealed that 200 journalists worldwide had been targeted using Pegasus spyware. The Office of the UN Special Rapporteur for Freedom of Expression also noted the number of victims of attempted spying through Pegasus, including Mexican journalists, human rights defenders and opposition leaders.27 “The numbers vividly show the abuse is widespread, placing journalists’ lives, those of their families and associates in danger, undermining freedom of the press and shutting down critical media,” – said Secretary-general of Amnesty International.” concludes the report. “The right to freedom of expression and information, as guaranteed by Article 10 of the Convention, constitutes one of the essential foundations of a democratic society and one of the basic conditions for its progress and the development of every individual.”
Researchers reported that threat actors leveraged a new zero-click iMessage exploit to install NSO Group Pegasus on iPhones belonging to Catalans.
Researchers from Citizen Lab have published a report detailing the use of a new zero-click iMessage exploit, dubbed HOMAGE, to install the NSO Group Pegasus spyware on iPhones belonging to Catalan politicians, journalists, academics, and activists.
The previously undocumented zero-click iMessage exploit HOMAGE works in attacks against iOS versions before 13.2.
The experts speculate the HOMAGE exploit was used since the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.
The experts at the Citizen Lab, in collaboration with Catalan civil society groups, have identified at least 65 individuals targeted or infected with spyware. 63 of them were targeted or infected with the Pegasus spyware, and four others with the spyware developed by another surveillance firm named Candiru. The researchers reported that at least two of them were targeted or infected with both surveillance software.
Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations, the threat actors also targeted family members.
The researchers also noticed that the content used in the bait SMS messages suggests access to targets personal information, including the Spanish governmental ID numbers.
“With the targets’ consent, we obtained forensic artefacts from their devices that we examined for evidence of Pegasus infections. Our forensic analysis enables us to conclude with high confidence that, of the 63 people targeted with Pegasus, at least 51 individuals were infected.” reads the report published by Citizen Lab.
“We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.”
This isn’t the first time that Catalans were targeted by the NSO Group Pegasus Spyware, Citizen Lab has previously reported “possible cases of domestic political espionage” after detecting infections with the popular surveillance software. Multiple Catalans were targeted with Pegasus through the 2019 WhatsApp attack, at the time the spyware leveraged exploits for the
CVE-2019-3568
vulnerability.
The Citizen Lab doesn’t explicitly attribute the attacks to a specific threat actor, but the nature of the targets suggests a link with Spanish authorities. All the targets were of interest to the Spanish government and experts pointed out that the specific timing of the targeting matches events of specific interest to the Spanish government.
“While we do not currently attribute this operation to specific governmental entities, circumstantial evidence suggests a strong nexus with the government of Spain, including the nature of the victims and targets, the timing, and the fact that Spain is reported to be a government client of NSO Group.” concludes the report.
An espionage attempt was made by an NSO Group customer to hack the phones of senior EU officials. Although there’s some suggestion that it might have been QuaDream—a similar Israeli spyware firm.
Commissioner for Justice Didier Reynders (pictured) seems to have been the main target, along with several of his staffers at the Directorate-General for Justice and Consumers. They were warned of the attack five months ago—by Apple.
But who ordered the hack? Might it have been the French government? In today’s SB Blogwatch, we’re shocked—SHOCKED—to discover un peu d’espionnage fratricide.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Shrimp can lobster.
“Remotely and invisibly take control of iPhones” Among them was Didier Reynders, a senior Belgian statesman who has served as the European Justice Commissioner since 2019. … At least four other [Justice and Consumers] commission staffers were also targeted. … The commission became aware of the targeting following messages issued by Apple to thousands of iPhone owners in November telling them they were “targeted by state-sponsored attackers.” … The warnings triggered immediate concern at the commission. … A senior tech staffer sent a message to colleagues with background about Israeli hacking tools: … “Given the nature of your responsibilities, you are a potential target.” … Recipients of the warnings were targeted between February and September 2021 using ForcedEntry, an advanced piece of software that was used by Israeli cyber surveillance vendor NSO Group to help foreign spy agencies remotely and invisibly take control of iPhones. A smaller Israeli spyware vendor named QuaDream also sold a nearly identical tool.
“Comes at potentially the worst possible time” It’s not totally clear why these officials were targeted or who used the malware against them. … NSO has denied that it had any involvement. … Reuters also reached out to QuaDream … but did not get any sort of comment or response. … The claims that EU officials were targeted with NSO Group software comes at potentially the worst possible time for the company as it continues to battle both legal and financial troubles, as well as multiple government investigations. … NSO is now appealing to the U.S. Supreme Court in a new effort to rid itself of a hefty lawsuit filed by … WhatsApp, [which] sued NSO in October of 2019 after the surveillance firm’s malware was allegedly discovered on some 1,400 users’ phones. … The company is also currently battling another lawsuit from Apple filed last November on similar grounds.
“Use of surveillance software” The discovery of the misuse of NSO Group’s tools certainly doesn’t help the company’s profile following the Pegasus scandal, when it was found the tool was used by governments to spy on journalists, activists, and government opponents, instead of for fighting crime. The adoption of Pegasus and other tools by government agencies led to lawmakers in the U.S. asking Apple and the FBI about the latter’s acquisition of NSO Group tools. … Meanwhile, the European Parliament will be launching a committee on April 19 to investigate the use of surveillance software in European member states.
The European Union, huh?FOHEng thinks this should be a teachable moment:
Many of these same EU people think The App Store should be forced to open, increasing the vectors for … exploits to make it into devices. They’re as stupid as some US Senators, who aren’t allowed to sideload Apps on their devices over security concerns, yet want to force Apple to allow this. They are truly delusional. … Third party stores with Apps being vetted for security? An oxymoron if ever there was one. … You think iOS third party stores are going to somehow be secure and Apps checked?
“No big deal until it happens to me.” This story has been unfolding slowly for years, yet these EU officials didn’t seem too bothered until Apple notified them about their phones being hacked. … Thanks for all the concern.
But what of Apple in all this? Heed the prognostications of Roderikus:
More fines for offering a platform that is basically compromised while being marketed as “safe.”
However,mikece is triggered by a certain word in the Reuter hed:
Throwing the adjective “Israeli” into the title is misleading as it suggest the state of Israel is somehow involved. … Blaming Israel for this is like blaming Japan for all of the Toyota Hiluxes converted into gun platforms around the world.
Yet we’ve still not dealt with the “who” question. For this, we turn to Justthefacts:
CitizenLab did some clever geographic fingerprinting, and have a list of which countries are doing this. … Out of these, the credible list is: France, Greece, Netherlands, Poland, UK, USA.
The target was the European Justice Minister from 2019 onwards. He doesn’t have military or external trade secrets. Neither the UK nor USA are impacted in any way by what goes on in his office. So it’s either France, Greece, Netherlands, Poland.
If you have a look at the heat-map produced by CitizenLab, it’s the French government snooping on the EU. What were you expecting?
Nor the “why”: What else do we know about the named victim? ffkom ffills us in: [You’re ffired—Ed.]
Didier Reynders is [one of] those politicians who have continuously undermined EU data protection laws by agreeing to sham contracts like “Safe Harbour” and “Privacy Shield,” … knowing those were contradicting EU law … and not worth the paper they were written on. He, personally, is also responsible for not enforcing … GDPR. … It serves Mr. Reynders right that his data is exposed, just as much as he has helped to expose EU citizen’s data.
The European Data Protection Supervisor authority called for a ban on the development and the use of Pegasus-like commercial spyware.
The European Data Protection Supervisor (EDPS) authority this week called for a ban on the development and the use of surveillance software like the Pegasus spyware in the EU.
Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.
The abuse of this kind of solution poses a serious threat to fundamental rights, particularly on the rights to privacy and data protection.
“It comes from the EDPS’ conviction that the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.” states the European Data Protection Supervisor (EDPS).
“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy.”
Privacy advocated and cybersecurity experts demonstrated the use of the Pegasus in surveillance campaigns worldwide targeting journalists, political figures, dissidents, and activists.
Pegasus was used by governments with dubious human rights records and histories of abusive behaviour by their state security services.
The surveillance software allows to completely take over the target device and spy on the victims. Developers of surveillance solutions leverage zero-click zero-day exploits to silently compromise the devices without any user interaction. Pegasus is known to have used KISMET and FORCEDENTRY exploits to infect the devices of the victims.
NSO Group has repeatedly claimed that its software is sold exclusively to law enforcement and intelligence agencies to fight crime and terrorism, in so-called “life-saving mission.”
According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Group’s spyware to gather intelligence without a search warrant authorizing the surveillance.
“National security cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union.” continues EDPS.
EDPS urges tight control over the use of surveillance and hacking tools to prevent and disincentive unlawful use.
Finland Ministry for Foreign Affairs revealed that devices of Finnish diplomats have been infected with NSO Group’s Pegasus spyware.
Finland’s Ministry for Foreign Affairs revealed that the devices of some Finnish diplomats have been compromised with the infamous NSO Group’s Pegasus spyware.
The diplomats were targeted with the popular surveillance software as part of a cyber-espionage campaign.
“Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.” reads a statement published by the Ministry.
According to the statement, threat actors have stolen data from the infected devices belonging to employees working in Finnish missions abroad. The attacks were spotted following an investigation that started in the autumn of 2021, anyway, according to the government experts the campaign is no longer active.
The announcement pointed out that the data transmitted or stored on diplomats’ devices are either public or classified at the lowest level of classified information (level 4).
Finland’s Ministry for Foreign Affairs warns that even if the information is not directly classified, the information itself and its source may be subject to diplomatic confidentiality.
“The Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities. The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence.” concludes the Ministry. “The Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible.”
In December, Apple warned that the mobile devices of at least nine US Department of State employees were compromised with NSO Group ‘s Pegasus spyware.
Pegasus spyware was allegedly used by governments to spy upon prominent journalists, politicians and activists.
A Google blog has revealed how the sophisticated software was used to attack iPhone users.
The software used a vulnerability in iMessages to hack into iPhones without the user’s knowledge.
The Pegasus spyware, developed by Israel’s NSO group, made headlines for being used by governments and regimes across the world including India to spy on journalists, activists, opposition leaders, ministers, lawyers and others. The spyware is accused of hacking into the phones of at least 180 journalists around the world, of which 40 are notable Indian personalities.
Now, a Google blog from the Project Zero team called the attacks technically sophisticated exploits and assessed the software to have capabilities rivalling spywares previously thought to be accessible to only a handful of nations.
The company has also faced multiple lawsuits including one in India where the Supreme Court (SC) set up a three-member panel headed by former SC judge RV Raveendran to probe whether the software was used by the government to spy on journalists and other dissidents.
Apart from India, Apple has also sued the Israeli firm after having patched its security exploit. The company was also banned in the United States after the details of the spyware were revealed. Let’s take a look at how this advanced snooping technology discretely worked on iPhones.
According to the Project Zero blog, a sample of the ForcedEntry exploit was worked upon by the team and Apple’s Security Engineering and Architecture (SEAR) group. Pegasus attacks on iPhones were possible due to the ForcedEntry exploit.
Pegasus is a spyware (Trojan/Script) that can be installed remotely on devices running on Apple ‘ s iOS & Google ‘ s Android operating systems. It is developed and marketed by the Israeli technology firm NSO Group. NSO Group sells Pegasus to ” vetted governments ” for ” lawful interception ” , which is understood to mean combating terrorism and organized crime, as the firm claims, but suspicions exist that it is availed for other purposes. Pegasus is a modular malware that can initiate total surveillance on the targeted device, as per a report by digital security company Kaspersky. It installs the necessary modules to read the user’s messages and mail, listen to calls, send back the browser history and more, which basically means taking control of nearly all aspects of your digital life. It can even listen in to encrypted audio and text files on your device that makes all the data on your device up for grabs.
A group of hackers compromised a popular London-based news website that focuses on the Middle East with the goal of hacking its visitors, according to researchers.
IMAGE: JUSTIN SETTERFIELD/GETTY IMAGES
On Tuesday, cybersecurity firm ESET published a report detailing the hacking campaign, which spanned from March 2020 until August of this year. During this time, according to the report, hackers compromised around 20 websites, including Middle East Eye, a popular independent news site that covers the Middle East and Africa and is based in the UK.
The hackers compromised these websites in what are technically known as watering hole attacks, a type of cyberattack where hackers use legitimate websites to target people who visit them. In this case, the hackers did not target all visitors of the websites, but only specific ones, according to ESET.
“We were never able to get the final payload. So it shows that attackers are very careful in the selection of the targets,” Matthieu Faou, a researcher at ESET, told Motherboard in a phone call.
Because the researchers could not retrieve the malware, “we don’t know who are the final targets,” Faou said.
ESET researchers explained in the report that the hackers also compromised several government websites in Iran, Syria, and Yemen, as well as the sites of an Italian aerospace company and a South African government owned defense conglomerate—all websites with links to the Middle East. The hackers, according to ESET, may have been customers of the Israeli spyware vendor Candiru, a company that was recently put on a denylist by the US Government.
Candiru is one of the most mysterious spyware providers out there. The company has no website, and it has allegedly changed names several times. Candiru offers “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets,” according to a document seen by Haaretz. The Israeli newspaper was the first one to report Candiru’s existence in 2019. Since then, several cybersecurity companies and groups such as Kaspersky Lab, Microsoft, Google, and Citizen Lab, have tracked its malware.
There are a range of security policies for dealing with users’ smartphones, from the most restrictive approach – no smartphone access allowed – to an open approach that allows personal phones to connect to the internal corporate network. We suggest that the right solution is somewhere in between.
You may have read about the Pegasus spyware in the news; the NSO Group’s software exploits flaws in iOS (iPhones) to gain access to data on an unsuspecting target’s phone. NSO sells Pegasus to governments, ostensibly to track criminals, but it’s often used by repressive regimes to spy on their opponents, political figures, and activists.
In the past, Pegasus infections were primarily achieved by sending a link to the victim’s phone; when the target clicked on it, they would trigger an exploit that would allow attackers to gain root access to the phone. Once the spyware obtains root access, it can read messages on apps like iMessage, WhatsApp, Telegram, Gmail and others. A sophisticated command and control network can report back to the operator and control the phone as well.
