Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware

Citizen Lab and Google’s TAG revealed that the three recently patched Apple zero-days were used to install Cytrox Predator spyware.

Researchers from the Citizen Lab and Google’s Threat Analysis Group (TAG) revealed that the three Apple zero-days addressed this week were used as part of an exploit to install Cytrox Predator spyware.

Apple this week released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple actively exploited zero-days in Apple products that were exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

CVE-2023-41993 is an arbitrary code execution issue that resides in the Webkit.

An attacker can trigger the flaw by tricking the victim into visiting specially crafted web content that may lead to arbitrary code execution. The IT giant addressed the flaw with improved checks.

The second zero-day flaw, tracked as CVE-2023-41991, resides in the Security framework. An attacker can exploit this vulnerability to bypass signature validation using malicious apps. The company fixed the vulnerability by fixing a certificate validation issue.

The third zero-day, tracked as CVE-2023-41992, resides in the Kernel Framework. A local attacker can trigger the flaws to elevate their privileges. Apple fixed the flaw with improved checks.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.” reads the advisory published by the company.

According to Citizen Lab and Google’s Threat Analysis Group (TAG) researchers, threat actors exploited the zero days to target former Egyptian MP Ahmed Eltantawy after he announced his candidacy in the presidential election in 2024.

Threat actors attempted to hack Eltantawy’s device between May and September 2023. The attackers sent decoy SMS and WhatsApp messages to the victim.

“In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.” reads the report published by Citizen Lab. “During our investigation, we worked with Google’s Threat Analysis Group (TAG) to obtain an iPhone zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install Predator on iOS versions through 16.6.1. We also obtained the first stage of the spyware, which has notable similarities to a sample of Cytrox’s Predator spyware we obtained in 2021. We attribute the spyware to Cytrox’s Predator spyware with high confidence.”

Google TAG researchers provided details about the iOS exploit chain that was executed by the attackers after the target was redirected to specially crafted web pages. The CVE-2023-41993 flaw is exploited to gain initial remote code execution (RCE) in the Safari browser, then the CVE-2023-41991 issue is used to bypass signature validation, and the vulnerability CVE-2023-41992 is used to escalate privilege to Kernel.

The exploit chain allows attackers to run a small binary to determine whether or not to install the full Predator implant. TAG experts explained that they were unable to capture the full Predator implant.

“The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.” reads the analysis published by Google TAG. “We assess that Intellexa was also previously using this vulnerability as a 0-day.”

Citizen Lab linked the attacks to the Egyptian government, which is known to be Cytrox’s customer. The researchers also noticed that the surveillance software was delivered via network injection from a device located physically in Egypt.

It was not the first time that the Eltantawy’s phone was infected with Cytrox’s Predator spyware. The first time that Eltantawy’s iPhone was infected with the Cytrox spyware was in November 2021.

Citizen Lab urged all Apple users to update their devices immediately and enable Lockdown Mode.

“This campaign is yet another example of the abuses caused by the proliferation of commercial surveillance vendors and their serious risk to the safety of online users.” concluded the popular TAG researchers Maddie Stone.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)