Information Security News|Cyber Security|Hacking Tutorial https://www.securitynewspaper.com/
Information Security Newspaper|Infosec Articles|Hacking News

New spyware QuaDream is a replacement of Pegasus software used to hack iPhones remotely
https://www.securitynewspaper.com/2023/04/11/new-spyware-quadream-is-replacement-of-pegasus-software-used-to-hack-iphones-remotely/
Tue, 11 Apr 2023 22:35:56 +0000

Security researchers have uncovered new spyware with hacking capabilities comparable to those of Pegasus, the tool developed by NSO Group. The software, sold by an Israeli firm named QuaDream, has previously been used by its customers to target journalists, political opposition figures and an NGO employee.

The spyware was delivered to victims' phones when its operators, believed to be government customers, sent them an iCloud calendar invitation. The attacks took place between 2019 and 2021, and the spyware itself is known as Reign.

A phone infected with Reign can, like one infected with Pegasus, record conversations taking place near the device, read messages stored in encrypted messaging apps, listen in on phone calls, track the user's location and generate two-factor authentication codes on the iPhone in order to break into the user's iCloud account.

The disclosure is another blow to Apple, which markets its security measures as among the best in the world. Reign appears to pose a significant threat to the security of the company's phones.


QuaDream's spyware reaches the target iPhone through the iCloud calendar invitation itself, sent by operators believed to be government customers. Because the invitations were backdated to events that had already occurred, the phone processed them without alerting the user, so the targets never saw them.

Because the phone's user does not have to click a malicious link or take any other action to be infected, this kind of attack is known as a "zero-click" attack.

Once a device is infected, the spyware can record nearby conversations by taking control of the microphone, read messages sent through encrypted applications, listen in on phone calls and monitor the user's location.

The malware can also generate two-factor authentication tokens on the iPhone in order to log in to the user's iCloud account, which lets the operator exfiltrate data directly from iCloud, a significant advantage. Unlike NSO Group, QuaDream keeps a low public profile: the firm has no website and lists no other contact details. The email address of Israeli attorney Vibeke Dank appeared on QuaDream's business registration form; she did not respond to a request for comment.

Citizen Lab did not name the individuals targeted with Reign, but said that more than five victims were located in North America, Central Asia, South-East Asia, Europe and the Middle East, and described them as journalists, political opposition figures and an NGO employee. Citizen Lab also said it had identified Reign operator locations in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates and Uzbekistan.

QuaDream was briefly mentioned in a security report published in December 2022 by Meta, Facebook's parent company, which described it as an Israeli startup founded by former NSO employees.

At the time, Meta said it had removed 250 Facebook and Instagram accounts linked to QuaDream, which it believed the spyware maker was using to test its capabilities with fake accounts. Those capabilities included exfiltrating text messages, images, video files and audio files.

The discovery of Reign underscores the continued spread of powerful hacking tools even as NSO Group, developer of one of the world's most sophisticated cyberweapons, has come under intense scrutiny and been placed on a US export blacklist by the Biden administration, likely limiting its access to new clients.

Seifan: See the version of Pegasus spyware software designed just for Police
https://www.securitynewspaper.com/2022/08/05/seifan-see-the-version-of-pegasus-spyware-software-designed-just-for-police/
Fri, 05 Aug 2022 18:18:19 +0000

Details and screenshots of a version of the Pegasus spyware designed for the Israeli police have been leaked. Within the police the tool went by a different name: Seifan.

The spyware's capabilities ranged from listening to any phone call on a victim's phone and reading text messages to remotely activating the microphone and camera without the victim's knowledge. It could also collect location data, the contacts list, SMS, WhatsApp messages, emails, instant messages, incoming and outgoing call logs and calendar entries, make remote recordings and use the camera remotely.

Earlier, the former Israeli police commissioner had said that "the police don't have Pegasus". An investigative committee led by the courts, set up to check whether the police had used the spyware to hack into people's phones without authorisation, subsequently found that the police did have Seifan.

The inquiry found that, although no eavesdropping had taken place without a court order, the spyware had been deployed since 2016 and the phone data collected went beyond what the court orders legally allowed; the police still hold that information in the databases of its cyber department.

According to the Israeli newspaper Haaretz, the leaked presentation included screenshots of the spyware covertly monitoring "protected messages" as well as voice and text chats on modern smartphones. Once a phone was infected, the police had complete control over it.

The spyware and the capabilities of the police system were at one point presented to cabinet ministers. Screenshots from the prototype of the system the police intended to use were included in the presentation and show the NSO logo and the product name Pegasus itself.

Another Seifan capability, "volume listening", is considered far more intrusive: it means listening to calls in real time by remotely activating the phone's microphone, rather than intercepting them through the phone's SIM card. This type of wiretapping requires an order from a district court president or their deputy.

Education and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia were being spied on since 2013
https://www.securitynewspaper.com/2022/06/09/education-and-telecommunication-organizations-based-in-singapore-hong-kong-vietnam-cambodia-and-australia-were-being-spied-on-since-2013/
Thu, 09 Jun 2022 22:34:54 +0000

Researchers at SentinelLabs report the discovery of a previously undocumented Chinese-speaking hacking group, tracked as Aoqin Dragon, that has been active since 2013. According to the researchers, the group focuses on cyber espionage against government, educational and telecommunications organizations in Australia, Hong Kong, Singapore, Vietnam and Cambodia.

The group's main attack method between 2012 and 2015 involved Microsoft Office documents crafted to exploit known vulnerabilities such as CVE-2012-0158 and CVE-2010-3333. The same tactic was first observed in 2014 in a phishing campaign attributed to the Advanced Persistent Threat (APT) operation known as Naikon.

SentinelLabs identified a second infection method used by Aoqin Dragon: malicious executables disguised with the icons of fake antivirus products. Once run, the executable dropped a malware sample on the affected system.

From 2018 the group abandoned these tactics in favour of a removable-disk shortcut (.lnk) file; clicking the shortcut triggers a DLL hijack and loads an encrypted payload that installs a backdoor. The backdoor runs under the name "Evernote Tray Application" and is executed at system startup; if any removable drives are detected, a copy of the payload is written to them to spread the infection.

SOURCE: SentinelLabs

At least two backdoor variants used by the group have been identified. The first, known as Mongall, is a DLL injected into memory, protected with encryption and under continuous maintenance since it first appeared in 2013. It profiles the host and sends the details to the command-and-control (C&C) server over an encrypted channel.

The second, Heyoka, is an open-source exfiltration tool that uses spoofed DNS requests to build a two-way communication tunnel. The group uses Heyoka to copy files out of compromised devices while avoiding detection by the affected system administrators in the early stages of the intrusion.
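A Heyoka-style DNS tunnel leaves a recognisable footprint in resolver logs: a burst of queries for many distinct, long, high-entropy subdomains under a single parent domain, often using record types such as TXT or NULL that carry free-form payloads. The following script is an added example, not code from SentinelLabs or from the Heyoka project; it scores each parent domain in a constructed resolver log (the log format, hostnames and thresholds are assumptions made for the example) and flags those whose query pattern looks like tunnelled data.

```python
import math
from collections import Counter, defaultdict

# Record types DNS tunnels commonly abuse because their answers carry free-form payloads.
EXOTIC_QTYPES = {"TXT", "NULL", "CNAME"}

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>", one query per line.
# The traffic is invented for this example: tunnel-host.test stands in for a tunnel
# endpoint, and each of its subdomains carries 32 hex characters of encoded data.
SAMPLE_LOG = """\
2022-06-09T10:00:01Z 10.0.0.5 A    www.example.com
2022-06-09T10:00:02Z 10.0.0.5 A    mail.example.com
2022-06-09T10:00:03Z 10.0.0.5 AAAA www.example.com
2022-06-09T10:00:04Z 10.0.0.5 A    api.example.com
2022-06-09T10:00:05Z 10.0.0.5 TXT  _dmarc.example.com
2022-06-09T10:00:06Z 10.0.0.9 A    d1a2b3c4e5f6a7b8.cdn-assets.test
2022-06-09T10:00:07Z 10.0.0.9 A    d1a2b3c4e5f6a7b8.cdn-assets.test
2022-06-09T10:01:01Z 10.0.0.7 TXT  0123456789abcdef.fedcba9876543210.tunnel-host.test
2022-06-09T10:01:02Z 10.0.0.7 TXT  02468ace13579bdf.13579bdf02468ace.tunnel-host.test
2022-06-09T10:01:03Z 10.0.0.7 A    0f1e2d3c4b5a6978.8796a5b4c3d2e1f0.tunnel-host.test
2022-06-09T10:01:04Z 10.0.0.7 TXT  a0b1c2d3e4f56789.9876f5e4d3c2b1a0.tunnel-host.test
2022-06-09T10:01:05Z 10.0.0.7 TXT  048c159d26ae37bf.159d26ae37bf048c.tunnel-host.test
2022-06-09T10:01:06Z 10.0.0.7 A    c840d951ea62fb73.37bf26ae159d048c.tunnel-host.test
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Split one log line into its four fields, or return None for junk lines."""
    fields = line.split()
    if len(fields) != 4:
        return None
    ts, client, qtype, qname = fields
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname}


def split_qname(qname: str):
    """Return (parent, subdomain). Parent is the last two labels: a crude stand-in
    for the registrable domain (a real deployment should use the Public Suffix List
    so that e.g. example.co.uk is handled). Names with no subdomain return None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text: str):
    """Aggregate per-parent-domain statistics over the whole log."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_sum": 0, "entropy_sum": 0.0, "exotic": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = split_qname(rec["qname"])
        if parts is None:
            continue
        parent, sub = parts
        compact = sub.replace(".", "")          # judge the payload, not the dots
        s = stats[parent]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["len_sum"] += len(compact)
        s["entropy_sum"] += shannon_entropy(compact)
        if rec["qtype"] in EXOTIC_QTYPES:
            s["exotic"] += 1
    return stats


def suspicious_domains(log_text: str, min_unique=5, min_avg_len=30,
                       min_entropy=3.0, min_unique_ratio=0.8, exotic_ratio=0.5):
    """Map each parent domain that looks like a tunnel to the reasons it was flagged."""
    flagged = {}
    for parent, s in profile_domains(log_text).items():
        q = s["queries"]
        uniq = len(s["subdomains"])
        avg_len = s["len_sum"] / q
        avg_ent = s["entropy_sum"] / q
        reasons = []
        # Many never-repeated, long, high-entropy subdomains: data encoded in the qname.
        if (uniq >= min_unique and uniq / q >= min_unique_ratio
                and avg_len >= min_avg_len and avg_ent >= min_entropy):
            reasons.append(f"{uniq} unique subdomains, avg length {avg_len:.0f}, "
                           f"avg entropy {avg_ent:.2f} bits/char")
        # Mostly payload-carrying record types: the downstream half of the tunnel.
        if q >= min_unique and s["exotic"] / q >= exotic_ratio:
            reasons.append(f"{s['exotic']}/{q} queries use {'/'.join(sorted(EXOTIC_QTYPES))}")
        if reasons:
            flagged[parent] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in suspicious_domains(SAMPLE_LOG).items():
        print(f"[!] {domain}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the constructed log, only tunnel-host.test is reported, on both counts; example.com (few, short, low-entropy names) and cdn-assets.test (one hash-like name queried twice) are not. Treat the thresholds as a starting point for triage rather than a blocklist: CDNs, antivirus cloud lookups and some telemetry also produce hash-like subdomains, and a patient tunnel can stay under the per-domain query counts by spreading traffic across several parent domains, so the counts are best computed per client over a time window.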

Aoqin Dragon is an unusual case in that it went unnoticed for almost ten years, thanks to the continuous evolution of its tooling and its periodic changes of tactics; it is therefore highly likely that the group will change its behaviour again in the near future.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

More than 200 apps on Play Store with millions of downloads are stealing users' passwords and sensitive information
https://www.securitynewspaper.com/2022/05/17/more-than-200-apps-on-play-store-with-millions-of-downloads-are-stealing-users-passwords-and-sensitive-information/
Tue, 17 May 2022 19:28:16 +0000

Researchers at Trend Micro have identified a set of mobile apps on the Google Play Store that perform malicious tasks in the background, including stealing credentials and banking details from Android users. Some of these apps have close to 100,000 downloads, so the scope of the problem is considerable.

In total, the analysis identified 200 malicious applications that hide the code of dangerous malware families capable of putting users of the affected devices in serious trouble.

Simple tools, complex issues

One of the main threats identified is Facestealer, spyware that steals Facebook login credentials, which are then used for phishing campaigns, social engineering and invasive advertising. Facestealer is constantly updated and exists in multiple versions, which makes it easier for new variants to slip into the Play Store.

Daily Fitness OL is presented as a fitness tool offering exercise routines and demonstration videos. Nothing seems wrong with the app on the surface, but a deeper analysis shows that its code hides a Facestealer payload.

When the user opens the app, it sends a request to hxxps://sufen168.space/config to download an encrypted configuration. That configuration tells the app to prompt the user to log in to Facebook, after which the app launches a WebView that loads a malicious URL. A snippet of JavaScript is then injected into the loaded page, allowing the user's credentials to be captured.

Once the user logs in to Facebook, the app collects the session cookies, encrypts the stolen data and sends it to a remote server.

Other malicious apps, such as Enjoy Photo Editor and Panorama Camera, also hide Facestealer payloads and follow a very similar attack process, although some stages or methods may vary.

Risk for crypto investors

The researchers also identified more than 40 fraudulent cryptocurrency apps that pose as legitimate tools, copying their branding or using similar names. Their developers aim to get victims to buy supposed premium versions at high prices through fake advertising.

Apps such as "Cryptomining Farm Your Own Coin" show no invasive behaviour even in test environments, so they slip past the Play Store's security checks. However, when the user tries to connect a Bitcoin wallet to the app, a message asks for the wallet's private keys, a clear red flag that something is wrong.

A sample of the code was built with Kodular, a free online suite for mobile app development; Trend Micro notes that most of the fake cryptocurrency apps use the same framework.

The analysed app merely loads a website and has no functionality to simulate mining processes or cryptocurrency transactions.

The loaded website invites users to take part in a cloud-mining project, which is the real start of the attack. The threat actors then ask users to link a digital wallet to the site in order to collect their private keys, which are subsequently sent on without any encryption at all.

Although the malicious apps were reported to Google and have been removed from the official store, the researchers believe the company must considerably improve the Play Store's security measures, since many malware developers keep finding ways around the store's defences, putting millions of users at risk.

This new malware has a keylogger, ransomware and can perform DDoS attacks
https://www.securitynewspaper.com/2022/04/04/this-new-malware-has-a-keylogger-ransomware-and-can-perform-ddos-attacks/
Mon, 04 Apr 2022 21:14:32 +0000

Security researchers report the discovery of a new remote access Trojan (RAT) that, beyond the usual functions of this class of malware, also has spyware and ransomware capabilities.

Borat RAT, named after the character played by comedian Sacha Baron Cohen, is sold to all kinds of threat actors through hacking forums on the dark web, according to researchers at cybersecurity firm Cyble Research.

The researchers note that the Trojan is packaged with a builder, feature modules and a server certificate. Its capabilities are extensive: a keylogger, a ransomware component that can encrypt and decrypt files, an option for attackers to write their own ransom notes, and a function for launching distributed denial-of-service (DDoS) attacks.

In addition, Borat RAT can remotely record audio from the infected machine by taking control of its microphone, capture webcam images and perform other remote-control functions, including hijacking the mouse and keyboard, taking screenshots, changing settings and deleting files.

After installation, the malware collects data from the affected environment and sends it to a command-and-control (C&C) server run by the attackers. Borat RAT focuses on browser data, including cookies, browsing history, bookmarks, favourites and saved credentials; Chrome and Microsoft Edge profiles and Discord tokens are specifically targeted.

The researchers add that Borat can also harass victims in many other ways, since it lets attackers perform all sorts of annoying actions such as playing audio, altering mouse settings, hiding the taskbar, manipulating the computer's LED lights and even shutting it down unexpectedly, although the main risk lies in its advanced functions, which are uncommon for a RAT.

This Mexican businessman was charged for selling phone interception tools and spyware to companies and government agencies in Latin America
https://www.securitynewspaper.com/2022/02/16/this-mexican-businessman-was-charged-for-selling-phone-interception-tools-and-spyware-to-companies-and-government-agencies-in-latin-america/
Wed, 16 Feb 2022 19:19:24 +0000

The U.S. Department of Justice (DOJ) has announced that Mexican businessman Carlos Guerrero pleaded guilty to conspiracy to sell and use hacking tools while serving as director of a commercial consortium he also owned. Between 2014 and 2017, Guerrero arranged the purchase of various hacking, surveillance and geolocation tools developed by firms based in Italy and Israel, then resold them to other businessmen and even to representatives of the Mexican government.

The defendant marketed all sorts of tools and software, including Wi-Fi jammers and interceptors, IMSI catchers, spyware and tools for hacking messaging services such as WhatsApp, to potential customers in Mexico and the United States. According to the DOJ, many of his clients were politically and financially motivated.

Besides selling these tools, the defendant himself used some of them to intercept the phone calls and emails of a rival business consortium in Baja California, Mexico, in a job worth nearly $25,000 USD.

U.S. Attorney Randy Grossman said, "This guilty plea will help stop the proliferation of digital tools used to compromise the safety of U.S. and Mexican citizens." The prosecutor also reiterated his commitment to detecting and disrupting cybercriminal operations in collaboration with other government agencies.

So far it is not known which companies and government agencies bought the software Guerrero sold, nor which companies sold him the tools. More information may be revealed when the case closes. Guerrero is awaiting sentencing.

How the king of Dubai used money from his country to spy on his ex-wife and her lawyers
https://www.securitynewspaper.com/2021/10/08/how-the-king-of-dubai-used-money-from-his-country-to-spy-on-his-ex-wife-and-her-lawyers/
Fri, 08 Oct 2021 23:05:00 +0000

A dispute within the royal family of the United Arab Emirates (UAE) became a cybersecurity and privacy issue after a Citizen Lab researcher accused Sheikh Mohammed bin Rashid al-Maktoum of having the smartphones of his wife and her lawyers infected with the controversial Pegasus spyware developed by NSO Group.

The sheikh and Princess Haya bint al-Hussein are in the middle of a legal dispute over custody of their two children, and the ruler is said to have ordered a UAE intelligence agent to infect the princess's smartphone with Pegasus, along with the phones of the British lawyers advising her in the case. The matter has already reached the British government, which called the intrusion a serious breach.

As some will recall, Pegasus is a surveillance tool capable of collecting virtually any data from an affected device, chiefly smartphones. The Israeli firm NSO Group sells it to all kinds of state clients, mainly the intelligence agencies of repressive governments.

William Marczak, a senior researcher at Citizen Lab, was called to testify in Princess Haya's case and stated that UAE agents had no qualms about following Sheikh Mohammed's orders and infecting the princess's smartphone.

The researcher explained that he himself confirmed the use of Pegasus through forensic analysis of the infected smartphones, after first becoming suspicious when he spotted an IP address belonging to the law firm Payne Hicks Beach among a set of IP addresses of possible victims while Citizen Lab was analysing Pegasus.

The testimony is another example of how powerful the spyware vendor has become, with clients ranging from the rulers of very poor countries to those of the richest. Marczak added that he could not think of another case where forensics had confirmed Pegasus being used in this way, though there must surely be others.

NSO Group, for its part, claims to have cancelled its contract with the UAE after discovering how Pegasus was being used, a claim that has been met with widespread disbelief.

Unjustified: Former NSA employees who created Pegasus-like tools for UAE will pay $1.6 million to avoid jail time
https://www.securitynewspaper.com/2021/09/15/unjustified-former-nsa-employees-who-created-pegasus-like-tools-for-uae-will-pay-1-6-million-to-avoid-jail-time/
Wed, 15 Sep 2021 16:12:56 +0000

In a controversial decision, the U.S. Department of Justice (DOJ) announced that it had reached an agreement with three former U.S. intelligence operatives, who will pay a seven-figure fine for their work with the government of the United Arab Emirates (UAE) developing sophisticated espionage tools.

Marc Baier (49), Ryan Adams (34) and Daniel Gericke (40) will pay a total of $1.6 million after admitting their participation in Project Raven, a UAE government programme to spy on activists, dissidents and political opponents using hacking tools deployed on the smartphones of persons of interest. Under the agreement, the three avoid time in federal prison.

Investigative and journalistic organisations began digging into Project Raven after one of the developers raised concerns about the kind of activities the UAE government required them to perform.

According to the DOJ, the three were part of the management of a UAE-based company, from where they developed Pegasus-like hacking tools and organised the attacks: "Their functions included the direction, deployment and supervision of advanced intelligence work and 'zero-click' hacking," the report states. As readers may recall, a zero-click attack lets attackers compromise a system without any interaction from the target, which is why it is considered especially dangerous.

Within Project Raven, the hacking tools developed by the defendants were known as KARMA and KARMA 2. They could obtain login credentials, messages, call history and authentication tokens issued by email providers, cloud storage services and social media platforms.

The defendants also ignored a U.S. government warning and violated export control laws, since they never obtained a licence for the services they provided, which included cryptanalytic work, and their targets included some U.S. citizens.

Baier must pay $750,000 USD, Adams $600,000 USD and Gericke $335,000 USD, and all three must cooperate with the Federal Bureau of Investigation (FBI) in any further investigations related to their participation in Project Raven. The agreement also bars the defendants from seeking any work related to national security, computer infrastructure development or defence matters in the U.S.

Although the penalty has drawn criticism, the settlement has been approved by the DOJ, making the decision final.

This is how you can infect with Pegasus spyware an iPhone or iPad without even touching it. Published evidence
https://www.securitynewspaper.com/2021/08/24/this-is-how-you-can-infect-with-pegasus-spyware-an-iphone-or-ipad-without-even-touching-it-published-evidence/
Tue, 24 Aug 2021 22:31:29 +0000

A recent report by Citizen Lab describes a new zero-day attack on Apple's iMessage used to infect devices with the dangerous Pegasus spyware developed by NSO Group. The wave of attacks was detected in Bahrain, with at least nine targets identified so far, all activists and all iPhone users.

The spyware was installed on these devices through two zero-click iMessage exploits; "zero-click" means that exploiting the vulnerabilities requires no interaction from the targeted user. The exploits used in this campaign are known as FORCEDENTRY and the 2020 KISMET exploit.

The researchers documented a Pegasus infection on an iPhone Pro Max running iOS 14.6, the latest version of iOS at the time, showing that these zero-click attacks are fully functional even on the latest Apple devices.

As you may recall, NSO Group sells Pegasus primarily to state actors, including governments known for persistent violations of the human rights of political opponents, activists and journalists.

One might think the risk of infection could be mitigated simply by disabling iMessage and FaceTime, but NSO Group can compromise many other functions or applications on the device, including the popular messaging app WhatsApp.

Given all this, the only way to eliminate the risk definitively is for Apple to fix the flaws exploited by FORCEDENTRY and KISMET. Until then, NSO Group can keep racking up successful attacks.

This is just one more entry in the long list of scandals involving NSO Group. A couple of years ago, Facebook sued the Israeli company over the use of a zero-day exploit to compromise smartphones via WhatsApp; that attack targeted people of interest such as diplomats, journalists and activists.

Although Pegasus's existence and purpose have been known for years, the spyware returned to the headlines after a report by the non-governmental organisation (NGO) Amnesty International revealed details such as NSO Group's government clients and the possible targets of infection.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post This is how you can infect with Pegasus spyware an iPhone or iPad without even touching it. Published evidence appeared first on Information Security Newspaper | Hacking News.

Nigeria spends more than any other African country in spying on its citizens
https://www.securitynewspaper.com/2021/08/18/nigeria-spends-more-than-any-other-african-country-in-spying-its-citizens/
Wed, 18 Aug 2021 22:47:03 +0000


Although this was major news a few years ago, Israeli tech firm NSO Group and its sophisticated Pegasus spyware have once again grabbed headlines after Amnesty International published a report claiming that the governments of dozens of countries had purchased the company’s services in order to keep political rivals, journalists, activists and dissidents under close surveillance.

One of the main revelations in this case is the leak of a list of 50,000 phone numbers identified as potential Pegasus targets since 2016. Not all of the people on the list were actually infected, but the list indicates that countries such as Nigeria, Saudi Arabia, India and Morocco are among NSO Group’s top customers worldwide.

In the past, state intelligence organizations such as the U.S. National Security Agency (NSA) developed advanced systems to gather information for specific purposes, drawing on all kinds of sources, primarily online search logs and social media activity. NSO Group raised the stakes with Pegasus, a powerful spyware capable of extracting virtually everything from a compromised device, including text messages, documents, images, videos and system information.

The tool was ostensibly developed for national security purposes, but that did not stop the rulers of several countries from using Pegasus for unrelated ends. In the case of Nigeria, the tool was reportedly used for years to compile lists of people critical of the government, going as far as harassing multiple activists and political opponents.

In response, the company issued a statement categorically denying that the solutions developed by its teams are intended to spy on people of interest, adding that the allegations rest on unconfirmed theories and come from sources of questionable credibility.

Still, NSO Group appears to contradict itself by not denying that the technology may have been abused and by pledging to investigate the allegations: “We will analyze the credible allegations about the abusive use of our solutions and act according to the results obtained. Among the possible consequences is the interruption of access provided to certain customers; we have done this in the past and we will not hesitate to implement it again,” says a brief statement from the company.


The post Nigeria spends more than any other African country in spying its citizens appeared first on Information Security Newspaper | Hacking News.

New urgent iPhone update can’t protect you from Pegasus spy software
https://www.securitynewspaper.com/2021/07/22/new-urgent-iphone-update-cant-protect-you-from-pegasus-spy-software/
Thu, 22 Jul 2021 23:23:58 +0000

Apple has released an emergency update addressing several recently discovered security flaws, including two that can be exploited remotely. iPhone and iPad users need to upgrade to iOS 14.7. However, the patches do not include a fix for the flaw that allows Pegasus spyware to be installed on Apple devices: the most recent reports indicate that threat actors are abusing a zero-day vulnerability in iMessage to install the infamous spyware on exposed devices.

The emergency update addresses a total of 40 flaws, 37 of which affect only the iPhone. The most severe of them would allow remote threat actors to execute arbitrary code with root privileges on the affected device.

Apple says it is not aware of any reports of active exploitation, but the risk to government agencies is considered critical, so the update should be installed as soon as possible.

Some of the most important patches address flaws in WebKit, the Safari browser engine. All four of these vulnerabilities (CVE-2021-30758, CVE-2021-30795, CVE-2021-30797 and CVE-2021-30799) stem from type confusion, use-after-free and memory corruption bugs.

Apple’s report includes a list of the 40 flaws addressed in this emergency update.
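The practical question for anyone managing a fleet of Apple devices is which of them are still below the fixed version. The following is an added example, not code from the original article or from Apple: it compares iOS version strings as numeric tuples rather than as text (so that 14.10 is correctly treated as newer than 14.7 and 14.6.1 as older) and reports, for a constructed inventory, which devices remain exposed to the four WebKit CVEs named above. The inventory, device names and the assumption that all four CVEs are fixed in iOS 14.7 are illustrative assumptions for this example.

```python
"""Added example (not from the article): triage a device inventory against
an iOS security update by comparing version tuples, not version strings."""
from dataclasses import dataclass

# Assumption for this example: the four WebKit CVEs the article names are
# fixed in the iOS 14.7 release it discusses.
PATCHED_IOS = "14.7"
WEBKIT_CVES = (
    "CVE-2021-30758",
    "CVE-2021-30795",
    "CVE-2021-30797",
    "CVE-2021-30799",
)


@dataclass(frozen=True)
class Device:
    name: str
    ios_version: str


def parse_version(v: str) -> tuple[int, ...]:
    """'14.6.1' -> (14, 6, 1). Rejects junk such as '14.x' or '' so that an
    unparseable version is never silently treated as patched."""
    parts = v.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = PATCHED_IOS) -> bool:
    """True when installed < fixed. Tuples compare element by element, and a
    shorter tuple that is a prefix of a longer one sorts first, so
    (14, 6, 1) < (14, 7), (14, 10) > (14, 7) and (14, 7) < (14, 7, 1)."""
    return parse_version(installed) < parse_version(fixed)


def triage(devices, fixed=PATCHED_IOS):
    """Map each device name to the list of CVEs it is still exposed to.
    Devices whose version cannot be parsed are flagged rather than skipped."""
    report = {}
    for d in devices:
        try:
            exposed = is_vulnerable(d.ios_version, fixed)
        except ValueError:
            report[d.name] = ["unknown version; treat as exposed"]
            continue
        report[d.name] = list(WEBKIT_CVES) if exposed else []
    return report


# Constructed inventory for the example; these are not real devices.
SAMPLE_FLEET = [
    Device("ceo-iphone", "14.6"),
    Device("press-office-ipad", "14.7"),
    Device("field-iphone", "14.5.1"),
    Device("lab-iphone", "14.10"),  # plain string compare would call this "old"
    Device("loaner", "14.x"),       # malformed: must be flagged, not ignored
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_FLEET).items():
        print(f"{name}: {'OK' if not cves else ', '.join(cves)}")
```

The same comparison applies to any minimum-version check; the point of the tuple comparison is that a text comparison such as `"14.10" < "14.7"` evaluates to True and would misclassify a newer build as unpatched.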

Besides installing the update, the following general recommendations reduce the risk of exploitation:

  • Run any tool as a non-privileged user
  • Avoid downloading files or applications from unknown sources
  • Do not visit suspicious-looking sites or sites of dubious reputation

Although the update was released earlier this week, Apple has withheld technical details about these flaws because of the risk of ongoing exploitation. This is standard practice in the security community: it limits mass exploitation of zero-day flaws while users are still patching.

For the cybersecurity community, this is a red flag that Apple should take seriously, rather than merely fixing the flaws found in iMessage. Dirk Schrader, cybersecurity specialist, believes: “No device or operating system is 100% free from failures; this is a clear example that Apple needs to rethink its current approach to security, which researchers, manufacturers and users often consider more secure than their counterparts.”


The post New urgent iPhone update can’t protect you from Pegasus spy software appeared first on Information Security Newspaper | Hacking News.

50,000 journalists and important people’s iPhones and Android phones were hacked using Pegasus spyware
https://www.securitynewspaper.com/2021/07/19/50000-journalists-and-important-peoples-iphones-and-android-phones-were-hacked-using-pegasus-spyware/
Mon, 19 Jul 2021 18:20:58 +0000


Amnesty International, in collaboration with the non-profit project Forbidden Stories, has published a report on spyware developed by the Israeli firm NSO Group. According to the report, the tool is capable of extracting information from iPhones running the latest version of iOS by means of zero-day iMessage exploits.

The report states that the spyware was detected on an activist’s iPhone X running iOS 14.6 on June 24. The device, which was fully up to date, had been infected through a zero-click attack.

Representatives of the non-governmental organization (NGO) also reported their findings to Apple. “These attacks are highly sophisticated, require an investment of millions of dollars, and are used to target specific individuals,” said Ivan Krstić, director of security engineering at Apple. Krstić added that while this is not a threat to most iPhone users, Apple will keep working to prevent these attacks from reaching people targeted by authoritarian governments or facing criminal threats.

It is worth mentioning that Amnesty International is not the only organization to have documented NSO Group’s surveillance technology. Citizen Lab recently released a report on the use of Pegasus confirming that an iPhone 12 Pro Max running iOS 14.6 can be infected.

Bill Marczak of Citizen Lab notes that these attacks can be carried out without any user interaction, using a method not seen before: “The zero-click exploit mechanics for iOS 14.x appear to be substantially different from the KISMET exploit for iOS 13.5.1 and iOS 13.7, suggesting that it is in fact a completely new iMessage exploit.”

Years go by and the list of reports involving NSO Group and Pegasus keeps growing. A couple of years ago, Facebook took legal action against the Israeli company for creating and selling a zero-day exploit for WhatsApp, used to extract information from government officials, journalists, political activists, dissidents and businesspeople around the world.

In collaboration with Microsoft, Citizen Lab also revealed a link between another Israeli surveillance company, Candiru, and a new Windows spyware called DevilsTongue, deployed by exploiting a zero-day flaw in Windows.


The post 50,000 journalists and important people’s iPhones and Android phones were hacked using Pegasus spyware appeared first on Information Security Newspaper | Hacking News.
