On September 21, 2023, Apple shipped fixes for three newly identified vulnerabilities. The three bugs formed a single exploit chain that was used to target Ahmed Eltantawy, a former Egyptian MP, with spyware dubbed “Predator” between May and September 2023.
Eltantawy became a target after publicly announcing his intention to run in Egypt’s 2024 presidential election. The Citizen Lab attributes the attack to the Egyptian government with high confidence, noting that the government is a known customer of this particular surveillance tool.
A joint investigation by Canada’s Citizen Lab and Google’s Threat Analysis Group (TAG) found that the spyware was delivered both through links sent in SMS and WhatsApp messages and through injection at the network level.
During August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for that network injection. Whenever he visited a website over plain HTTP (not HTTPS), a device inside Vodafone Egypt’s network rewrote the response to redirect him to an attacker-controlled site that served the exploit chain and installed Predator, the spyware developed by Cytrox.
The exploit chain used three vulnerabilities: CVE-2023-41993, a WebKit bug that gives initial code execution when the browser processes malicious web content; CVE-2023-41992, a kernel bug used to escalate privileges; and CVE-2023-41991, a certificate validation flaw that allows signature checks to be bypassed. Chained together, they let the attacker go from a single page load to full control of the device without any further user interaction.
Cytrox’s Predator is comparable in capability to NSO Group’s infamous Pegasus: once installed it provides broad surveillance of the device and exfiltration of its data. Predator is sold through the Intellexa Alliance, and in July 2023 the U.S. Commerce Department added Intellexa and Cytrox to its Entity List over the tool’s use in human rights abuses.
Beyond these basics, the network side of the operation is what sets it apart. The redirect was performed by a Sandvine PacketLogic middlebox: the response to a genuine plaintext HTTP request was replaced with a redirect to the attacker’s site, which in turn served the exploit chain that installed Predator.
Maddie Stone of Google TAG described this as an adversary-in-the-middle (AitM) attack. Because plain HTTP carries no encryption or integrity protection, a device sitting on the path can silently swap the expected response for one that sends the victim to an attacker-controlled site.
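The injection described above has a simple observable signature from the client side: a plaintext HTTP request for one site comes back as a redirect (or a page that redirects itself) to a host the user never asked for. The following canary check, an added example that is not code from Citizen Lab, Google TAG or any vendor named here, classifies raw HTTP responses on that basis. The sample responses and the host names in them (`www.example.org`, `lure.invalid`) are constructed placeholders, not indicators from the investigation.

```python
"""
Canary check for network-level HTTP injection: flag responses to a plaintext
request that move the browser to a site other than the one requested.

Added example; not code from the investigation or the vendors on the page.
Sample responses below are constructed, with placeholder host names.
"""
import re
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Body-level redirects a 200 response can carry: meta refresh and JS location.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def same_site(requested_host: str, target_url: str) -> bool:
    """True if target_url stays on the requested host or one of its subdomains.

    Relative URLs stay on the same host. Protocol-relative URLs (//host/...)
    are parsed like absolute ones so a middlebox cannot hide behind them.
    """
    target_host = (urlsplit(target_url).hostname or "").lower()
    if not target_host:
        return True
    requested_host = requested_host.lower()
    return target_host == requested_host or target_host.endswith("." + requested_host)


def classify_response(requested_host: str, raw: bytes) -> str:
    """Return 'clean', 'offsite-redirect' or 'injected-content'.

    A same-site 3xx (e.g. an http -> https upgrade) is normal and stays clean;
    a 3xx to another site, or a 200 whose body pushes the browser to another
    site, is the signature of the injection technique.
    """
    status, headers, body = parse_http_response(raw)
    if status in REDIRECT_STATUSES:
        location = headers.get("location", "")
        return "clean" if same_site(requested_host, location) else "offsite-redirect"
    if status == 200:
        for pattern in (META_REFRESH, JS_LOCATION):
            match = pattern.search(body)
            if match and not same_site(requested_host, match.group(1)):
                return "injected-content"
    return "clean"


# Constructed sample responses, as if returned for http://www.example.org/
SAMPLES = {
    "genuine": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><body>hello</body></html>",
    "https_upgrade": b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://www.example.org/\r\n\r\n",
    "injected_redirect": b"HTTP/1.1 302 Found\r\nLocation: http://lure.invalid/\r\n\r\n",
    "injected_body": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b'<html><head><script>window.location="http://lure.invalid/x"'
                     b"</script></head></html>",
}


def run_canaries(requested_host: str = "www.example.org") -> dict:
    """Classify every sample as if it had been received for requested_host."""
    return {name: classify_response(requested_host, raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_canaries().items():
        print(f"{name:20s} {verdict}")
```

To use this against a real network, fetch a fixed set of plaintext-HTTP URLs from the connection under test and feed the raw responses to `classify_response`. Two caveats: a clean result proves nothing about other users, since an in-path device can be configured to inject only for selected subscribers, as it was here; and the attacker’s page itself, once reached, will look like an ordinary site, so the redirect is the only point at which the injection is visible from the client.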
Eltantawy was also targeted in 2021 and 2023 with SMS and WhatsApp messages that posed as security alerts about suspicious activity on his accounts. Forensic analysis tied one of these messages to a Predator infection that began within minutes of its link being opened.
Google TAG also found a parallel delivery chain for Android devices. That variant exploited a separate vulnerability in Google Chrome, CVE-2023-4762.
CVE-2023-4762 is a type confusion bug in Chrome’s V8 JavaScript engine. It was reported on August 16, 2023, and Google shipped a fix on September 5, 2023; TAG assesses that Cytrox/Intellexa was likely exploiting it as a zero-day before the patch was available.
These findings underline a risk specific to the telecommunications sector: equipment inside an operator’s network can be repurposed to tamper with subscribers’ traffic, whether to siphon data or to deliver malware to devices whose users did nothing more than open a web page.
The Citizen Lab advised users to be wary of non-HTTPS websites, since in this scenario a single visit to one is enough to trigger infection. It also recommended that individuals at elevated risk keep their devices updated and enable protections such as Lockdown Mode.