Pegasus, interceptions and state trojans: that's why no smartphone is safe

Time: 05/Nov By: kenglenn 421 Views


We are once again talking about Pegasus, the spyware developed by the well-known Israeli company NSO and used to spy on journalists, activists and heads of state: a persistent threat that makes any smartphone insecure, even for those who do not live under authoritarian regimes. Here is why.

20 Jul 2021 - Marco Santarelli, Expert in Network Analysis, Critical Infrastructures, Big Data and Future Energies

Pegasus has struck again. We've already talked about it and predicted a return. So it was: 180 journalists and 30 heads of state were monitored by the spyware, created by NSO Group, the Israeli company behind it, which had already made headlines for exploiting a security flaw in WhatsApp.

Let's see what happened this time.


Pegasus spyware: the international investigation

An investigation carried out by international newspapers, including the authoritative Washington Post, has revealed that the Pegasus spyware has attacked numerous devices belonging to journalists, activists and heads of state: as we said, 180 reporters and 30 heads of state.


According to what was declared following the investigation, the Israeli software has been used by some world governments as a tool to spy on journalists, activists and executives. Among the governments that have made use of it there would reportedly also be the Hungarian one, led by Viktor Orbán.

Created as software to track terrorists and criminals internationally, and worth 8 million dollars, Pegasus has been linked to more than 50,000 telephone numbers located in countries that routinely monitor their citizens and are customers of the NSO Group. Those numbers belong to numerous journalists from authoritative international publications, such as CNN, the New York Times, the Wall Street Journal, the Financial Times, Voice of America and Al Jazeera, as well as to various heads of state.

In Hungary, for example, the spyware appears to have targeted investigative journalists and independent media executives on orders from Hungarian President Viktor Orbán, in his war against the media.

Targets also included people close to Jamal Khashoggi, the "progressive Saudi" journalist of the Washington Post who had openly criticized the conduct of the crown prince of Saudi Arabia, Mohammad bin Salman. Khashoggi had also opposed the Saudi military intervention in Yemen and was killed inside the Saudi Embassy in Istanbul by the crown prince himself, according to CIA reports.

The attacks with Pegasus: the WhatsApp case

The news of the new Pegasus attack was disclosed by the NGO Forbidden Stories and by Amnesty International, and it could be considered the biggest invasion of privacy since PRISM, the American electronic surveillance program whose existence Edward Snowden revealed in 2013.


Recall that already in 2019 a breach in the security of WhatsApp had claimed numerous victims, including the President of the Catalan Parliament, Roger Torrent. WhatsApp had filed a lawsuit against NSO Group for having exploited a vulnerability in video calls to attack users, and Amnesty International itself had already launched a lawsuit against the social platform, one of the most used in the world, over numerous other attacks against activists, politicians and journalists.

The appeal was rejected by the Tel Aviv court, despite the fact that the Canadian research group Citizen Lab and newspapers such as The Guardian, El País and the Washington Post had demonstrated that Pegasus had been used in September 2019 to hack into the phone of Omar Radi, a Moroccan investigative journalist, and into those of Bezos, Khashoggi, Abdulaziz and many others, including a New York Times reporter, Ben Hubbard, and Osama Bin Laden.

Pegasus: from defense tool to means of attack

As we have already had the opportunity to explore previously, the Pegasus spyware was developed by the Israeli company NSO Group to fight crime and, above all, terrorism.

The attack through Pegasus begins with a decoy or, in the case of smartphones, with an intrusion via a video call (mainly on WhatsApp) that the victim does not even need to answer.

The spyware activates and, through the fake call, exploiting phishing, social engineering and web browsing techniques, manages to "enter" the device; from there it can listen to conversations, view the contents stored in the internal memory, take pictures and more.

The purpose of the spyware is to track the victim's movements, up to the "discreet" use of the microphone for constant geolocation.

This activity is combined with a much more sophisticated one: the so-called silent spy. While we browse any site from the browser or from a search engine, mainly on HTTP sites (HTTPS sites are apparently more "secure", the final "s" indicating an encrypted connection), this spy is able to redirect our search to additional sites which in turn open targeted addresses that the software automatically hooks on to: these can be operator services, and therefore invitations to download apps, ringtones and offers, or the infrastructure on which the physical device relies, i.e. antennas, bridges and repeaters.

Obviously, how a piece of software is used determines its purpose.

“All spyware is an essential tool for criminal investigation, but its use confers enormous power, capable of destabilizing a state. The entire supply chain of their production must be controlled, as well as their use. In our devices there is a copy of our life. Whoever takes control of our phone can do everything without being noticed, even putting child pornography images in it and then reporting us. What if the target was a mayor or a minister? It is urgent to address the issue by taking up the proposal I made as a deputy in the last legislature. One cannot think always and only of telephone or environmental recordings”, these are the words of Stefano Quintarelli, president of the Advisory Group on Advanced Technologies of the United Nations.

Mobile Verification Toolkit, the tool to unmask Pegasus

The Mobile Verification Toolkit (MVT) is the name of the tool capable of detecting a possible compromise of your smartphone or mobile device. It was developed by Amnesty International researchers and made freely available to everyone on GitHub.

The tool can be installed on macOS, Linux and Windows systems (in the latter case, it is necessary to install the Windows Subsystem for Linux, WSL) and works for Android and for iPhone (which, as shown by the investigations conducted by Amnesty International itself, is the device most targeted by the spyware developed by NSO Group).

Its operation is not very simple, but in a short time, by following the detailed instructions for use (available only for macOS and Linux systems) also published by Amnesty International, it allows you to identify and confirm a possible compromise of a mobile device.

Using the tool involves backing up your phone to a separate computer and running a check against that backup. It must also be said that the tool works from the command line or on the terminal and therefore requires a certain technical skill and a little patience to use it to the fullest.

Moreover, Amnesty itself states in its user guide that the analysis performed by the tool on Android phone backups is limited, but still allows you to check for any potentially harmful SMS messages and APKs.

To check whether Pegasus is hidden on an iPhone, the easiest way to start is to make an encrypted backup of the memory (in this case, instructions are provided directly by Apple) using iTunes or Finder on a Mac (however, it is necessary to install Xcode and the Python 3 libraries first) or on a PC. Once this is done, you can download and install Amnesty's MVT.

After running MVT, a list of warnings will appear on screen listing suspicious files or abnormal behaviour. However, keep in mind that a warning does not necessarily mean that your device is infected with Pegasus.
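The iPhone workflow just described (encrypted backup, decryption, check against Amnesty's indicators, review of the matches), as an added shell example that is not Amnesty's code. The `mvt-ios` sub-commands are MVT's own; the result file name `timeline_detected.csv`, its column layout, the indicator path and the sample rows are assumed or constructed here.

```shell
#!/usr/bin/env bash
# Added example, not Amnesty's code: the iPhone backup workflow as shell functions.
# The mvt-ios sub-commands are MVT's own; the result file name timeline_detected.csv,
# its columns (UTC Timestamp,Plugin,Event,Description) and all paths are assumed.
set -e

# Decrypt the encrypted iTunes/Finder backup, then check it against an indicator
# file (Amnesty publishes Pegasus indicators in STIX2 form; the path is a placeholder).
mvt_check_iphone_backup() {
  backup="$1" decrypted="$2" out="$3" iocs="$4" password="$5"
  mvt-ios decrypt-backup --password "$password" --destination "$decrypted" "$backup"
  mvt-ios check-backup --iocs "$iocs" --output "$out" "$decrypted"
}

# Number of indicator matches in an MVT output folder (0 when the file is absent).
count_detections() {
  f="$1/timeline_detected.csv"
  [ -f "$f" ] || { echo 0; return 0; }
  tail -n +2 "$f" | grep -c . || true
}

# Distinct MVT modules that produced a match, one per line, sorted.
detected_plugins() {
  f="$1/timeline_detected.csv"
  [ -f "$f" ] || return 0
  tail -n +2 "$f" | cut -d, -f2 | sort -u
}

# Constructed sample output (not real MVT results) so the triage helpers can run offline.
make_sample_output() {
  d=$(mktemp -d)
  cat > "$d/timeline_detected.csv" <<'EOF'
UTC Timestamp,Plugin,Event,Description
2021-06-01 10:15:22.000000,SafariHistory,Safari History,"Safari visit to placeholder.example (ID: 7)"
2021-06-01 10:15:40.000000,SafariHistory,Safari History,"Safari visit to placeholder.example (ID: 8)"
2021-06-01 10:16:03.000000,Datausage,Datausage,"Data usage by process ""exampled"""
EOF
  echo "$d"
}

# A match list is where triage starts, not a verdict: each hit needs review in context,
# and no matches does not prove a clean device (the indicators cover known samples only).
triage_report() {
  n=$(count_detections "$1")
  if [ "$n" -eq 0 ]; then
    echo "no indicator matches; review the MVT log for warnings before concluding"
  else
    echo "$n indicator match(es) in: $(detected_plugins "$1" | paste -sd, -)"
  fi
}
```

Run `mvt_check_iphone_backup` with your own backup, destination, output and indicator paths and the backup password, then point `triage_report` at the output folder.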

Vulnerabilities exploited by Pegasus

In the specific case of Pegasus, the vulnerabilities of the software it interacts with have been exploited by its own developers; these are usually vulnerabilities known as zero-days, i.e. unknown to the world, which are bought and sold in criminal circles and through legal brokerage agencies to give spyware its access.

Furthermore, even more disturbing is the possibility of entering devices with zero-click attacks, without the victim having to click on a malicious link, as stated by Claudio Guarnieri of the Citizen Lab of the University of Toronto. An example comes from iMessage, which is usually installed on the iPhone.

Recall that already in 2016 Pegasus had been found on vulnerable iPhones, where it was activated by clicking on a missed WhatsApp video call from a number with a Swedish prefix. In that way the phone's microphone and camera were taken under control, passwords were collected, and photos and e-mails were accessed. Apple then released an update in August 2016 to close these vulnerabilities.
