Spyware: a growing global threat


Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.

The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.

In this article we present an overview of the spyware threat.


Google and Apple warn about the spread of commercial spyware

Google’s Threat Analysis Group’s (TAG) Buying Spying report (March 2024) reported on the activities of several security companies known to be suppliers of surveillance tools.

The analysis, conducted in collaboration with several internal teams, including Project Zero, which hunts for 0-day vulnerabilities, establishes a basic technical fact: about half of the 72 0-day exploits developed against Google products over the past decade can be attributed to commercial spyware vendors. Notable among them are NSO Group, which designed Pegasus, and the Intellexa cartel, which includes Cytrox, the distributor of Predator.

TAG’s report specifies that the landscape of surveillance solution vendors is more multifaceted than commonly imagined: alongside the better-known companies, less visible private entities also operate, presumably with more freedom of action. Behind them lie supply chains about which too little is yet known.

Also in March 2024, Apple reportedly sent notifications to iPhone users in 92 countries, warning them that they could be targets of commercial spyware-based attacks. Analysts point out that, in the recent communication, Apple no longer defines the threat as “state-sponsored,” but instead uses the formula “mercenary spyware attacks,” which implies a broader, more complex context.


Pegasus and Predator: some surveillance operations exposed

A joint forensic investigation by Access Now and the University of Toronto’s Citizen Lab uncovered a Pegasus-based spying campaign involving the devices of at least 30 activists, journalists, lawyers, and civil society members in Jordan. Further analysis by Human Rights Watch, Amnesty International’s Security Lab, and the Organized Crime and Corruption Reporting Project identified five more targets in the same country.

Reporters Sans Frontières revealed the first reported case of surveillance against journalists in Togo. The two men involved, Loïc Lawson and Anani Sossou, were reportedly spied on using Pegasus during 2021.

Between May and September 2023, Predator spyware operators exploited the Apple 0-day vulnerabilities CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 to monitor the activities of former Egyptian parliamentarian Ahmed Eltantawy after he announced his candidacy for the 2024 presidential election. The campaign was disclosed in a Citizen Lab report after Apple released the related security bulletins on September 21.


Operation Triangulation has hit Kaspersky

Operation Triangulation is a spyware-based campaign whose targets included the Russian cybersecurity company Kaspersky. In this case, neither the origin of the threat nor its possible attribution has been clarified.

The existence of Operation Triangulation had been known since May 2023, but Kaspersky published previously unreleased details of it only in October of that year. The campaign relied on four Apple 0-day vulnerabilities and targeted top and middle management figures, as well as researchers, based in Russia, Europe, and the region spanning the Middle East, Turkey, and Africa.

The attack sequence begins with an iMessage carrying an attachment that contains the code of an initial zero-click exploit. Further files containing additional exploits are then downloaded; these give access to the phone’s physical memory and allow hardware security mechanisms to be bypassed.

The attacker thereby gains control of the iPhone and can install the TriangleDB spyware on it, which is capable of manipulating the phone’s functions, exfiltrating information, recording the surrounding environment, and geolocating the victim.

Kaspersky has received confirmation of the existence of other victims, about whom it has maintained complete confidentiality.


Operation Zero platform raises its offers for iOS and Android 0-day vulnerabilities

As evidence of the widespread interest in specific 0-day vulnerabilities, in September 2023 the Russian platform Operation Zero, which specializes in buying and selling attack and exploitation tools, announced through its X channel that it had set aside much larger payments for high-end exploits targeting the iOS and Android mobile platforms.

The maximum price offered, the same for exploits on either platform, is $20 million. Operation Zero reportedly points out that its end customers are mainly countries outside NATO.


Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with cyber threat intelligence expertise that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response, and systems security verification.

TS-WAY’s experience is internationally recognized and is attested by the large private organizations in finance, insurance, defense, energy, telecommunications, transportation, and technology, and by the government and military organizations, that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.


TS-Intelligence

TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is delivered as a web-based platform with a full API that can be integrated into an organization’s defensive systems and infrastructure to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging online threats, in both the APT and cybercrime spheres, produces a continuous flow of exclusive information that is made available to organizations in real time and processed into technical, strategic, and executive reports.


Learn more about TS-WAY’s services.