Intellexa, an Israeli espionage software vendor, reportedly used three zero-day vulnerabilities in Apple's iOS and one in Google Chrome to build exploit chains against targets in Egypt. The firm used these vulnerabilities to compromise both iPhones and Android devices and install its signature 'Predator' spyware. Predator was originally developed by Cytrox, a company that Intellexa has since absorbed.
Intellexa has a history of deploying Predator against Egyptian citizens, with earlier cases documented in 2021. The recent attacks began with a network-level man-in-the-middle (MITM) injection: when a target requested a site over plaintext HTTP, the attacker, positioned on the network path, rewrote the response into a redirect. This works only for unencrypted HTTP, since an HTTPS connection cannot be altered this way without breaking TLS, which is why browsers' HTTPS-only modes blunt it. The MITM technique removes the need for any user interaction beyond ordinary browsing, such as clicking a specific link or opening a document.
'The use of MITM injection gives the attacker a capability where they don't have to rely on the user to take a typical action like clicking a specific link, opening a document, etc. This is similar to zero-click exploits, but without having to find a vulnerability in a zero-click attack surface,' Google's Threat Analysis Group (TAG) researchers explained.
The users were first redirected to a site controlled by the attacker, which checked whether the visitor was the intended target. If so, they were redirected again to a second attacker-controlled domain where the exploit was delivered. The iOS exploit chain involved three zero-day vulnerabilities: CVE-2023-41993, a remote code execution bug in Safari's WebKit engine, used for initial code execution; CVE-2023-41991, a certificate validation issue used to bypass PAC (Pointer Authentication Codes, Apple's hardware control-flow integrity mechanism, not proxy auto-config); and CVE-2023-41992, a privilege escalation bug in the kernel.
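The injection step described above has a simple network fingerprint: a plaintext HTTP request answered with a redirect to an unrelated host, often followed by a second hop to the exploit server. The following added example, which is not from Google TAG or the original article, runs that heuristic over a few constructed proxy-log lines (the log format, hostnames and the crude registrable-domain helper are all assumptions for illustration):

```python
"""Flag plaintext-HTTP requests that were answered with a redirect to a
different site, then link them into redirect chains.

Added example: not code from Google TAG or the article. The log format,
the hostnames and the naive domain comparison are constructed for
illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed "proxy log": timestamp method url status location ("-" if none).
SAMPLE_LOG = """\
2023-09-01T10:00:01Z GET http://example-news.test/ 302 http://cdn-redirector.test/x
2023-09-01T10:00:02Z GET http://cdn-redirector.test/x 302 http://exploit-landing.test/s
2023-09-01T10:00:03Z GET https://bank.test/login 302 https://bank.test/login?session=1
2023-09-01T10:00:04Z GET http://example-news.test/article 200 -
2023-09-01T10:00:05Z GET http://example-news.test/old 301 http://www.example-news.test/new
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass
class Finding:
    ts: str
    requested: str
    redirected_to: str


def site_of(host: str) -> str:
    """Crude registrable-domain approximation (last two labels).
    Assumption for the example; a real deployment should use the public
    suffix list so that e.g. co.uk sites compare correctly."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_cross_site_http_redirects(log_text: str) -> list[Finding]:
    """Return requests that went out over plaintext HTTP and came back as a
    3xx redirect to a different site. HTTPS requests are ignored because an
    on-path attacker cannot rewrite them without breaking TLS."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, _method, url, status, location = m.groups()
        if not status.startswith("3") or location == "-":
            continue
        req, loc = urlparse(url), urlparse(location)
        if req.scheme != "http":
            continue
        if site_of(req.hostname or "") == site_of(loc.hostname or ""):
            continue  # same-site redirect (www canonicalisation etc.) is normal
        findings.append(Finding(ts, url, location))
    return findings


def chain_redirects(findings: list[Finding]) -> list[list[str]]:
    """Link findings whose redirect target is itself a flagged request, so the
    decoy-then-exploit two-hop pattern shows up as one chain."""
    by_request = {f.requested: f for f in findings}
    targets = {f.redirected_to for f in findings}
    chains = []
    for head in findings:
        if head.requested in targets:
            continue  # not the start of a chain
        chain, cur, seen = [head.requested], head, set()
        while cur is not None and cur.requested not in seen:
            seen.add(cur.requested)  # guard against redirect loops
            chain.append(cur.redirected_to)
            cur = by_request.get(cur.redirected_to)
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in chain_redirects(find_cross_site_http_redirects(SAMPLE_LOG)):
        print(" -> ".join(chain))
```

On the sample log only the two plaintext hops are flagged and they are joined into a single chain; the HTTPS redirect and the same-site www redirect are ignored. In production this heuristic is noisy (ad networks and CDNs redirect across sites constantly), so treat a hit as a trigger for enrichment on the destination domain rather than as an alert on its own.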
Intellexa also targeted Android devices, both through the same MITM injection and through one-time links sent directly to targets. The part of this chain that was captured relied on a single vulnerability: CVE-2023-4762, a high-severity type confusion bug in Chrome's V8 JavaScript engine that allows remote code execution in the browser via a specially crafted HTML page; it was patched in Chrome in early September 2023. The remaining stages needed for a full device compromise, such as a sandbox escape and privilege escalation, were not recovered.
Google TAG researchers believe that exposing these exploits forces the attackers to develop new ones, costing them time and resources. 'Each time their exploits are caught in the wild, it costs attackers money, time, and resources,' the researchers noted.