Security research teams from The Citizen Lab and Google's Threat Analysis Group (TAG) have revealed that three zero-day vulnerabilities recently patched by Apple were exploited to install Cytrox's Predator spyware. The attacks took place between May and September 2023 and targeted former Egyptian MP Ahmed Eltantawy, who had announced plans to run in the 2024 Egyptian presidential election. The attackers exploited the bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) via deceptive SMS and WhatsApp messages.
According to Citizen Lab, Eltantawy's mobile connection with Vodafone Egypt was consistently targeted via network injection from August to September 2023. Whenever Eltantawy visited certain non-HTTPS websites, a device installed at the edge of Vodafone Egypt's network redirected him to a malicious website, which then infected his phone with Predator spyware.
The zero-day exploit chain on iOS devices involved using CVE-2023-41993 for initial remote code execution in Safari through malicious web pages, CVE-2023-41991 to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation. The exploit chain was activated automatically after the redirection, deploying a malicious binary that determined whether the spyware implant should be installed on the compromised device.
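The network injection described above only works against cleartext HTTP: a 3xx answer that sends the client from the site it requested to an unrelated host is the observable on the wire. The following is an added example, not code from Citizen Lab or Google TAG, of a log-side heuristic for that pattern over a constructed proxy log; the log field layout (timestamp, scheme, request host, status, Location) is an assumption, and a same-site upgrade to HTTPS is treated as benign.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records (not from the article): timestamp, scheme, host, status, Location ("-" if none).
SAMPLE_LOG = """\
2023-08-14T10:02:11Z http example-news.test 200 -
2023-08-14T10:02:13Z http example-news.test 302 http://c.example-bad.test/?s=abc
2023-08-14T10:03:40Z https bank.test 302 https://bank.test/login
2023-08-14T10:04:02Z http shop.test 301 https://shop.test/
2023-08-14T10:05:55Z http forum.test 307 https://forum.test/
2023-08-14T10:06:30Z http news.test 302 http://www.news.test/
"""

LINE_RE = re.compile(r"^(\S+) (http|https) (\S+) (\d{3}) (\S+)$")


def _site(host):
    """Normalise a hostname so 'www.x' and 'x' compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, scheme, host, status, loc = m.groups()
    return {"ts": ts, "scheme": scheme, "host": host,
            "status": int(status), "location": None if loc == "-" else loc}


def is_suspicious_redirect(rec):
    """True for a 3xx answer to a cleartext HTTP request whose Location points at a different site.
    Relative Locations and same-site HTTP->HTTPS upgrades are not flagged."""
    if rec["scheme"] != "http" or not 300 <= rec["status"] < 400 or not rec["location"]:
        return False
    target = urlsplit(rec["location"])
    if not target.hostname:          # relative redirect: stays on the same origin
        return False
    return _site(rec["host"]) != _site(target.hostname)


def find_suspicious(log_text):
    """Return the parsed records that match the injected-redirect heuristic."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_redirect(rec):
            hits.append(rec)
    return hits
```

Hits from such a heuristic are a triage signal, not proof of injection; the same shape is produced by legitimate cross-domain redirects, so an allowlist of known redirect targets is needed in practice.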
Google TAG also observed the attackers using a separate exploit chain to install Predator spyware on Android devices in Egypt. This chain exploited CVE-2023-4762, a Chrome bug patched on September 5th, to achieve remote code execution.
Apple's Security Engineering & Architecture Team confirmed that the iOS Lockdown Mode would have prevented the attack. Citizen Lab advised all at-risk Apple users to install Apple's emergency security updates and enable Lockdown Mode to protect against potential attacks exploiting this exploit chain.
Citizen Lab attributed the network injection attack to the Egyptian government with high confidence, given that Egypt is a known customer of Cytrox's Predator spyware and the spyware was delivered via network injection from a device located physically inside Egypt.
In addition, Citizen Lab researchers disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064) that were exploited as part of another zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus spyware. These were fixed by Apple in emergency security updates earlier this month.
Apple addressed the three zero-days on Thursday in iOS 16.7 and 17.0.1 by resolving a certificate validation issue and implementing improved checks. The list of affected devices includes a wide range of older and newer models. Since January 2023, Apple has addressed a total of 16 zero-days exploited in attacks targeting its customers.