U.S. Judge Orders NSO Group to Disclose Pegasus Spyware Source Code to Meta

March 2, 2024

A U.S. court has instructed the NSO Group to provide its Pegasus spyware source code to Meta. This is a significant win for Meta, which initiated the lawsuit in October 2019 after the spyware was distributed using its infrastructure, affecting about 1,400 mobile devices. The targeted devices belonged to a range of individuals, including Indian activists and journalists.

The spyware was delivered using a critical buffer overflow bug in WhatsApp's voice call feature (CVE-2019-3568), a then zero-day flaw. This allowed the spyware to be installed simply by placing a call, even if the call was not answered. Moreover, the attack included steps to delete the call information from the logs to avoid detection.

NSO Group has been directed to 'produce information concerning the full functionality of the relevant spyware,' specifically from a year before to a year after the alleged attack (April 29, 2018, to May 10, 2020). However, the company is not required to disclose specific information about the server architecture at this stage because Meta can derive the same information from the full functionality of the alleged spyware.

Notably, NSO Group is not required to disclose the identities of its clients. Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, expressed disappointment over this, stating, 'While the court's decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret.'

NSO Group was sanctioned by the U.S. in 2021 for creating and supplying cyber weapons to foreign governments that 'used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.'

This development coincides with the revelation of a new multi-tiered delivery infrastructure associated with Predator, a mercenary mobile spyware managed by the Intellexa Alliance. This infrastructure network is likely associated with Predator customers in countries such as Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It is noteworthy that Predator customers in Botswana and the Philippines had not been identified until now.

Latest News

• CISA Issues Alert on Microsoft Streaming Bug Exploited in Malware Attacks
• Five Eyes Intelligence Alliance Issues Warning on Ivanti Gateway Vulnerabilities
• CISA Warns of Persistent Threats on Hacked Ivanti VPN Appliances Even After Factory Resets
• Cisco Fixes Serious Bugs in Data Center Operating Systems
• Chinese Cyber Espionage Clusters Exploit Ivanti VPN Vulnerabilities to Deploy New Malware