Wednesday, June 7, 2023
LetsAskBinu.com
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things
No Result
View All Result
LetsAskBinu.com
No Result
View All Result
Home Cybersecurity

QuaDream Spyware Used to Target Journalists, Activists

Researcher by Researcher
April 13, 2023
in Cybersecurity
0
Microsoft Details Malware Attacks on Ukrainian Organizations
189
SHARES
1.5k
VIEWS
Share on FacebookShare on Twitter


Dual reports released this week shed light on the KingsPawn iOS malware developed and sold by known spyware vendor QuaDream. The QuaDream malware has infected at least five unnamed victims between 2019 and 2021, including journalists, political dissidents and a non-government organization worker in North America, Central Asia, Europe and the Middle East.

QuaDream (also called DEV-0196 by Microsoft) is an Israeli spyware vendor that has been operating for several years, goes to great lengths to remain under the radar and has “common roots” with Pegasus spyware maker NSO group and others in the commercial spyware landscape, according to Citizen Lab in a Tuesday report.

Unlike hack-for-hire groups like Void Balaur, which are known to conduct attacks on behalf of organizations or individuals, QuaDream develops and sells products that end users then operate themselves. QuaDream and its suite of exploits have been highlighted by previous reports, including a Reuters investigation last year exposing QuaDream’s flagship exploit toolset and a Meta report in December that described the takedown of 250 accounts associated with the company.

“QuaDream’s obscurity reflects an effort to avoid media scrutiny that was successful, for a time,” said Citizen Lab researchers. “Yet once QuaDream infections become discoverable through technical methods, a predictable cast of victims emerged: civil society and journalists. This pattern is a repetition of the abuses found with more notorious players, like NSO Group’s Pegasus spyware, Cytrox’s Predator spyware, and before them Hacking Team and FinFisher.”

In a separate Tuesday analysis, Microsoft found that the KingsPawn malware is made up of different components, including a monitor agent aimed at hindering detection and a main agent with various spying capabilities. These functionalities include monitoring phone calls and using a device’s camera in the background, getting device locations and collecting various device, Wi-Fi and cellular information.

KingsPawn’s main agent uses several techniques to cover its tracks on victims’ devices. In one notable tactic, the malware infected some of the target devices through what Citizen Lab researchers believe to be an iOS 14 zero-click exploit. Researchers said the exploit (running on iOS 14 through iOS 14.4.2) appeared to leverage malicious, invisible iCloud calendar invitations sent from spyware operators to victims. Because the iCloud calendar invitations had backdated timestamps, they were automatically processed by the phone and added to the calendar sans user notification. Upon closer inspection of devices that had been infected by QuaDream’s malware, researchers also found that a suspicious event added to a victim’s calendar contained CDATA opening and closing tags embedded in keys in an .ics file.

“Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike.”

“We suspect that the attacker’s use of closing and opening CDATA tags in the .ics could potentially facilitate the inclusion of additional XML data that would be processed by the user’s phone, in order to trigger some behaviour desired by the attacker,” according to Citizen Lab researchers.

In another technique aimed at sidestepping detection, the main agent has injected itself into key binaries like the Transparency, Consent and Control daemon (tccd), which controls access permissions for components like the microphone and camera.

“Normally, users are met with a pop-up prompt from the tccd process, alerting them that something has requested access to the camera, microphone, or other peripheral, and the user is required to either allow or deny it,” said Microsoft researchers. “In this compromise scenario, the agent injects itself into the tccd binary, which allows the agent to spawn both new processes and threads as part of the exploitation process, and also allows it to bypass any tccd prompts on the device meaning the user would be unaware of camera compromise.”

Microsoft researchers said that the observed malware sample targets iOS 14, so some of these techniques may no longer be functional on newer operating system versions – however, they said it is highly likely that QuaDream will have updated their malware to account for newer versions.

Spyware and cyber mercenary commercial firms like QuaDream are increasingly selling their tools to authoritarian governments in order to target human rights activists, journalists, dissidents and others. Similar to Microsoft’s Tuesday report, which shared host and network IoCs in an effort to help detection, over the past year companies across the tech industry have offered up further information about cyber mercenary groups and cracked down on domains linked to related operations. In March, the Biden administration put pressure on spyware vendors by signing an executive order prohibiting U.S. government use of commercial spyware.

“Ultimately, this report is a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike,” said Citizen Lab researchers. “Until the out-of-control proliferation of commercial spyware is successfully curtailed through systemic government regulations, the number of abuse cases is likely to continue to grow, fueled both by companies with recognizable names, as well as others still operating in the shadows.”



Source link

Related articles

Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
CISA: North Korea-Backed Actors Using Maui Ransomware

North Korean Attackers Target Google Account Credentials

June 7, 2023
Tags: ActivistsjournalistsQuaDreamspywaretarget
Share76Tweet47

Related Posts

Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
0

In Verizon’s just-released 2023 Data Breach Investigations Report, money is king, and denial of service and social engineering still hold...

CISA: North Korea-Backed Actors Using Maui Ransomware

North Korean Attackers Target Google Account Credentials

June 7, 2023
0

North Korean threat group Kimsuky has recently launched a social engineering campaign against a number of experts specializing in North...

Sentra Raises $30 Million for DSPM Technology

KeePass Update Patches Vulnerability Exposing Master Password

June 6, 2023
0

Open source password manager KeePass was updated over the weekend to patch a vulnerability allowing attackers to retrieve the cleartext...

Zero-day MOVEit Transfer vulnerability exploited in the wild

Zero-day MOVEit Transfer vulnerability exploited in the wild

June 6, 2023
0

Shodan search engine results for internet-facing MOVEit instances. Image: Shodan The Cybersecurity & Infrastructure Security Agency has issued an alert...

New DDoS Attack Vector Abuses Content Filtering Systems

UNC4857 Exploits MOVEit Transfer Flaw in Data Extortion Attacks

June 6, 2023
0

A newly discovered threat campaign has been observed exploiting the recently uncovered, critical-severity MOVEit Transfer vulnerability in order to launch...

Load More
  • Trending
  • Comments
  • Latest
This Week in Fintech: TFT Bi-Weekly News Roundup 08/02

This Week in Fintech: TFT Bi-Weekly News Roundup 15/03

March 15, 2022
QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

QNAP Escalation Vulnerability Let Attackers Gain Administrator Privileges

March 15, 2022
Supply chain efficiency starts with securing port operations

Supply chain efficiency starts with securing port operations

March 15, 2022
A first look at threat intelligence and threat hunting tools

A first look at threat intelligence and threat hunting tools

March 15, 2022
Beware! Facebook accounts being hijacked via Messenger prize phishing chats

Beware! Facebook accounts being hijacked via Messenger prize phishing chats

0
Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

Shoulder surfing: Watch out for eagle‑eyed snoopers peeking at your phone

0
Remote work causing security issues for system and IT administrators

Remote work causing security issues for system and IT administrators

0
Elementor WordPress plugin has a gaping security hole – update now – Naked Security

Elementor WordPress plugin has a gaping security hole – update now – Naked Security

0
Apple launches Vision Pro & more new products

Apple launches Vision Pro & more new products

June 7, 2023
Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
Money20/20 Europe 2023: Day One TFT Roundup

Money20/20 Europe 2023: Day One TFT Roundup

June 7, 2023
Release date, price and more

Release date, price and more

June 7, 2023

Recent Posts

Apple launches Vision Pro & more new products

Apple launches Vision Pro & more new products

June 7, 2023
Ransomware, DDoS see major upsurge led by upstart hacker group

DDoS attacks dominate and pretexting lead to BEC growth

June 7, 2023
Money20/20 Europe 2023: Day One TFT Roundup

Money20/20 Europe 2023: Day One TFT Roundup

June 7, 2023

Categories

  • Cyber Threats
  • Cybersecurity
  • Fintech
  • Hacking
  • Internet Of Things
  • LetsAskBinuBlogs
  • Malware
  • Networking
  • Protection

Tags

Access attack Attacks banking BiWeekly bug Cisco cloud code critical Cybersecurity Data Digital exploited financial Fintech Flaw flaws Google Group Hackers Krebs Latest launches malware Microsoft million Network News open patches Payments platform Ransomware RoundUp security Software Stories TFT Threat Top vulnerabilities vulnerability warns Week

© 2022 Lets Ask Binu All Rights Reserved

No Result
View All Result
  • Home
  • Cybersecurity
  • Cyber Threats
  • Hacking
  • Protection
  • Networking
  • Malware
  • Fintech
  • Internet Of Things

© 2022 Lets Ask Binu All Rights Reserved