Security researchers with the Citizen Lab and Google's Threat Analysis Group (TAG) revealed today that three zero-days patched by Apple on Thursday were abused as part of an exploit chain to install Cytrox's Predator spyware.
Between May and September 2023, the attackers exploited the bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in attacks using decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy after he announced plans to run in the Egyptian presidential election in 2024.
"In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection," Citizen Lab explained.
"When Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt's network automatically redirected him to a malicious website to infect his phone with Cytrox's Predator spyware."
On iOS devices, the attackers' zero-day exploit used CVE-2023-41993 for initial remote code execution (RCE) in Safari using maliciously crafted web pages, the CVE-2023-41991 bug to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation.
The exploit chain was triggered automatically after the redirection, deploying and running a malicious binary that decided whether the spyware implant should be installed on the compromised device.
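The injection step described above leaves a visible signature: a plaintext-HTTP request answered with a redirect to a host the client never asked for. The following is an added example, not code from Citizen Lab, Google TAG or Apple, that flags such responses in a constructed proxy-style log; the log format, host names and the `same_site` heuristic are assumptions made for the example.

```python
# Added example: flag plaintext-HTTP responses that redirect the client to a
# host it never requested, the observable symptom of an on-path network
# injection. Log format and sample lines are constructed for this example.
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class HttpTransaction:
    scheme: str    # "http" or "https", as requested by the client
    host: str      # host the client asked for
    status: int    # response status code
    location: str  # Location header, empty string if none


def parse_log_line(line: str) -> HttpTransaction:
    """Parse one constructed log line: '<scheme> <host> <status> <location|->'."""
    scheme, host, status, location = line.split()
    return HttpTransaction(scheme, host.lower(), int(status),
                           "" if location == "-" else location)


def same_site(a: str, b: str) -> bool:
    """Loose same-site check (assumed heuristic): equal or sub-domain of each other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_suspicious(tx: HttpTransaction) -> bool:
    """True when a plaintext request was redirected off-site.

    An on-path device can forge such a response for any non-HTTPS request;
    for HTTPS it cannot do so without breaking the TLS session, which is why
    HTTPS everywhere (and HSTS preloading) removes this injection point.
    """
    if tx.scheme != "http" or tx.status not in REDIRECT_CODES or not tx.location:
        return False
    target = (urlsplit(tx.location).hostname or "").lower()
    return not same_site(tx.host, target)


def flag_injected_redirects(log_text: str) -> list[tuple[str, str]]:
    """Return (requested_host, redirect_target) for every suspicious transaction."""
    hits = []
    for line in log_text.splitlines():
        tx = parse_log_line(line)
        if is_suspicious(tx):
            hits.append((tx.host, urlsplit(tx.location).hostname or ""))
    return hits


# Constructed sample log: the third line is the injection pattern.
SAMPLE_LOG = """\
http news.example.org 200 -
http news.example.org 302 https://www.news.example.org/
http shop.example.net 302 http://tracker.invalid/p?i=1
https bank.example.com 302 https://login.bank.example.com/
"""
```

The `.invalid` host in the sample is a placeholder, not an indicator from the report; in real logs this check is a triage filter, not proof of injection, since legitimate off-site redirects over HTTP also exist.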
Chrome zero-day also used to install spyware
Google TAG also observed the attackers using a separate exploit chain to drop Predator spyware on Android devices in Egypt, exploiting CVE-2023-4762—a Chrome bug patched on September 5th—as a zero-day to gain remote code execution.
"This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day," Google TAG's Maddie Stone said.
Apple's Security Engineering & Architecture Team confirmed today that the iOS Lockdown Mode would have blocked the attack.
Citizen Lab urged all Apple users at risk to install Apple's emergency security updates and enable Lockdown Mode to thwart potential attacks exploiting this exploit chain.
"Given that Egypt is a known customer of Cytrox's Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the network injection attack to the Egyptian government with high confidence," Citizen Lab added.
Citizen Lab security researchers disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple in emergency security updates earlier this month—abused as part of another zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus spyware.
16 Apple zero-days exploited in attacks this year
Apple fixed the three zero-days on Thursday in iOS 16.7 and 17.0.1 by addressing a certificate validation issue and adding improved checks.
The complete list of affected devices includes a wide range of older and newer device models:
- iPhone 8 and later
- iPad mini 5th generation and later
- Macs running macOS Monterey and newer
- Apple Watch Series 4 and later
Since January 2023, Apple has addressed a total of 16 zero-days exploited in attacks targeting its customers, including:
- two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
- three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
- three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
- two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
- and another WebKit zero-day (CVE-2023-23529) in February