Endpoint Security, Next Generation Technology and Secure Development, Threat Intelligence
Cytrox Predator discovered on Ahmed Eltantawy's device
Mihir Bagwe (mihirbagwe)
September 22, 2023
Apple on Thursday resolved three actively exploited vulnerabilities that researchers said were used by commercial spyware maker Cytrox to infect Egyptian politician Ahmed El-Tantawy’s iPhone with Predator malware. A patch has been released.
Affected devices include iPhone 8 and later models, desktops running macOS Monterey and later versions, and recently released iPad Mini and Apple Watch models. Apple's Safari browser is also affected.
Apple credits the discovery of the flaw to Maddie Stone of the University of Toronto’s Citizen Lab and Google’s Threat Analysis Group. The Canadian organization and Stone teamed up earlier this year to analyze the smartphone of a former Egyptian lawmaker who announced his candidacy for president in the Arab country’s 2024 elections.
Citizen Lab attributed the attack to the Egyptian government with "high confidence", given that Cairo is a known customer of the Hungarian-based spyware maker and that the attack appeared to have been carried out through Vodafone's Egyptian network. "Precisely targeted injections to individual Vodafone subscribers will require integration with Vodafone's subscriber database," Citizen Lab writes.
It added that state authorities likely used a network policy control product developed by Canadian company Sandvine and sold as PacketLogic. Using this tool, they were able to redirect Internet requests from Eltantawy’s phone to a malicious site that downloaded Predator.
The three vulnerabilities, tracked as CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993, cover a certificate validation issue, a kernel security flaw, and a WebKit flaw that allows arbitrary code execution.
This is the second time this month that Citizen Lab has tipped off Apple to a flaw exploited by a commercial spyware maker. In early September, the group announced the results of a study showing that NSO Group, maker of the advanced Pegasus spyware, had used a zero-click exploit to infect at least one iPhone belonging to an individual working for a Washington, D.C.-based civil society organization (see: Apple fixes zero-click bug exploited by NSO Group spyware).