CarderPlanet
NSO Group
NSO Group is an Israeli IT company specializing in software for extracting data from a smartphone while bypassing its security mechanisms; in other words, spyware. The company is known for accusations that it collaborated with authoritarian regimes, which used its products to spy on the opposition. NSO Group was founded in 2010 by veterans of Israeli intelligence (the name is formed from the first names of the founders, Niv Karmi, Shalev Hulio and Omri Lavie). Initial funding came from a group of investors led by Eddy Shalev, a partner in the Israeli venture capital fund Genesis Partners.
In 2014, NSO Group was acquired by Francisco Partners, an American investment firm focused on the technology sector. In 2019, the founders Hulio and Lavie, together with the European investment company Novalpina Capital, bought back a controlling stake in NSO Group (the third founder had left the company at the very beginning).
Pegasus
The company's main product is Pegasus, software that is remotely installed on an iOS or Android smartphone without the owner's knowledge and collects data from the device (the product apparently focuses on iOS, though Android is also targeted; this information may be outdated). Another product is Circles (the company of the same name merged with NSO Group in 2014), which allows a target's phone to be located anywhere in the world within seconds. Pegasus exploits a number of vulnerabilities (zero-days at the time of use) that let it target different versions of these operating systems (code analysis suggests the software applies to iPhones from the iPhone 5 onward). The software is licensed for export by the Israeli Ministry of Defense as a "weapon" and can only be purchased by states, not individuals (note, however, that NSO Group also exports through its offices in Cyprus and Bulgaria).
Interestingly, the company charges by the number of targets to be monitored (on top of a fixed setup fee).
Where Pegasus Was Used
The following countries bought Pegasus and used it to spy on the opposition.
- Mexico
  - In particular, to spy on Carmen Aristegui, who in 2014 was investigating corruption involving the wife of the then president of the country; also on the popular journalist Carlos Loret de Mola and possibly on the journalist Rafael Cabrera.
  - To spy on activists investigating the 2014 kidnapping and presumed murder of 43 students by a drug gang (the Ayotzinapa case).
  - To spy on Juan E. Pardinas, who drafted anti-corruption legislation.
  - The attacks were carried out via a text message containing a malicious link.
  - To capture the famous drug lord Joaquin "El Chapo" Guzman.
  - With the help of corrupt Mexican officials, drug cartels used the software to spy on journalists who opposed them.
  - To spy on journalists and activists who scrutinized the activities of the authorities.
- Saudi Arabia (in 2018 Amnesty International accused Saudi Arabia of using Pegasus to spy on its staff)
  - In particular, it is alleged to have been used in the lead-up to the murder of the dissident Jamal Khashoggi. After this incident, NSO Group froze its cooperation with the Saudi authorities.
  - It is also alleged that the Saudi authorities implanted the software on Jeff Bezos's phone via a WhatsApp message sent from the account of the Crown Prince of Saudi Arabia, Mohammed bin Salman.
  - To spy on Amnesty International staff working on Saudi issues.
- UAE
  - It was used to spy on opposition figures, in particular the human rights activist Ahmed Mansoor, whom attackers unsuccessfully tried to hack by sending a malicious link in a text message to his iPhone. Citizen Lab's study of this link yielded the first technical data on how Pegasus works.
- Morocco
- Spain
- India
  - The use of Pegasus was first recorded by Citizen Lab researchers in 2018, when they identified a number of operators of the software, one of which, "Ganges", was active primarily on Indian networks.
  - In 2019, 121 people were attacked, including journalists, activists and human rights lawyers. Suspicion fell on the government of Prime Minister Narendra Modi; opposition members of the Indian parliament demanded an investigation at the level of the Supreme Court.
  - Also in 2019, it was reported that unknown persons were spying on several dozen high-ranking Pakistani officials, including representatives of the Ministry of Defence and the intelligence services.
  - In both cases a WhatsApp vulnerability was exploited.
- Panama
  - According to Univision, the number of victims in 2012-2014 may have reached 150.
  - The surveillance was carried out at the initiative of the country's former president, Ricardo Martinelli, and targeted his political opponents and other persons of interest to him.
- Togo
- Rwanda
- Azerbaijan
- Bahrain
- Hungary
- Kazakhstan
- Kenya
And what about Russia?
It is interesting to note that NSO Group products (like those of other similar organizations) do not appear to be used by the Russian authorities. The exact reason is unknown, but, according to Andrey Soldatov, editor-in-chief of the Agentura.ru website, it is due, first, to Russia producing (and exporting) its own spyware, and second, to the Russian authorities' distrust of foreign products in this area, which let their developers (and the intelligence agencies of their countries) collect data on customers; the leaks concerning NSO Group give grounds for that distrust. In the case of Pegasus, NSO Group's own servers are used to control the infected device directly. The leaked data included a list of 50,000 phone numbers whose owners were of interest to the company's customers.
It is also worth mentioning that in 2018 the Citizen Lab cybersecurity research group reported that its researchers had been targeted by undercover operatives presumed to be linked to the company. In 2019, one of them was identified as a former Israeli security officer, Aharon Almog-Assouline.
Once Pegasus has gained access to a device, it can presumably intercept all communications (SMS, calls, messages in the main popular messengers, mail, etc.), collect location data and Wi-Fi passwords, pull data from other applications, activate the microphone and camera, and read the contact list and browser history. This is possible because it obtains elevated privileges in the system (rooting on Android, jailbreaking on Apple devices).
How exactly does Pegasus do surveillance?
The techniques Pegasus uses to compromise devices are not advertised. In part, they can be reconstructed from known cases. In 2019, WhatsApp accused NSO Group of using the application as an attack vector through the vulnerability CVE-2019-3568 (a buffer overflow in WhatsApp's VoIP stack, triggered by specially crafted SRTCP packets, that allowed remote code execution during a voice call; the victim did not need to answer the call). In its lawsuit against NSO Group, WhatsApp officials said the hacking targets included "lawyers, journalists, human rights activists, political dissidents, diplomats and other prominent officials."
According to WhatsApp, the attacks came from NSO Group servers, which, after the malicious code had been injected, were used to communicate with the jailbroken device, extract data from it and update Pegasus on the device.
The phishing link is called an Enhanced Social Engineering Message (ESEM) in documents leaked from a rival surveillance software vendor, the Italian company Hacking Team. After the click, the victim is passed through a chain of NSO Group anonymizing servers (the Pegasus Anonymizing Transmission Network, PATN) in order to hide the location of the customer's server. The server that directly attempts to install the software covertly on the victim's smartphone is called the Pegasus Installation Server (there is also a Pegasus Data Server, used for C&C). If the attack fails, the victim is redirected to a site specified by the attacker in the attack configuration.
To reduce the chances of this infrastructure being detected, the attacking server accepts connections only if certain criteria are met, for example only from certain countries or certain OS versions, and presumably also deactivates links after a short period (roughly 24 hours).
In 2016, Citizen Lab researchers uncovered the extensive online infrastructure of an unknown hacker group, which they named Stealth Falcon (some of the phishing resources were disguised as humanitarian organizations such as the Red Cross, and as media sites).
Citizen Lab did not have a malware sample, however, until it received one after the attempted hack of Ahmed Mansoor that same year. The researchers found the string "Pegasus Protocol" in the code and established that the malicious link led to one of the Stealth Falcon servers, whose IP address was also used by a server registered in the name of an NSO Group employee.
In 2018, after one of its staff members was targeted, Amnesty International also conducted an investigation, during which it identified servers belonging to NSO Group (some of them previously identified by Citizen Lab). This was done by fingerprinting the servers used in the attack on the employee and searching for servers with a matching fingerprint. Another overlap with the servers identified by Citizen Lab was the use of self-signed TLS certificates.
In addition, Amnesty International found that most of the phishing domains were registered on days and at hours that coincide with the Israeli business week.
A number of domains had a peculiarity in their names that may indicate a connection with a particular geographic area (for example "zm" for Zambia, or odnoklass-profile[.]com for countries in the Russian cultural sphere). This is not about the top-level domain .zm, but about a substring inside the second-level label, as in onlineshopzm[.]com.
Other domains impersonated existing news organizations (gulf-news[.]info vs. https://gulfnews.com) or generic news sites (breaking-news[.]co).
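The infrastructure-hunting approach described above (fingerprint overlap, self-signed certificates, registration during the Israeli business week, country-tagged and brand-lookalike labels) can be turned into a scoring script. The example below is added here and is not Amnesty International's or Citizen Lab's tooling; every domain record, certificate fingerprint, HTTP fingerprint and timestamp in it is constructed, the BRANDS and COUNTRY_TAGS tables are placeholders, and the weights and threshold are assumptions a real hunt would tune.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DomainRecord:
    name: str                 # domain as observed (constructed for this example)
    registered: datetime      # WHOIS creation timestamp, tz-aware
    self_signed: bool         # leaf TLS certificate is self-signed
    cert_sha256: str          # fingerprint of the leaf certificate (constructed)
    http_fingerprint: str     # hash of the HTTP response shape (constructed)


# Israel is UTC+2 in winter and UTC+3 in summer; a fixed offset keeps the example
# dependency-free. A real tool should use zoneinfo.ZoneInfo("Asia/Jerusalem").
ISRAEL = timezone(timedelta(hours=2))
WORK_DAYS = {6, 0, 1, 2, 3}          # Sunday..Thursday in datetime.weekday() numbering
WORK_HOURS = range(8, 19)            # 08:00-18:59 local time

# Placeholder lookup tables; a real hunt would load full brand and country lists.
BRANDS = {"gulfnews": "gulfnews.com", "bbcnews": "bbc.com", "cnn": "cnn.com"}
COUNTRY_TAGS = {"zm": "Zambia", "ke": "Kenya", "mx": "Mexico", "ae": "UAE"}

# Assumed weights: shared artefacts are strong evidence, naming/timing traits are weak.
WEIGHTS = {"cert": 3, "http": 3, "self_signed": 1, "business_week": 1, "lookalike": 2, "country_tag": 1}
THRESHOLD = 3


def sld(name: str) -> str:
    """Second-level label: 'www.gulf-news.info' -> 'gulf-news' (naive; ignores ccSLDs such as co.uk)."""
    labels = name.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def registered_in_israeli_business_week(ts: datetime) -> bool:
    local = ts.astimezone(ISRAEL)
    return local.weekday() in WORK_DAYS and local.hour in WORK_HOURS


def brand_lookalike(name: str) -> Optional[str]:
    """'gulf-news.info' -> 'gulfnews.com': the de-hyphenated label equals a known brand."""
    return BRANDS.get(sld(name).replace("-", ""))


def country_tag(name: str) -> Optional[str]:
    """'onlineshopzm.com' -> 'Zambia': a two-letter country code glued onto a longer label."""
    label = sld(name).replace("-", "")
    for code, country in COUNTRY_TAGS.items():
        if len(label) > len(code) + 2 and label.endswith(code):
            return country
    return None


def assess(rec: DomainRecord, seed_certs: set, seed_http: set):
    """Score one domain against the seed infrastructure; returns (score, reasons)."""
    reasons = []
    if rec.cert_sha256 in seed_certs:
        reasons.append(("cert", "leaf certificate shared with a seed server"))
    if rec.http_fingerprint in seed_http:
        reasons.append(("http", "HTTP response fingerprint matches a seed server"))
    if rec.self_signed:
        reasons.append(("self_signed", "self-signed TLS certificate"))
    if registered_in_israeli_business_week(rec.registered):
        reasons.append(("business_week", "registered during the Israeli business week"))
    brand = brand_lookalike(rec.name)
    if brand:
        reasons.append(("lookalike", f"lookalike of {brand}"))
    country = country_tag(rec.name)
    if country:
        reasons.append(("country_tag", f"label carries a country tag ({country})"))
    score = sum(WEIGHTS[key] for key, _ in reasons)
    return score, [text for _, text in reasons]


def hunt(records, seed_certs, seed_http, threshold=THRESHOLD):
    """Return {domain: (score, reasons)} for every record at or above the threshold."""
    hits = {}
    for rec in records:
        score, reasons = assess(rec, seed_certs, seed_http)
        if score >= threshold:
            hits[rec.name] = (score, reasons)
    return hits


# Seed fingerprints taken from the server that attacked the first victim (constructed).
SEED_CERTS = {"sha256:aa11"}
SEED_HTTP = {"shape-1"}

UTC = timezone.utc
SAMPLE_RECORDS = [
    # Tuesday 10:30 Israel time, shares cert and HTTP shape, impersonates a newspaper
    DomainRecord("gulf-news.info", datetime(2018, 6, 12, 8, 30, tzinfo=UTC), True, "sha256:aa11", "shape-1"),
    # Sunday 09:00 Israel time, shares only the HTTP shape, label ends in a country code
    DomainRecord("onlineshopzm.com", datetime(2018, 6, 17, 7, 0, tzinfo=UTC), True, "sha256:bb22", "shape-1"),
    # Saturday, CA-issued certificate, nothing in common with the seed
    DomainRecord("example-bakery.com", datetime(2018, 6, 16, 12, 0, tzinfo=UTC), False, "sha256:cc33", "shape-9"),
    # Friday evening, self-signed but otherwise unrelated: stays below the threshold
    DomainRecord("breaking-news.co", datetime(2018, 6, 15, 18, 0, tzinfo=UTC), True, "sha256:dd44", "shape-2"),
]

if __name__ == "__main__":
    for domain, (score, reasons) in hunt(SAMPLE_RECORDS, SEED_CERTS, SEED_HTTP).items():
        print(f"{domain}: score {score}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the two domains that share an artefact with the seed server pass the threshold; a self-signed certificate or a registration time on its own is too common to be evidence, which is why the weak traits only add to a score that a fingerprint match has already opened.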
Historically, Pegasus exploited the following vulnerabilities:
- CVE-2016-4655 - an iOS kernel information leak that lets an attacker learn the kernel's location in memory (defeating KASLR);
- CVE-2016-4656 - an iOS kernel memory corruption vulnerability that lets an attacker covertly jailbreak the device;
- CVE-2016-4657 - a memory corruption vulnerability in WebKit (the Safari browser engine) that lets an attacker run code on the device after the victim opens a malicious link.
Together these three are known as the "Trident" exploit chain. A December 2020 Citizen Lab report indicates that NSO Group shifted its focus to zero-click vulnerabilities and network injection attacks to better conceal a compromise. And in its August 2021 report it was reported that Pegasus successfully exploited the FORCEDENTRY vulnerability (CVE-2021-30860) in Apple operating systems (fixed in the September 2021 update).
It is logical to assume, however, that Pegasus exploits other vulnerabilities still unknown to researchers.
Pegasus hides its presence on the infected system. If it cannot contact the C&C for 60 days, it removes itself from the system (it can also do so on command from the C&C).
The C&C infrastructure itself (the Pegasus Anonymizing Transmission Network, PATN) is believed to consist of around 500 domains, DNS servers and other network infrastructure. One PATN technique is operating on high-numbered ports, which avoids the attention of standard port scans limited to well-known ports. For each injection attempt, PATN generates unique subdomains and URLs that are never reused, which makes them hard to find.
As for the interaction between NSO servers and customers, according to the security researcher Juan Andrés Guerrero-Saade, the system is installed on the customer's servers, after which an operator only needs to enter the victim's phone number to initiate an attack. The number is then checked and a one-time mechanism for delivering the exploit to the victim's device is generated. Presumably each customer gets access to "some non-overlapping segment of the NSO infrastructure" (primarily a set of phishing domains; domains can be registered either by NSO representatives themselves or by the operator on the customer's side).
From the available data it is impossible to establish whether NSO has access to the list of victims (the company itself denies this).
According to Citizen Lab, there were three iterations of the NSO Group infrastructure:
- Version 1 - identified from historical data;
- Version 2 - identified during the Stealth Falcon study; IP addresses partially overlap with Version 1; presumably deactivated by NSO Group after Citizen Lab's 2016 report;
- Version 3 - revealed in 2018; IP addresses and domain names partially overlap with Version 2.
How to protect yourself?
Against the link-based attacks described above, the main protection is not to click on suspicious links; against zero-click exploits such as FORCEDENTRY, the practical protection is to install OS updates promptly. It is also useful to make backups and enable two-factor authentication. In addition, you can read TechCrunch's instructions on how to check a device for Pegasus. This requires the Mobile Verification Toolkit (MVT) together with the indicators of compromise (IOCs) that Amnesty International publishes on GitHub.
On the other hand, if a person is not a political activist, journalist or similar target, Pegasus is unlikely to be used against them.
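To show what the MVT-style check does with Amnesty's indicators, here is an added example (not MVT's code and not Amnesty's real IOC file) that parses a STIX2 bundle of single-comparison indicators and matches it against backup artefacts. The bundle, the domain example-installer.test, the process name exampled, the address lure@example.test and all the Safari history, process and mail records are constructed placeholders. Domain matching deliberately covers subdomains, because, as described above, each injection attempt uses a fresh subdomain that an exact-match list would miss.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX2 bundle in the shape Amnesty's indicator files use: one comparison
# expression per indicator. Every domain, process and address here is a placeholder.
IOC_BUNDLE = """
{
  "type": "bundle",
  "id": "bundle--11111111-1111-4111-8111-111111111111",
  "objects": [
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000001",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'example-installer.test']"},
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000002",
     "pattern_type": "stix", "pattern": "[process:name = 'exampled']"},
    {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-000000000003",
     "pattern_type": "stix", "pattern": "[email-addr:value = 'lure@example.test']"},
    {"type": "malware", "id": "malware--11111111-1111-4111-8111-000000000004",
     "name": "Example spyware", "is_family": true}
  ]
}
"""

# Single-comparison STIX pattern: [object-type:property = 'value']
PATTERN_RE = re.compile(r"^\[(?P<otype>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$")


def load_iocs(bundle_json: str) -> dict:
    """Group indicator values by STIX object type, e.g. {'domain-name': {...}, 'process': {...}}."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj["pattern"])
        if not match:
            continue  # compound patterns (AND/OR) are out of scope for this example
        iocs.setdefault(match["otype"], set()).add(match["value"].lower())
    return iocs


def domain_matches(host: str, ioc_domains: set) -> bool:
    """True if host equals an IOC domain or is a subdomain of one; a bare TLD never matches."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels) - 1))


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


# Constructed artefacts in the shape of what a backup scan extracts: Safari history
# URLs, process names from the network-usage database, and mail senders.
SAFARI_HISTORY = [
    ("2021-07-18T10:02:11Z", "https://news.example.org/article/1"),
    ("2021-07-18T10:03:40Z", "https://x9f3k.example-installer.test/go"),
    ("2021-07-18T10:03:41Z", "https://notexample-installer.test/"),   # substring, not a subdomain
]
PROCESSES = [
    ("2021-07-18T10:03:52Z", "exampled"),
    ("2021-07-18T10:04:00Z", "mDNSResponder"),
]
MAIL_SENDERS = [
    ("2021-07-17T21:15:00Z", "friend@example.org"),
    ("2021-07-18T09:58:03Z", "Lure@example.test"),
]


def scan(iocs: dict, history=SAFARI_HISTORY, processes=PROCESSES, mail=MAIL_SENDERS) -> list:
    """Return (timestamp, source, value) for every artefact that matches an IOC, oldest first."""
    findings = []
    domains = iocs.get("domain-name", set())
    for ts, url in history:
        if domain_matches(host_of(url), domains):
            findings.append((ts, "safari_history", url))
    for ts, name in processes:
        if name.lower() in iocs.get("process", set()):
            findings.append((ts, "process", name))
    for ts, addr in mail:
        if addr.lower() in iocs.get("email-addr", set()):
            findings.append((ts, "mail_sender", addr))
    return sorted(findings)


if __name__ == "__main__":
    for ts, source, value in scan(load_iocs(IOC_BUNDLE)):
        print(f"{ts}  {source:15}  {value}")
```

Sorting the findings by timestamp gives the timeline an analyst actually wants: the lure mail, then the visit to the installer subdomain, then the suspicious process. On a real iOS backup the equivalent check is MVT's own documented invocation, `mvt-ios check-backup --iocs <stix2 file> --output <dir> <backup dir>`. A clean result with a given IOC list only shows the absence of known indicators, not the absence of an infection.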