Google details the commercial spyware Hermit, used in Kazakhstan and Italy, targeting Android and iOS; the iOS version has six exploits, including two zero-days
Saturday, June 25, 2022

Coverage:

Deeba Ahmed / HackRead : ISPs Helping Attackers Install Hermit Spyware on Smartphones - Google
Sergiu Gatlan / BleepingComputer : Spyware vendor works with ISPs to infect iOS and Android users
Efe Udin / Gizchina : Italian spyware hacks into iOS and Android smartphones
Pierluigi Paganini / Security Affairs : Google TAG argues that Italian surveillance firm RCS Labs was helped by ISPs to infect mobile users
Nehal Malik / iPhone in Canada Blog : Apple and Google Fix ‘Hermit’ Spyware Found on iPhone and Android Phones
Jonny Evans / Computerworld : The surveillance-as-a-service industry needs to be brought to heel
Sanjana Prakash / Tom's Guide : Italian spyware used to hack into iPhones and Android phones — are you at risk?
Joe Rice-Jones / KnowTechie : Google warns of new spyware threat to iOS and Android users
Jacob Siegal / BGR : Italian spyware used to hack iOS and Android phones
TechRadar : This Android malware is so dangerous, even Google is worried
Benoit Sevens / The Keyword : Spyware vendor targets users in Italy and Kazakhstan
Anusuya Lahiri / Benzinga : Google Finds Apple and Android Smartphones Falling Victims To Spyware Attacks In Italy, Kazakhstan
Daniel Petrov / PhoneArena : Google raises the alarm over Hermit hack that targets both iPhones and Android
Charlie Osborne / ZDNet : Google details commercial spyware that targets both Android and iOS devices
Zeba Siddiqui / Reuters : Apple and Android phones hacked by Italian spyware, Google says
Sumit Adhikari / Android Headlines : Spyware Made For “Lawful Interception” Used To Target Android, iOS Users
Shang Pemely / Huawei Central : Hermit spyware is dangerous for Android and iOS: Google
Leigh Mc Gowran / Silicon Republic : Google warns of Italian spyware Hermit targeting iOS and Android devices
Roman Loyola / Macworld : Italian spyware iPhone attack: Why you probably don't need to worry

Tweets:

@z3r0trust : “TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.” Google Warns of New Spyware Targeting iOS and Android Users https://www.wired.com/... via @wired

@rondeibert : Your weekly reminder that there are more spyware vendors active in the mercenary marketplace than just NSO: Apple and Android phones hacked by Italian spyware, @billyleonard of @Google says: https://www.reuters.com/...

Ian Beer / @i41nbeer : Excited to publish my writeup of a novel iOS in-the-wild exploit: The curious case of the fake Carrier .app: https://googleprojectzero.blogspot.com/ ...

Hector Martin / @marcan42 : TL;DR the DCP firmware interface design is insane, and none of this surprises me given what Apple did here. Thankfully, in exchange for having to deal with the AP side of the insanity from scratch, we also get to implement it properly from the get-go.

Hector Martin / @marcan42 : Apple intends for coprocessors not to be able to pwn the system and vice versa, so there are two, possibly three vulnerabilities here:
- The DCP vuln allowing the AP to take over
- The DCP driver vuln allowing DCP to take over
- Apple exposing DCP directly to userspace

Hector Martin / @marcan42 : The Project Zero blogpost is wrong about this detail. DCP only needs to access a few register blocks, for which it uses a terribly-designed API that lets it specify the physical memory address to map. We knew it was dumb, so we implemented an allowlist. Apparently Apple didn't. https://twitter.com/...

Hector Martin / @marcan42 : Ha, a DCP-based exploit that jumps from userspace to DCP and back to the kernel. Cute. Remember what I said about M1 coprocessors not being able to pwn the system? That's assuming your driver doesn't implement “sudo pwn the system” like Apple's does 😅. https://googleprojectzero.blogspot.com/ ...

Eva / @evacide : Even if NSO Group dies, it is part of a whole ecosystem of companies that make and sell spyware to governments. TAG's latest report highlights the work of Milan-based RCS Lab, which used to be a Hacking Team reseller. https://twitter.com/...

Alyssa Rosenzweig / @alyssarzg : I don't want to toot my own horn. All software has bugs. Both Linux and iOS have 0-days. But some software architectures eliminate entire classes of bugs, and maybe one of those classes is “userspace attacks a coprocessor and the coprocessor can pwn the kernel”.

John Scott-Railton / @jsrailton : NEW: meet Italian mercenary spyware vendor RCS Labs. Victims in: 🇮🇹Italy 🇰🇿Kazakhstan. One clever technique: cut victims data w/ISP complicity, then prompt them to load malicious app to ‘reconnect.’ 1/ By @benoitsevens & Clement Lecigne h/t @maddiestone https://blog.google/... https://twitter.com/...

Alyssa Rosenzweig / @alyssarzg : I did not expect to find myself linked from a Project Zero write-up. Fascinating read about a seriously weird iOS 0-day. https://googleprojectzero.blogspot.com/ ...

John Scott-Railton / @jsrailton : 2/ The inevitable question is “how does RCS Labs compare to...” Two datapoints:
- This isn't zero click, this is a bunch of clicks & requires some user convincing
- Look at these stale milk exploits...
Yet obviously...it still works well enough that folks are paying for it. https://twitter.com/...

Catalin Cimpanu / @campuscodi : Today, following on Lookout's report last week, Google TAG has published its own insight on the activities of Italian spyware vendor RCS Lab https://blog.google/... https://twitter.com/...

Catalin Cimpanu / @campuscodi : The Project Zero team also has a report on CVE-2021-30983, a novel iOS zero-day exploit abused by the company's tools (which also included tons of other exploits, see image) https://googleprojectzero.blogspot.com/ ... https://twitter.com/...

John Scott-Railton / @jsrailton : 4/ There is also an abuse scandal involving RCS Labs, within 🇮🇹Italy. Yet another reminder that the 🇪🇺EU has a festering mercenary spyware problem. https://twitter.com/...

John Scott-Railton / @jsrailton : 3/ @Lookout recently published a detailed investigation into RCS Lab, which has been a reseller for Hacking Team. Lookout does a nice job of highlighting the sketchy regimes they deal with. Recommended read: https://www.lookout.com/... https://twitter.com/...

Zack Whittaker / @zackwhittaker : Google said Hermit's iOS spyware app used a zero-day flaw which was known at the time of discovery to be actively exploited. Hermit used Apple enterprise developer certificates to bypass the App Store, which Apple says it has now revoked. https://techcrunch.com/...

Ryan Naraine / @ryanaraine : “A memory-corruption-based privilege escalation that side-stepped kernel mitigations by corrupting memory on a co-processor instead...” GPZ research https://googleprojectzero.blogspot.com/ ...

Zack Whittaker / @zackwhittaker : This follows Lookout's research into Hermit (https://t.co/...) which first attributed the spyware to RCS Lab. Google now has more details on the iOS version of the spyware, which abuses enterprise certificates to sideload outside of the app store. https://blog.google/...

Kaylin Trychon / @kaylintrychon : Love me a little @Google Project Zero & TAG collabo.. New research out today about Italian spyware vendor, RCS Labs, capabilities and targeting of users in Italy & Kazakhstan. https://blog.google/...

Patrick Howell O'Neill / @howelloneill : “We assess, based on the extensive body of research and analysis by TAG and Project Zero, that the commercial spyware industry is thriving and growing at a significant rate.” https://blog.google/...

Tim Willis / @itswillis : Nice to see a “short” 25-pager from @i41nbeer on a novel iOS exploit found in the wild. While both @Lookout and Google TAG weren't able to capture the exploits used for the Android version, a reminder that if you've found Android in the wild 0-day, we'd love to write about it! https://twitter.com/...

Ian Beer / @i41nbeer : Check out Google's Threat Analysis Group's post which has more operational details: https://blog.google/...

Zack Whittaker / @zackwhittaker : New: Google is notifying Android users whose devices have been compromised by Hermit, a government-grade spyware used against victims in Italy and Kazakhstan. https://techcrunch.com/...