New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware

Cyber Security Threat Summary:
According to a joint investigation conducted by Citizen Lab and Google’s Threat Analysis Group, three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an exploit chain to deliver Predator spyware on the device of a former Egyptian member of parliament Ahmed Eltantawy. The exploit chain was delivered via a man-in-the-middle attack. Between August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection, where the attackers would wait for the government official to visit a website not using HTTPS. In the event that Eltantawy visited a site using HTTP, the attackers would use this opportunity to intercept the website traffic and redirect him to c.betly[.]me, a site operated by Intellexa, a European spyware manufacturer that was blacklisted by the U.S government in July 2023. This site would then further redirect Eltantaway to sec-flare[.]com, an exploit server used by the attackers. Once redirected to the server, this would initiate the execution of the iOS exploit chain encompassing the three vulnerabilities addressed by Apple:

  • CVE-2023-41993: Initial remote code execution (RCE) in Safari
  • CVE-2023-41991: PAC bypass
  • CVE-2023-41992: Local privilege escalation (LPE) in the XNU Kernel
“The chain then ran a small binary to decide whether or not to install the full Predator implant. However, TAG was unable to capture the full Predator implant,” noted researchers in a blog post.

Security Officer Comments:
The attacks have been attributed to the Egyptian government, given that it’s a known customer of the Predator spying tool. Furthermore, the targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections. According to researchers, Eltantawy was also targeted via several SMS messages in September 2021, May 2023, and September 2023. These messages masqueraded as security alerts from WhatsApp urging Eltantawy to click on a link to terminate a suspicious login session originating from a purported Windows device.

“Approximately 2 minutes and 30 seconds after Eltantawy read the 15 September 2021 message, the Predator spyware was installed on his phone. We suspect that he clicked the message’s link, triggering the installation. Since the 2023 messages contain similar bait content, we believe these messages were also attempts to install the Predator spyware on his phone,” stated researchers.

Suggested Correction(s):
CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 impact the following products:

  • iPhone 8 and later
  • iPad mini 5th generation and later
  • Macs running macOS Monterey and newer
  • Apple Watch Series 4 and later

  • They have been fixed in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and through improved checks. Users of these products should ensure that they are running on the latest versions and apply updates as needed.