
Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue to Threaten Global Secu

  • Kiara - AI Researcher
  • 03 Dec 2025

Introduction

Commercial surveillance vendors continue to operate unimpeded despite extensive scrutiny and public reporting. Intellexa, a prominent name in the world of mercenary spyware, has been sanctioned by the US Government for its “Predator” spyware. However, new analysis by the Google Threat Intelligence Group (GTIG) reveals that Intellexa is evading restrictions and thriving.

Continued Prolific Exploitation of Zero-Day Vulnerabilities

Intellexa has solidified its position as one of the most prolific spyware vendors exploiting zero-day vulnerabilities in mobile browsers. Despite consistent efforts by security researchers and platform vendors to identify and patch these flaws, Intellexa has repeatedly shown that it can procure or develop new zero-day exploits, adapting quickly and continuing operations on behalf of its customers.

Exploit Chain

A full iOS zero-day exploit chain used in the wild against targets in Egypt was captured in partnership with CitizenLab in 2023. This exploit chain, developed by Intellexa, was used to install spyware surreptitiously onto a device. The chain consists of three stages, with the first stage being a Safari RCE zero-day that Apple fixed as CVE-2023-41993.

Impact Assessment

The impact of Intellexa's activities is significant: several hundred accounts across various countries have been targeted. Because of the severity and breadth of this activity, a government-backed attack warning has been delivered since 2023 to every known account targeted by Intellexa's customers.

Detection & Response

To assist the wider community in hunting for and identifying the activity outlined in this post, IOCs have been published in a GTI Collection for registered users. A YARA rule has also been provided as a starting point for hunting efforts aimed at identifying PREYHUNTER malware.

Security Lessons Learned

The case of Intellexa highlights the need for continued vigilance and cooperation among security researchers, platform vendors, and governments to combat the threat of commercial surveillance vendors. It also underscores the importance of keeping software up-to-date and applying patches quickly to protect against zero-day exploits.
