21 December 2020

Dozens of Al Jazeera journalists allegedly hacked using zero-click iOS zero-day


Personal iPhones of at least 36 journalists, producers, anchors, and executives at Al Jazeera, as well as a journalist at London-based Al Araby TV were allegedly compromised using spyware called Pegasus sold by the Israeli private intelligence firm NSO Group.

The major espionage campaign against employees of one of the world’s leading media organizations was uncovered by researchers at Citizen Lab at the University of Toronto who said the cyber attack was most likely orchestrated by Saudi Arabia and the United Arab Emirates.

The campaign, which was active in July and August 2020, relied on a zero-click zero-day vulnerability in the iOS iMessage app, part of an exploit chain that Citizen Lab calls Kismet. Infrastructure used in the attacks included servers in Germany, France, the UK, and Italy hosted by the cloud providers Aruba, Choopa, CloudSigma, and DigitalOcean.

The investigation revealed that this tool was also deployed in campaigns launched between October and December 2019.

According to the report, the Kismet tool was sold to at least four entities, including two buyers in Saudi Arabia and the United Arab Emirates that Citizen Lab linked to two threat actors. One is called Monarchy (attributed to Saudi Arabia), and the other is Sneaky Kestrel, which is thought to have ties to the United Arab Emirates.

Citizen Lab said the malicious code it discovered left “almost all” iPhones running versions that pre-dated iOS 14 vulnerable. According to the researchers, Kismet does not appear to work against iOS 14 and above, suggesting that Apple has already fixed the issue.

“Given the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit,” the report said.

The researchers shared their findings with Apple, which in turn opened its own investigation into the matter.

NSO Group said it was not familiar with the allegations.

“As we have repeatedly stated we do not have access to any information with respect to the identities of individuals our system is used to conduct surveillance on. However, where we receive credible evidence of misuse, combined with the basic identifiers of the alleged targets and timeframes, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations,” a spokesperson for NSO Group said in a statement to the Guardian.
