Seems random developers were targeted as well as European Parliament members (and more):
> Jordi Baylina is the technology lead at Polygon, a popular decentralised Ethereum scaling platform. He is also an advisor on projects related to digital voting and decentralisation, and has built a widely-used privacy toolkit. He was extensively targeted with Pegasus, receiving at least 26 infection attempts. Ultimately, he was infected at least eight times between October 2019 and July 2020.
> Baylina received a text message masquerading as a boarding pass link for a Swiss International Air Lines flight he had purchased. Targeting in this case indicates that the Pegasus operator may have had access to Baylina’s Passenger Name Record (PNR) or other information collected from the carrier.
Scary stuff: not only can random text messages infect you (we knew this), but combined with harvesting other data (like PNR), they can time exploit messages to coincide with other actions you take (like buying a flight ticket) and get you that way.
I was scared of receiving random text messages already, but it's easy to just ignore them as they have nothing to do with me. But if I buy a flight ticket and receive a text message that looks relevant to me, I'm not sure I'd be able to guess it was actually malicious. Scary stuff.
Edit: The more I read, the worse it gets:
> Another common mode of targeting was to masquerade as official notifications from Spanish government entities, including the Tax and Social Security authorities. The messages also used SMS Sender IDs to masquerade as official agency accounts.
> Notably, fake official messages were sometimes highly personalized. For example, a message sent to Jordi Baylina included a portion of his actual official tax identification number, suggesting that the Pegasus operator had access to this information.
It seems clear at this point that either the official Spanish government was behind these attacks, or the official registries got hacked (together with various delivery companies). Both are bad, but the fact that the signs point to the former makes it even worse.
It seems that the Spanish government can't help but give more fuel to the fire that is the fight for Catalan independence. Who'd want to belong to a state that constantly suppresses and surveils you?
> It seems clear at this point that either the official Spanish government was behind these attacks, or the official registries got hacked (together with various delivery companies). Both are bad, but the fact that the signs point to the former makes it even worse.
I'm not arguing against your claim either way, but the SMS sender can be set to anything; it's a feature the system needs in order to work. The "DNI" (Spanish identification number) can't be considered private information and isn't difficult to find.
Candiru is the name of an Amazonian species of fish with a history of anecdotes about entering the human urethra, sometimes requiring amputation of the genitals.
CEOs, executives, members of parliament, journalists, researchers at industrial labs, those working in defense/military, etc. are at elevated risk of being hacked by governments and hacking companies such as NSO.
I wonder how these people protect their digital assets?
Are there guidelines?
For example, if I am the Microsoft CEO, would it be okay if I used the closed-source iPhone from a competing company? Or perhaps these people use special hardened devices?
Because even Apple's CEO uses an iPhone, and Pegasus apparently could hack any iPhone with zero clicks. So what prevents acquisition of highly valuable inside information by NSO or its customers (sensitive data about the company, iOS source code, implanting malware by infecting Apple engineers for the next exploit, etc.)?
> So what prevents acquisition of highly valuable inside information by NSO or its customers
Given the Bezos hack two years ago I think the answer to that question is actually, very little. Cisco and Blackberry for example used to provide hardened phones for executives but with the prominence of modern smartphones it seems like even CEOs of large companies are increasingly on insecure hardware.
This seems like a good time to remember when an (apparently solo) Spanish-speaking hacker completely owned the network of Hacking Team (an Italian company that sells spyware to governments and that was mentioned/used in this post/attack) and then detailed all the steps in what is still a really fascinating read. [0]
The sysadmin's password was, wait for it... P4ssword
I reverse engineered a sketchy link I got in an SMS. I opened up Tor Browser Bundle (with JS disabled), then went to a URL 'un-shortener' service[0]. Furthermore, I saw an interstitial page with a JavaScript payload in it, and it was all obfuscated and obviously coded to hide what it was doing.
I could have gone further and unpacked the code, beautifying it to see what 0 day it was leveraging, but I didn't proceed further. Obviously, this was designed to take over my device. Luckily, my default browser on my phone is Firefox with JavaScript turned off, so it wouldn't have been able to execute if I did click on the link.
JavaScript is absolutely not the only way these payloads can infect your device, so I wouldn't consider that particularly safe.
Also, if you aren't on a phone or similar, you can just use curl to expand shortened URLs. Tell it to follow redirects (-L) and print headers (-I), and use the last "location: " header it spits out. e.g.,
curl -fsSLI https://t.co/blahblah | sed -n 's/^[Ll]ocation: //p' | tr -d '\r'
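A hop-by-hop variant of that curl trick, added here as an example (not code from the thread): each hop is its own HEAD request so any interstitial redirect pages show up in the output, the Location header is matched whether the server sends "Location:" or the lowercase HTTP/2 form, and a relative Location is resolved against the previous hop. It assumes curl is installed; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: expand a short link hop by hop with HEAD
# requests (no cookies, no JavaScript) and print every hop, so interstitial
# redirect pages in the chain are visible, not just the final destination.
# Assumes curl is installed; the header parsing needs only sed/tr/head.

# Print the value of the first Location header in an HTTP response header block
# read from stdin. Matches "Location:" (HTTP/1.1) and "location:" (HTTP/2) and
# strips the trailing CR that curl leaves on each header line.
location_of() {
  sed -n 's/^[Ll]ocation:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Print the 3-digit status code from the status line ("HTTP/2 301", "HTTP/1.1 302 Found").
status_of() {
  sed -n 's/^HTTP\/[0-9.]*[[:space:]]\{1,\}\([0-9]\{3\}\).*/\1/p' | head -n 1
}

# Resolve a Location value against the URL that produced it: absolute URL,
# scheme-relative (//host/...), absolute path (/...), or a path relative to the
# base URL's last path segment (the base is assumed to contain a path).
resolve() {
  local base="$1" loc="$2" origin
  case "$loc" in
    http://*|https://*) printf '%s\n' "$loc" ;;
    //*) printf '%s:%s\n' "${base%%:*}" "$loc" ;;
    /*)  origin=$(printf '%s\n' "$base" | sed -n 's#^\(https\{0,1\}://[^/]*\).*#\1#p')
         printf '%s%s\n' "$origin" "$loc" ;;
    *)   printf '%s/%s\n' "${base%/*}" "$loc" ;;
  esac
}

# Follow at most $2 (default 10) redirects from $1, one HEAD request per hop.
# Output: one "status url" line per hop; the last line is where the chain ends.
expand_url() {
  local url="$1" max="${2:-10}" hdrs status loc
  while [ "$max" -gt 0 ]; do
    hdrs=$(curl -sSI --max-time 10 "$url") || return 1
    status=$(printf '%s\n' "$hdrs" | status_of)
    printf '%s %s\n' "$status" "$url"
    case "$status" in 301|302|303|307|308) ;; *) return 0 ;; esac
    loc=$(printf '%s\n' "$hdrs" | location_of)
    [ -n "$loc" ] || return 0          # redirect status without a Location: stop
    url=$(resolve "$url" "$loc")
    max=$((max - 1))
  done
  echo "hop limit reached, chain may be a redirect loop" >&2
  return 2
}

# Usage: expand_url "https://t.co/blahblah"
```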
I see something very positive in this news - it looks like Apple and other companies have successfully blocked most if not all of Pegasus' 0-click exploits
The truly scary part of this world is not even being sent an SMS or clicking a dangerous link; for a while people were getting infected without ever clicking anything.
To me the most interesting leak/investigation that could come out of NSO is what happens once a 0-day is patched: is there downtime? Do customers need to wait for a software update? Is there automatic rotation of exploits?
I wondered about how they manage their exploits too. Presumably they are constantly developing new exploits. I would guess that if they have a live 0-click that is working reliably they sit on the others until the current exploit is no longer effective. I doubt NSO considers their customers fully trustworthy. So they probably check every prerelease of iOS and Android for patches and ship the next exploit to customers only when a current exploit is being patched.
> To me the most interesting leak/investigation that could come out of NSO is what happens once a 0-day is patched: is there downtime? Do customers need to wait for a software update? Is there automatic rotation of exploits?
I'd have to think NSO Group has the finances to bank at least a few 0-click zero-days. It seems that the price of such vulnerabilities is increasing, however. Zerodium, a large zero-day broker, is paying up to 2.5 million USD for 0-click Android and 2 million USD for iOS: https://zerodium.com/program.html
All these spyware incidents by nation states prove one thing: how fickle the so-called rule of law is in much of Western democracy. In fact, the West has increasingly become a de facto kleptocracy, with the media and nation-state security apparatus actively seeking ways to maintain and grow the power of the national elites, leaving them unchecked.
I mean, this was all happening before too, we just had less visibility into it.
If you think that the governments of 'western democracies' weren't spying on their own citizens or going against their own laws - even in collaboration with private interests - before the advent of the Internet and spyware/malware, I've got bad news for you.
Where's that quote about how Spain always seems to be close to collapse, but still somehow keeps going? For a variety of reasons I am often surprised that Spain hasn't turned into a Swiss-style federation, at the very least (i.e. with the federal government being almost powerless). Madrid seems to be the only area that actually wants (or wanted) the state to be as it is.
Spaniard here; I don't believe a federation-like arrangement would work here. Historically, the more independence/leeway that has been given to Catalonia, the more it has snowballed into separatism (e.g. when allowed to have somewhat different media, education, etc., that was turned to teaching the younger generations that Catalonia is a different culture not belonging to Spain, which in turn ...).
TBH I do not know what the solution is here. I'd like to see a unified country, but I can see how both the left and right political parties are destroying it (one with lies/indoctrination, the other with oppression/treating them like they are still a 3rd party), and it makes me sad. When visiting Barcelona, Spanish is often the 3rd language, after Catalan (for Catalonians and the rest of Spain) and English (for tourists).
Edit: look at the numbers; it's scary how in a single generation a whole region has gone from 90%+ wanting to be united to 50%+ wanting independence, especially during a "peace" era:
I was very surprised how little education there is amongst Spaniards about the Franco era, and how this plays a significant role in the Catalonian independence desires. Also how little processing of the Franco regime there was (compared to Germany); I mean, the last Franco statue was removed only last year.
I really never got the Catalonia crisis, especially around 2017 and 2018. A region of approx. 8 million Catalonians who see themselves as Catalonians first and Spanish second, with their own distinct history, vote with over 80% for their independence from Spain. People representing the interests of Catalonians go to the Spanish parliament and explain their goal of independence.
And then stuff happens that I have only read about bad China and bad Russia. Those political leaders are arrested. Police are sent in to stop the protests. Protests are suddenly called "the rebellion", people are arrested, the representatives of the independence movement have to flee Spain. Later it comes out that the police were seizing ballot boxes during the election.
Spain then acts hard on the region, holding a gun to the head of many businesses located in the Catalonian region so they have to move out of there.
So much more bad stuff has happened around that.
I am just wondering: where is the outcry? I cannot stop seeing the parallels to other conflicts around the world, very hot conflicts.
Check out The Silence of Others (2018) on Netflix, produced by Almodovar for more background on the Franco atrocities and how it still is echoing today.
im3w1l|3 years ago
There is a third alternative. An insider leaked it.
[0] https://pastebin.com/kHUzWWm9
[0] https://urlex.org/
https://en.wikipedia.org/wiki/Catalan_independence_movement#...
inglor_cz|3 years ago
Source: https://quotepark.com/quotes/1886698-otto-von-bismarck-i-am-...
pluc|3 years ago
https://twitter.com/citizenlab/status/1516016174559121409