{"uuid": "c5a1468a-d064-479b-a1d2-a73b1f9672e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-38000", "type": "published-proof-of-concept", "source": "https://t.me/technical_private_cat/378", "content": "What is this spyware for anyway? \ud83e\uddf2\n\nAs we understand it, it is for surveillance.\nBut who needs to be spied on, and by whom?\n\nFirst of all, the government. It needs to spy on criminals or terrorists.\nBut besides that, it can use the spyware for other purposes and spy on any politically or otherwise significant civilians with no criminal activity.\nThis software can also be used for military purposes. In addition to governments, private companies can also use these tools to spy on competitors and the like.\nWhile some governments may produce their own tools for targeted digital surveillance, many states buy the sophisticated technology for such surveillance from private companies.\nOf course, such tools may also be useful to some advanced attackers, for example to spy on and subsequently hack into companies or individuals.\nUnfortunately, in many cases surveillance software is used not for its intended purpose (catching criminals) but to violate the privacy of ordinary people.\nNevertheless, spyware can be very useful in preventing many crimes.\n\u2728\n\nNow let's look at the tools and the exploits.\n\nThe first thing we want to talk about is the FORCEDENTRY exploit \ud83c\udf4f\n\nWhen analyzing a phone infected with Pegasus, we discovered a zero-click zero-day exploit for iMessage. The exploit, called FORCEDENTRY, targeted Apple's image rendering library and was effective against Apple iOS, macOS and watchOS devices.\nThe payload included 27 identical copies of a .gif file, \"which was actually a 748-byte Adobe PSD file,\" with each copy causing IMTranscoderAgent to fail on the device.\nIt also included four different .gif files that were actually \"Adobe PDF files containing a JBIG2 encoded stream.\"\nThis vulnerability has been assigned the identifier CVE-2021-30860.\nIt targets Apple's image rendering library, CoreGraphics, and does not require user intervention after opening a text message.\nApple has released a patch for this vulnerability: iPhone and iPad users should update to iOS 14.8 and iPadOS 14.8.\n\nHere's a scanner, by the way, to check if this vulnerability is on your device.\nAlso, here is an article explaining the details of this vulnerability; a report about it and its discovery will be in the archive, and here is a detailed article about it.\n\nI also want to tell you about an interesting spyware, Predator, from Cytrox \ud83e\uddf2\n\nCytrox itself was founded in 2017 as a provider to governments of an \"operational cyber solution\" that involves collecting information from devices and cloud services.\n\nPitchbook describes their technology as \"cyber intelligence systems designed to keep governments safe\" that help them \"develop, manage and implement cyber intelligence collection across the network, allowing enterprises to collect intelligence from both endpoint devices and cloud services.\"\n\nPredator is developed by Cytrox and has been sold to the governments of several countries, including Armenia, Greece, etc.\nHowever, the perpetrators of the spyware attacks during 2021 are unknown.\nThe aim of the campaigns was to gain access to the Android devices of specific targets.\nIn all cases, a link sent via email was used, mimicking a URL shortening service. When an unsuspecting victim clicked on the link, the browser connected to a domain controlled by the cybercriminals, from which the malware was downloaded, and which then displayed a legitimate site.\n\nWe are talking about the Alien malware, which downloads Predator, an espionage tool. The latter can perform various actions, including recording sound, adding certificates and hiding applications.\nIn August 2021, a zero-day vulnerability in Chrome, CVE-2021-38000, was used to load a domain address into the Samsung browser without user input. Then the Chrome zero-day vulnerabilities CVE-2021-37973 and CVE-2021-37976 were used to bypass the browser sandbox and download the spyware onto the smartphone \ud83e\ude78.\n\n#spyware #browsers #cve #exploit", "creation_timestamp": "2022-12-15T10:04:56.000000Z"}