One of the Apple iOS zero-day flaws exploited by the NSO group was also used by another surveillance firm named QuaDream.
One of the vulnerabilities in Apple iOS that was previously exploited by the spyware developed by the Israeli company NSO Group was also separately used by another surveillance firm named QuaDream.
Like NSO Group, QuaDream develops surveillance malware for government and intelligence agencies.
QuaDream was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik.
“A flaw in Apple’s software exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.” reads the article published by Reuters. “QuaDream, the sources said, is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.”
The interesting aspect of the news shared by Reuters is that both firms were weaponizing the iOS zero-day in the same period, according to the five sources.
The two companies were able to remotely compromise iPhone devices without any user interaction.
The two surveillance firms employed the zero-click iMessage exploit dubbed FORCEDENTRY (CVE-2021-30860). Apple addressed the flaw used by the ForcedEntry exploit in September 2021, rendering both NSO and QuaDream’s spyware ineffective.
In August 2021, researchers from Citizen Lab discovered the zero-click iMessage exploit that was used to deploy NSO Group’s Pegasus spyware on Bahraini activists’ devices.
The iPhones of nine activists, including members of the Bahrain Center for Human Rights, Waad, Al Wefaq, were infected with Pegasus spyware as part of a surveillance operation likely orchestrated by a threat actor tracked as LULU and attributed with high confidence to the government of Bahrain.
“We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.” reads the analysis published by citizen Lab.
“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day. With the consent of targets, we shared these crash logs and some additional phone logs relating o KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.”
Threat actors leveraged two zero-click iMessage exploits to infect the iPhones with spyware, respectively known as 2020 KISMET exploit and a new exploit dubbed FORCEDENTRY.
Citizen Lab researchers discovered that the FORCEDENTRY exploit is able to bypass the “BlastDoor” sandbox introduced eight months ago in iOS to block iMessage zero-click exploits.
The spyware developed by QuaDream is named REIGN, it has the same capabilities as the NSO Group’s Pegasus spyware, it allows operators to gain full control of the device.
“REIGN’s “Premium Collection” capabilities included the “real time call recordings”, “camera activation – front and back” and “microphone activation”” reads a brochure of the spyware.
An NSO spokeswoman sent a written statement to Reuter to clarify that the company “did not cooperate” with QuaDream but he pointed out that “the cyber intelligence industry continues to grow rapidly globally.”
Reuters also shared information about the prices of QuaDream’s services reported in a 2019 brochure. One QuaDream system allows to hack into 50 smartphones per year and is offered for $2.2 million, exclusive of maintenance costs.
“Several of QuaDream’s buyers have also overlapped with NSO’s, four of the sources said, including Saudi Arabia and Mexico – both of whom have been accused of misusing spy software to target political opponents.” concludes Reuters. “One of QuaDream’s first clients was the Singaporean government, two of the sources said, and documentation reviewed by Reuters shows the company’s surveillance technology was pitched to the Indonesian government as well. Reuters couldn’t determine if Indonesia became a client.”
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, QuaDream)