CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS2: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.
Google Threat Analysis Group (TAG) researchers Benoit Sevens and Clement Lecigne revealed details in a blog post Thursday about campaigns that send targets a unique link to fake apps impersonating legitimate ones, in an attempt to get them to download and install the spyware. None of the fake apps were found on either Apple's or Google's respective mobile app stores, however, they said.
"We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android," a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.
All campaigns that TAG observed originated with a unique link sent to the target that then tries to lure users into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.
"The page, in Italian, asks the user to install one of these applications in order to recover their account," with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.
One lure employed by threat actors is to work with the target's ISP to disable his or her mobile data connectivity, and then send a link to what masquerades as a carrier application, to get the target to install a malicious app that purports to recover connectivity, they said.
In a separate blog post, Ian Beer of Google Project Zero outlined a case in which researchers discovered what appeared to be an iOS app from Vodafone but was in fact a fake app. Attackers send a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.
"The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app," Beer wrote.
Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.
In other cases, when they can't work directly with ISPs, threat actors use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.
While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.
They also released details of the host of vulnerabilities (two of which were zero-day bugs when Google Project Zero initially identified them) that attackers exploit in their campaign. In fact, Beer's post is a technical analysis of one of the bugs: CVE-2021-30983, internally referred to as Clicked3 and fixed by Apple in December 2021.
To distribute the iOS application, attackers simply followed Apple's instructions on how to distribute proprietary in-house apps to Apple devices: they used the itms-services protocol with a manifest file that names com.ios.Carrier as the bundle identifier, researchers outlined.
The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, which makes the certificate appear legitimate to iOS devices, they said.
The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper which is used by six different exploits for previously identified bugs. In addition to Clicked3, the other bugs exploited are:
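A defender reviewing mail or SMS gateway logs, web-proxy captures or MDM records can inspect an itms-services link and the manifest it points to for the indicators the two paragraphs above describe: a bundle identifier such as com.ios.Carrier that belongs to nobody in the organisation, and a package hosted outside the organisation's own domains. The Python below is an added example, not Google TAG's, Apple's or RCS Labs' code. The link, the manifest, the hostnames and the allow-lists are constructed placeholders (the bundle identifier is the one named on the page), and the rule that flags identifiers in an Apple-looking namespace is a heuristic assumption.

```python
"""Triage an itms-services enterprise-distribution link and its manifest
(added example, not from the article or from Google TAG)."""
import plistlib
from urllib.parse import urlparse, parse_qs

# Constructed sample link of the kind an SMS lure would carry; host is a placeholder.
SAMPLE_LINK = ("itms-services://?action=download-manifest"
               "&url=https://example-carrier-fix.invalid/manifest.plist")

# Constructed manifest in the plist layout Apple's in-house distribution uses.
# The bundle identifier com.ios.Carrier is the one the page reports.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://example-carrier-fix.invalid/Carrier.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.ios.Carrier</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Carrier</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed allow-lists: the organisation's own in-house apps and hosting domains (placeholders).
APPROVED_BUNDLE_IDS = {"com.example-corp.fieldapp"}
APPROVED_HOSTS = {"apps.example-corp.invalid"}

# Heuristic assumption: third-party enterprise apps should not sit in an Apple-looking namespace.
IMITATED_NAMESPACES = ("com.ios.", "com.apple.")


def manifest_url_from_link(link):
    """Return the manifest URL embedded in an itms-services:// link, or None if
    the link is not an enterprise-distribution link at all."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    params = parse_qs(parsed.query)
    if params.get("action") != ["download-manifest"]:
        return None
    return params.get("url", [None])[0]


def inspect_manifest(manifest_bytes, approved_ids=APPROVED_BUNDLE_IDS,
                     approved_hosts=APPROVED_HOSTS):
    """Parse a manifest plist and return one finding per app item, each with the
    list of reasons (if any) it should be escalated."""
    plist = plistlib.loads(manifest_bytes)
    findings = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        bundle_id = meta.get("bundle-identifier", "")
        reasons = []
        if bundle_id not in approved_ids:
            reasons.append(f"bundle id {bundle_id!r} not in approved list")
        if bundle_id.lower().startswith(IMITATED_NAMESPACES):
            reasons.append("bundle id imitates an Apple/system namespace")
        for asset in item.get("assets", []):
            host = urlparse(asset.get("url", "")).hostname or ""
            if host not in approved_hosts:
                reasons.append(f"package host {host!r} not in approved list")
        findings.append({"bundle_id": bundle_id, "title": meta.get("title", ""),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def build_manifest(bundle_id, ipa_url, title):
    """Build a minimal manifest plist, used to exercise the check on a benign app."""
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": ipa_url}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": "1.0",
                     "kind": "software", "title": title}}]})


if __name__ == "__main__":
    print("manifest:", manifest_url_from_link(SAMPLE_LINK))
    for finding in inspect_manifest(SAMPLE_MANIFEST):
        print(finding)
```

The manifest says nothing about who signed the package: confirming that an IPA carries an enterprise certificate such as the 3-1 Mobile SRL one the page mentions means unpacking the IPA and reading its embedded provisioning profile, which this example does not attempt. In practice the check above is a cheap first filter, and any in-house app whose identifier and host are both unknown to the organisation is worth that deeper look.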
All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.
The emergence of Hermit spyware shows how threat actors, often working as state-sponsored entities, are pivoting to new surveillance technologies and tactics following the blow-up over repressive regimes' use of Israel-based NSO Group's Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.
Indeed, while use of spyware like Hermit may be legal under national or international laws, "they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians," Google TAG researchers wrote.
The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.
In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which "should be concerning to all Internet users," researchers wrote.
"These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house," they said.
blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/
cpj.org/2021/07/pegasus-project-risk-corruption-reporters/
cve.mitre.org/cgi-bin/cvename.cgi?name=2018-4344
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8605
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3837
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9907
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30883
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30983
googleprojectzero.blogspot.com/
support.apple.com/en-us/HT212846
support.apple.com/en-us/HT212976
threatpost.com/apple-ios-updates-iphone-13-jailbreak-exploit/177051/
threatpost.com/pegasus-spyware-blacklisted-us/175999/
threatpost.com/protecting-phones-from-pegasus-like-spyware-attacks/167909/
www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus