Pierluigi Paganini
October 30, 2019
In May, Facebook has patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that has been exploited to remotely install spyware on phones by calling the targeted device.
WhatsApp did not name the threat actor exploiting the CVE-2019-3568, it described the attackers as an “advanced cyber actor” that targeted “a select number of users.”
“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.” reads the description provided by Facebook.
The WhatsApp zero-day vulnerability is a buffer overflow issue that affects the WhatsApp VOIP stack. The flaw could be exploited by a remote attacker to execute arbitrary code by sending specially crafted SRTCP packets to the targeted mobile device.
At the time, The Financial Times reported that the WhatsApp zero-day has been exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.
The surveillance software developed by NSO Group was used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenals, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android).
In September 2018, a report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.
In November 2019, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.
In October 2019, NSO Group ‘s surveillance spyware made the headlines again, this time the malware was used to spy on 2 rights activists in Morocco according to Amnesty International.
“NSO Group claims they responsibly serve governments, but we found more than 100 human rights defenders and journalists targeted in an attack last May. This abuse must be stopped,” Cathcart said on Twitter.
The lawsuit filed by WhatsApp in U.S. District Court in San Francisco sees Facebook accusing NSO Group to have violated WhatsApp’s terms of services by abusing its servers to spread the surveillance malware.
According to the lawsuit, the NSO Group has approximately infected 1,400 mobile devices between April and May 2019.
“Between in and around April 2019 and May 2019, Defendants used WhatsApp servers
According to the document, at least 100 members of civil society were targeted with the spyware.
“Working with research experts at the Citizen Lab, we believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward.” reads a post published by WhatsApp. “This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones,” Facebook-owned WhatsApp said in a blog post.
The attackers created WhatsApp accounts to send bait messages to target devices. The attackers created the accounts using telephone numbers registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands.
“We sent a special WhatsApp message to approximately 1,400 users that we have reason to believe were impacted by this attack to directly inform them about what happened.” continues the post.
The complaint filed by WhatsApp in U.S.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – WhatsApp, NSO Group)
[adrotate banner=”5″]
[adrotate banner=”13″]
Pierluigi Paganini
September 28, 2023
