Friday, April 4, 2025

A newly unsealed court document reveals that NSO Group exploited a second WhatsApp vulnerability just days after the company was hit with a lawsuit over its alleged use of a previously disclosed zero-day exploit.

Reports indicate that Israeli surveillance vendor NSO Group exploited multiple zero-day vulnerabilities, including a previously unknown exploit called “Erised,” to install Pegasus spyware on devices through zero-click attacks, even while facing legal action.

NSO Group’s Pegasus surveillance platform, marketed as a legitimate tool for governments worldwide, consists of a suite of software components with highly invasive capabilities for monitoring and controlling compromised devices, whose unsuspecting owners have little defence against it. NSO customers can track targets’ activity and harvest information through the Pegasus agent installed on the victims’ mobile devices.

According to Citizen Lab senior researcher John Scott-Railton, in the course of WhatsApp’s legal battle with Israeli NSO Group, NSO developed an exploit named ‘Heaven’ before April 2018 that relied on a custom WhatsApp client called the ‘WhatsApp Installation Server’ (or ‘WIS’), which could impersonate the official client to deploy Pegasus spyware agents onto targets’ devices from a third-party server under NSO’s control.

WhatsApp blocked NSO’s access to compromised devices and servers through security updates released in September and December 2018, rendering the Heaven exploit ineffective.

By early 2019, the spyware maker had reportedly developed an additional exploit, dubbed “Eden,” designed to circumvent the security measures WhatsApp implemented in 2018. In May 2019, WhatsApp detected that NSO Group’s Pegasus spyware had targeted approximately 1,400 devices, highlighting the ongoing threat posed by sophisticated malware like Eden.

NSO admitted that it created and marketed the spyware in question, acknowledging that its malware – specifically the zero-click installation vector known as ‘Eden’, part of a WhatsApp-based family collectively referred to as ‘Hummingbird’ (together, the ‘Malware Vectors’) – was responsible for the attacks.

Tamir Gazneli, NSO’s head of research and development, acknowledged that he and his team developed these exploits by extracting, decompiling and reverse-engineering WhatsApp’s code to create the WIS client. This client could be used to “send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state laws and the plain language of WhatsApp’s Terms of Service.”

Following the discovery of the attacks, WhatsApp promptly patched the Eden vulnerabilities and disabled NSO’s access to WhatsApp accounts. Although the Eden exploit was blocked in May 2019, court documents reveal that NSO subsequently developed another installation vector, dubbed ‘Erised’, which leveraged WhatsApp’s relay servers to deploy the Pegasus spyware.

Even after WhatsApp filed its lawsuit, NSO continued to serve its customers.

According to the newly filed court documents, NSO allegedly continued deploying and offering Erised to customers despite the October 2019 lawsuit, until subsequent WhatsApp updates blocked it some time after May 2020. NSO Group witnesses are said to have declined to comment on whether the company created further WhatsApp-based malware strains.

In a striking admission under oath, the spyware vendor conceded that it had used WhatsApp’s services to secretly install Pegasus surveillance software on “hundreds of thousands” of targeted devices. The company further acknowledged reverse-engineering WhatsApp to build this capability, providing “the expertise” to its customers and supplying them with the WhatsApp accounts needed to carry out the attacks.

According to the allegations, an operation was launched when a Pegasus customer entered a target’s phone number into a field in a program running on their computer, which triggered the remote deployment of Pegasus onto the target’s device.

The customer’s involvement in the process was minimal: entering the target’s number and selecting “Set Up.” The Pegasus system then handled installation and data extraction on its own, requiring no technical expertise or further action.

NSO also claims that its clients do not have access to the data obtained through Pegasus’ installation, which it says limits their role in surveillance operations.

NSO’s Pegasus spyware has reportedly been used to compromise the mobile phones of, among others, Jamal Khashoggi, Amal Clooney, and Jeff Bezos.

In November 2021, the United States government imposed sanctions on Israel-based NSO Group and its affiliates for supplying software allegedly used to surreptitiously surveil government officials, journalists, and human rights advocates. In early November 2021, reports emerged that Apple had inadvertently allowed attackers to infiltrate iOS devices and monitor users’ activities using the Pegasus spyware.

An NSO Group representative was not available for comment when contacted by BleepingComputer earlier today.
