OP 2 hours ago
Israeli surveillance firm NSO Group reportedly used multiple zero-day exploits, including an unknown one named "Erised," that leveraged WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks, even after getting sued.
Pegasus is NSO Group's spyware platform (marketed as surveillance software for governments worldwide), with multiple software components that provide customers with extensive surveillance capabilities over victims' compromised devices. For instance, NSO customers could monitor the victims' activity and extract information using the Pegasus agent installed on the victims' mobile phones.
According to court documents filed on Thursday (first spotted by Citizen Lab senior researcher John Scott Railton) as part of WhatsApp’s legal battle with the Israeli NSO Group, the spyware maker developed an exploit named ‘Heaven’ before April 2018 that used a custom WhatsApp client known as the ‘WhatsApp Installation Server’ (or ‘WIS’) capable of impersonating the official client to deploy the Pegasus spyware agent on targets' devices from a third-party server under NSO’s control.
However, WhatsApp blocked NSO's access to infected devices and its servers with security updates issued in September and December 2018, preventing the Heaven exploit from working.
By February 2019, the spyware maker allegedly developed another exploit known as 'Eden' to bypass WhatsApp's protections implemented in 2018. As WhatsApp found in May 2019, Eden was used by NSO customers in attacks against approximately 1,400 devices.
"As a threshold matter, NSO admits that it developed and sold the spyware described in the Complaint, and that NSO's spyware—specifically its zero-click installation vector called 'Eden,' which was part of a family of WhatsApp-based vectors known collectively as 'Hummingbird' (collectively, the 'Malware Vectors')—was responsible for the attacks," the court documents reveal.
Tamir Gazneli, NSO's head of research and development, and the "defendants have admitted that they developed those exploits by extracting and decompiling WhatsApp's code, reverse-engineering WhatsApp" to create the WIS client that could be used to "send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp's Terms of Service."
After detecting the attacks, WhatsApp patched the Eden vulnerabilities and disabled NSO's WhatsApp accounts. However, even after the Eden exploit was blocked in May 2019, the court documents say that NSO admitted that it developed yet another installation vector (named 'Erised') that used WhatsApp's relay servers to install Pegasus spyware.
WhatsApp users targeted even after lawsuit was filed
The new court documents say that NSO continued to use and make Erised available to customers even after the lawsuit was filed in October 2019, until additional WhatsApp changes blocked its access sometime after May 2020. NSO witnesses allegedly refused to answer whether the spyware maker developed further WhatsApp-based malware vectors.
They also revealed the spyware vendor acknowledged in court that its Pegasus spyware exploited WhatsApp's service to install its surveillance software agent on "between hundreds and tens of thousands" of target devices. It also admitted reverse-engineering WhatsApp to develop that capability, installing "the technology" for its clients and supplying them with the WhatsApp accounts they needed to use in the attacks.v
The spyware installation process was allegedly initiated when a Pegasus customer entered a target's mobile phone number into a field on a program running on their laptop, which triggered the deployment of Pegasus onto the targets' devices remotely.
Thus, its clients' involvement in the operation was limited as they only had to input the target number and select "Install." The spyware installation and data extraction were handled entirely by NSO's Pegasus system, requiring no technical knowledge or further action from clients.
However, NSO continues to state they are not responsible for their customers' actions or have no access to the data retrieved during the installation of the Pegasus spyware, limiting their role in surveillance operations.
"NSO stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system," Gil Lainer, NSO Group's VP for Global Communications, told BleepingComputer when asked for a statement.
"We are confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so."
Among other targets, NSO's Pegasus spyware was used to hack into the phones of Catalan politicians, journalists, and activists, United Kingdom government officials, Finnish diplomats, and U.S. Department of State employees.
In November 2021, the United States sanctioned NSO Group and Candiru for supplying software used to spy on government officials, journalists, and activists. In early November 2021, Apple also filed a lawsuit against NSO for hacking into Apple customers' iOS devices and spying on them using Pegasus spyware.
Update: Added NSO Group statement.