Virus Bulletin 2018: Saudi Dissident Spyware Attack Belies Bigger Threat

A spyware attack on a Saudi dissident living in Canada made headlines this week, but Citizen Lab warns that simpler attacks are the real epidemic.

MONTREAL – This week, news broke that a well-known Saudi dissident has been targeted by the notorious Pegasus spyware – after he gained permanent citizen status in Canada. While this fits into pattern of ongoing attacks on “civil society” members (i.e., journalists, social justice activists, dissidents and human rights organizations), the larger pool of threats against this group comes from what Citizen Lab terms “forever-days” – run-of-the-mill malware and old exploits that have been hanging around for years.

In the latest campaign, Omar Abdulaziz, a Saudi activist and Montreal resident, was targeted and infected with NSO Group’s Pegasus spyware, according to Citizen Lab. The targeting occurred while Abdulaziz, who recently received asylum in Canada, was attending McGill University.

Citizen Lab’s Masashi Nishihata explained in a session at Virus Bulletin 2018 in Montreal this week that while performing a global mapping of NSO’s Pegasus infrastructure, the group identified a suspected Pegasus infection located in Quebec. It was carried out by what researchers “inferred to be a Saudi Arabia-based attacker,” he added.

Upon further analysis, the infection was seen using two different networks for internet connectivity: The risq academic network, which is specific to the French-Canadian province of Quebec, and Videotron, which is a large telecom provider in the region. Given that Abdulaziz is a student, Citizen Lab was able to match the infection’s communications pattern to his movements using time stamps and other information that the victim provided.

The attack was highly targeted and relied on a knowledge of Abdulaziz as a person. “It turns out that Omar ordered a large tub of whey protein,” Nishihata said. “Shortly thereafter, he received a text message with ‘shipping information.’ It seemed relevant, and there was no reason to distrust it. It wasn’t a confirmation though; it was the Pegasus spyware.”

The message in fact contained a link to a known Pegasus exploit domain.

“We examined the attack chain and they used a string of three different exploits to carry this out,” Nishihata noted.

That Abdulaziz was targeted isn’t surprising, Citizen Lab said in a breakdown of the attack, posted this week: “Abdulaziz has been outspoken on an ongoing diplomatic feud over human rights issues between Canada and Saudi Arabia,” researchers explained.

The problems started this summer when Canadian citizens who are also Saudi dissidents were arrested in Saudi Arabia in August, prompting concerns on the part of Prime Minister Justin Trudeau’s government. In the resulting escalation of tensions, Saudi Arabia has expelled the Canadian ambassador, is attempting to pull thousands of students and medical patients from Canada and has suspended Saudi state airline flights to Toronto.

Abdulaziz has been gaining some amount of notoriety for his activism, starting even before the feud. He regularly appears in Canadian media, and “Omar had amassed a significant following on YouTube,” said Citizen Lab’s John Scott Railton, speaking at Virus Bulletin 2018 in Montreal this week. “And he has been under pressure from the Saudi government to tone it down.”

Most recently, Abdulaziz, on a recent guest appearance on the Canadian Broadcasting Corporation (CBC)’s current affairs show, The Current, on August 10, said that Saudi authorities had entered his brother’s home in Saudi Arabia and “asked him to convince me [to] stop tweeting about what’s really going on between Canada and Saudi Arabia, or they’re going to send him to jail.”

Citizen Lab said that the situation is just the latest example of the misuse of commercial spyware – which it defines as products ostensibly made by legitimate companies for use by supposedly vetted governmental organizations to catch terrorists and criminals.

“In six years, we have observed four spyware companies (FinFisher, Hacking Team, Cyberbit and NSO Group) make similar claims: their products are used for catching terrorists and criminals; they undertake due diligence before selling their products to a customer; and they investigate allegations of misuse, taking remedial actions if warranted,” researchers noted in the posting. “[Yet] findings by Citizen Lab show that many governments and their intelligence services cannot resist abusing spyware… each company’s products have been abused in ways that caused measurable harm to human rights defenders, journalists, lawyers working on behalf of victims of crimes, or civic media (e.g. bloggers).”

Israel-based vendor NSO Group produces and sells the Pegasus mobile phone spyware suite; it contains a range of features that can be used to infect the user’s smartphone, track keystrokes, take control of the phone’s camera and microphone, and access contact lists.

It’s been on the international market for a while, and continues to morph: In 2016, Citizen Lab and Lookout found that Pegasus was being used to take control of Apple devices using three zero-day iOS vulnerabilities, collectively called Trident. This function (now patched) was then used to target the Emirati award-winning human rights defender Ahmed Mansoor, the firms found, who has been in prison in the United Arab Emirates since March 2017. In addition, former president Ricardo Martinelli stands accused by the government of Panama of having used Pegasus during his tenure between 2009 and 2014 to systematically spy on political opponents and journalists. More recently, Amnesty International was targeted by Pegasus; as were several Mexican dissidents. Recent research shows that use of the malware has spread to 45 different countries.

The civil-society set has seen an epidemic of digital threats as they rush to use internet platforms and social media to carry out their work. Some of these threats are sophisticated, and include zero-day exploits, custom kits and government-exclusive spyware like Pegasus, sold for millions of dollars.

However, Nishihata and fellow Citizen Lab researcher John Scott Railton contended at Virus Bulletin 2018 that the majority of these threats don’t advance far beyond the minimum necessary technical sophistication to get the job done.

“Phishing and commodity off the shelf (COTS) malware, in other words, are the norm,” Railton explained in a session on “forever-days.” “These basic threats are successful, because they exploit human behavior, and are the original vulnerability.”

Regardless of the level of sophistication, these threats can lead to very real harm to individuals, organizations and social movements.

“The security community has a tendency to focus on the newest, most sophisticated and exotic threats,” the researcher said. “Phishing and remote access trojans (RATs) are ‘boring’. Yet boring threats can do far more harm, on a much larger scale.”

To put it in perspective, the researchers framed it in terms of public health models: Some of the biggest killers in the world are not exotic, high-profile diseases like Ebola, but are actually much more common and mundane illnesses, like malaria and intestinal ailments.

The rate of attack for this segment is comparable to other attacked segments, hovering around 20-ish percent of the focus for groups like APT 28, according to Nishihata and Railton. “However, these are much, much softer targets,” Railton said – adding that between 40 percent and 60 percent of civil-society workers in testing are tricked by spear-phishing emails.

Nishihata added, “there’s an inherent asymmetry in information security: It’s cheap to connect, but expensive to secure. In practical terms, for NGO groups, you’re running your ultimate BYOD environment, and they have very limited staff with a mix of technical skills and poor documentation of the systems they’re using. There’s likely no real IT staff.”

Going back to the context of public health, “preventable and curable issues can become catastrophic without infrastructure to prevent it,” Nishihata said. “Zero-days are the Ebola; RATs and ‘old-day’ exploits are old, crusty and boring – and preventable; they’re the tuberculosis of security. But they’re delivering, and honestly, if you’re a threat actor, why would you burn a zero-day if you don’t need to?”

That said, despite many of the threat groups having what Railton calls a bottom-of-the-barrel, “my cousin knows computers” level of sophistication, one thing they’ve gotten very good at is making lures believable for phishing emails.

For example, in one campaign using a “check out this news” type of lure, if a target clicked on a link in an email, he or she would be redirected to a phishing page for Dropbox or Google Drive that pre-populated the victim’s name and looked identical to the real log-in page.

“Once you put in your credentials, you’re redirected to benign content – the original content that was promised, so you wouldn’t know you’ve been attacked,” explained Nishihata. “In all, the campaign used 58 decoy documents and 11 targeting themes and was active for 19 months and it was very, very successful. We estimated the total cost of the attack to be little over $1000.”

Between having a target population that’s more susceptible than most, and the fact that these types of threats present a minimal barrier of entry and require a low level of technical sophistication, these attacks are becoming more and more common.

“It levels the playing field for digital espionage so everyone can do it, and believe me, everyone is,” Nishihata said.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.