We’ve all heard about nation-state surveillance programs and their capabilities throughout the world, but have you ever wondered how these programs were developed and the decisions that went into them? In this talk we will go through the very recent actions a particular nation state undertook in order to build up its offensive cyber capabilities for both desktop and mobile, including iOS and Android. With insights gleaned from exfiltrated content obtained during a recent investigation into one of its bespoke tools, we will look at the build vs. buy decisions that key individuals involved in this process went through: from the lawful intercept and exploit shops they communicated with, to their in-house development, and ultimately to what their resulting solution(s) were.
Behind Enemy Lines: Inside the operations of a nation state’s cyber program
1. Behind Enemy Lines: Inside the operations of a nation state’s cyber program
ShmooCon 2019, Washington, D.C., USA
2. New phone, who dis?
Andrew Blaich, Head of Device Intelligence @Lookout
Michael Flossman, Head of Threat Intelligence @Lookout
Discover, track, disrupt, and understand the context around targeted surveillanceware: Pegasus, ViperRAT, DarkCaracal, StealthMango, and many, many more.
3. Outsource Tooling? The Quest for a Cyber Surveillance Program
Diagram labels: adversary infrastructure, WhatsApp databases, $23 million government budget, surveillance tooling, internal development?
4. Agenda
• Surveillance Goals
• Vendor communications
• Rolling Your Own Surveillance Platform
• StoneFish and Barracuda
5. What goes through the mind of a nation state? Build or buy?
Same decisions as any other engineering organization:
• What is the budget?
• What are our resources?
• How much time do we have?
• What’s on the market?
• What do we want to achieve?
6. Building Your Cyber Surveillance Program
Capability matrix (diagram), grouped as intel-focused capabilities, exploits, and vectors:
• Record calls & surrounding audio
• Connected cell tower details
• Key logging
• Retrieve & push specified files
• Take photos & screencaps
• Call logs
• Text messages
• Email accounts
• Browser history
• Location tracking
• Contacts
• Messaging apps
7. Group Objectives
“In general, we are interested in infecting iOS and Android phones to extract correspondence from messaging apps.”
10. Zero Click iOS Compromise
Communication with FinFisher
Item: iOS 10 RCE, root, persistent, zero click
Tested against iOS versions: 10 beta, 10.0.x, 10.1.x, 10.2
Tested devices: iPhone 7, 6s, 6, 5s, 5c, 5; iPad Air, iPad 4
Attack vector & deployment:
- Victim must have iMessage and internet data enabled
- Malicious iMessage sent to target; arbitrary code executed as the mobile user, privileges escalated to root, persistence achieved after reboot.
- User does not need to click a link and does not even need to read the iMessage. This is a zero-click exploit: iMessage receipt is enough to compromise any phone.
11. Flash SMS Mobile Compromise
NSO Group
Item: Mobile Vulnerability
Description:
- The SMS service launches the default browser; the browser goes to the correct server, downloads and installs the Trojan, then closes.
Deployment recommendations:
- It is recommended to do it at night, because the browser itself opens for a few seconds.
12. Mobile 0-days Compromise
Estonian-based “Arity Business Inc”
Item: Android RCE Vulnerability
Description:
- Vulnerability in Mediaserver but not in libstagefright.
- Exploit could be delivered via MMS, browser content, or mail clients.
- Bypasses all implementations of ASLR.
- Doesn’t exploit any buffer overflows or rely on return to libc.
- Would provide root access to an APK agent delivered in tandem.
Tested on Android versions 4.4.4 – 7.1
Tested on devices from: HTC, Samsung, ASUS, Motorola, Xiaomi, LG, Sony, and Huawei.
- Exploitation time between 6 and 15 seconds depending on model.
Price: $90,000
13. Desktop 0-days Compromise
Estonian-based “Arity Business Inc”
Item: IE & Edge Sandbox Escape & RCE
Tested against Windows versions: 7, 8, 10, Server 2008, 2012 (x64, x86)
Attack vector & deployment:
- Target directed to a specially crafted webpage
- Privilege escalation and arbitrary code execution may take 3 – 10 seconds and cause the browser page to be unresponsive during that time frame
Price: $50,000
15. Desktop 0-days Compromise
Estonian-based “Arity Business Inc”
Item: Flash RCE Vulnerability
Description:
- Takes advantage of a vulnerability in ActionScript 3 (AS3)
- No visible indicators that the vulnerability was exploited
Tested on browsers: IE / Edge, Mozilla Firefox, Google Chrome, Opera (Windows & Linux)
Price: $65,000
17. Desktop 0-days Compromise
Estonian-based “Arity Business Inc”
Item: Exclusive access & guaranteed replacements
Description:
- Exclusive access == 40-day guarantee
- Secondary exploit guarantee of 30 days
- If the vuln is patched, guaranteed provision of an additional exploit from their arsenal* (exploit may be for a different product)
* Only if usage instructions and recommendations have been followed. No stupid deployments, e.g., mass emailing of exploits to large enterprises.
20. Vendors Are Reading Our Research
Seller: A scandal with the NSO product was published. In the past, there was a story with an iPhone and now they are exposed on Android. https://www.forbes.com/sites/thomasbrewster/2017/04/04/google-nso-group-android-surveillance-tool/#6019c5391a1d "Well, how? Read?"
Buyer: Yes, I read, but I did not understand how they learned about the NSO product for Android.
Seller: In this world, everyone can know everything they want. But you ask them. We did not write this article!
22. Why in-house development?
“This is the only inexpensive way to get to the iPhone, except for the [Israeli] solution for 7 million and that’s only for WhatsApp. We still need Viber, Skype, Gmail and so on.” - Buyers
“There are a lot of Android OS versions and the hardware differences between devices are making it a pain to use these exploits. They need tuning for each targeted environment!” - Buyers
29. StoneFish and Barracuda
Immediate solution was in-house developed iOS (StoneFish) and Android (Barracuda) malware with associated tooling.
Malware stats:
- Infection vectors: physical access and phishing
- Active exploits: none discovered at this time
- Infrastructure: shared C2s for iOS and Android exfil
- Number of malware variants: 400+ (testing and targeting)
- Success: > 50 GB of data
30. iOS Tooling and Capabilities
Custom end-to-end solution using open source and existing tools and techniques.
- Apps with DRM already removed: used to add trojan code
- iOS developer account: $99 to sign and distribute apps for targeted device IDs
- Open source – PPSideloader: CydiaSubstrate for hooking; pptweak.dylib for the malicious code
- Desktop tooling: parse device backups; request trojan versions of apps; provision apps for installing; instructions on how to infect targets
Developer(s) are active in these communities.
31. iOS Infection Vector
Infection vector: physical access.
- Backup machine: creates an iTunes backup of the phone and uploads it to the provisioning server using the custom desktop tool.
- Provisioning server: creates a trojan copy of WhatsApp, Viber, WeChat, or Telegram.
- Apple’s signing servers: provision an iOS app for a specific device UDID using a developer account.
- Install server: installs the requested trojan apps (WhatsApp, Viber, Telegram, WeChat) onto the device via an install URL.
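The pipeline on slides 30 and 31 leaves two static artefacts in the installed app bundle that a triage script can check without jailbreaking the device: an embedded.mobileprovision (App Store apps carry none; developer- and ad-hoc-signed apps list the UDIDs they were provisioned for, which is exactly what the "Apple's signing servers" step produces), and a main binary whose load commands pull in dylibs that do not live under Apple's system paths (the CydiaSubstrate framework and the tweak dylib PPSideloader bundles). The Python below is an added example, not Lookout's tooling and not anything recovered from the actors; the Mach-O header, install names and provisioning profile it inspects are constructed in memory, the team name, UDID and bundle identifier are placeholders, and filler bytes stand in for the CMS envelope that wraps a real profile (a real one is a DER-encoded PKCS#7 blob whose content is the XML plist, so the same substring search works on it).

```python
"""Static triage for the iOS sideloading pattern (added example; all inputs constructed)."""
import plistlib
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018

# Install-name prefixes used by Apple's own libraries; anything else shipped inside the bundle.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def macho_dylibs(data):
    """Return the install names of every dylib a little-endian 64-bit Mach-O loads."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit files not handled here)")
    off, names = 32, []                      # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # dylib.name.offset
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode())
        off += cmdsize
    return names


def suspicious_dylibs(names):
    """Install names outside the system paths: CydiaSubstrate, pptweak.dylib and the like."""
    return [n for n in names if not n.startswith(SYSTEM_PREFIXES)]


def profile_plist(embedded):
    """embedded.mobileprovision is a CMS envelope; the XML plist sits inside it as plain text."""
    start = embedded.index(b"<?xml")
    end = embedded.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(embedded[start:end])


def audit_app(binary, embedded=None):
    """Human-readable findings for one bundle's main binary and (if present) its profile."""
    findings = [f"non-system dylib loaded: {n}" for n in suspicious_dylibs(macho_dylibs(binary))]
    if embedded is not None:
        p = profile_plist(embedded)
        devices = p.get("ProvisionedDevices", [])
        if devices:
            findings.append(f"developer/ad-hoc profile from team '{p.get('TeamName')}' "
                            f"limited to {len(devices)} UDID(s)")
        if p.get("Entitlements", {}).get("get-task-allow"):
            findings.append("get-task-allow entitlement set (debuggable build)")
    return findings


# --- constructed sample input ---------------------------------------------------------
def _dylib_cmd(cmd, name):
    raw = name.encode() + b"\0"
    pad = (-(24 + len(raw))) % 8             # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, 24 + len(raw) + pad, 24, 0, 0x10000, 0x10000) + raw + b"\0" * pad


def build_macho(dylibs):
    """Minimal arm64 MH_EXECUTE header followed only by LC_LOAD_DYLIB commands (constructed)."""
    cmds = b"".join(_dylib_cmd(LC_LOAD_DYLIB, d) for d in dylibs)
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                       len(dylibs), len(cmds), 0, 0) + cmds


SAMPLE_BINARY = build_macho([
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "@executable_path/Frameworks/CydiaSubstrate.framework/CydiaSubstrate",  # constructed
    "@executable_path/pptweak.dylib",                                        # constructed
])

# Placeholder team, UDID and bundle id; filler bytes stand in for the CMS envelope.
_SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TeamName</key><string>Example Dev Team</string>
  <key>ProvisionedDevices</key><array><string>00008030-000000000000002E</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>TEAMID1234.com.example.messenger</string>
    <key>get-task-allow</key><true/>
  </dict>
</dict></plist>"""
SAMPLE_PROFILE = b"\x30\x82" + b"\x00" * 30 + _SAMPLE_PLIST + b"\x00" * 8

if __name__ == "__main__":
    for line in audit_app(SAMPLE_BINARY, SAMPLE_PROFILE):
        print(line)
```

On a real bundle, feed `macho_dylibs` the main executable named by CFBundleExecutable in Info.plist (after thinning a fat binary to its arm64 slice) and `profile_plist` the raw embedded.mobileprovision; a legitimately sideloaded enterprise app will also trip the profile check, so treat these findings as triage leads rather than verdicts.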
32. Android Infection Vectors
- Shared command and control server for the Android & iOS implants
- Trojan app: a fake system application, self-signed
- Delivery: phishing or physical access
- Victim device with third-party (unknown source) installs enabled
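Each vector on slide 32 leaves a trace in the package manager's installer record, which makes a quick triage possible from an `adb shell`: a Play-installed app records com.android.vending as its installer, an APK opened from a phishing download goes through the platform package installer, an APK pushed over USB with `adb install` (the physical-access case) records no installer at all, and a "fake system application" is a third-party package with a system-looking name that nevertheless lives under /data/app. The script below is an added example, not Barracuda tooling and not Lookout's; it parses the output of `adb shell pm list packages -3 -f -i` (third-party packages with APK path and installer), which is embedded here as constructed sample lines with made-up package names. The `package:<path>=<name>  installer=<installer>` line format and the `installer=null` value for adb installs are the author's assumptions from Android 7 through 10; check them against the device you are triaging, since newer releases changed how install sources are recorded.

```python
"""Triage of `pm list packages -3 -f -i` output (added example; sample lines constructed)."""
import re

PLAY_STORE = "com.android.vending"
# Installer values that map to the slide's delivery vectors (assumed from Android 7-10).
SIDELOAD_INSTALLERS = {
    "com.android.packageinstaller": "APK opened locally (browser download / phishing)",
    "com.google.android.packageinstaller": "APK opened locally (browser download / phishing)",
    "null": "no installer recorded (adb / physical access)",
}
# Third-party packages that borrow a system-looking name but are installed as user apps.
SYSTEM_LOOKALIKE = re.compile(r"^(android|com\.android|com\.google\.android)\.")
LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(output):
    """Parse 'package:<apk path>=<package>  installer=<installer>' lines into dicts."""
    rows = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(rows):
    """Return [(package, [reasons])] for every package that deserves a closer look."""
    findings = []
    for r in rows:
        reasons = []
        if r["installer"] != PLAY_STORE:
            reasons.append(SIDELOAD_INSTALLERS.get(r["installer"], f"installed by {r['installer']}"))
        if SYSTEM_LOOKALIKE.match(r["pkg"]) and r["path"].startswith("/data/app/"):
            reasons.append("system-style package name but installed as a user app")
        if reasons:
            findings.append((r["pkg"], reasons))
    return findings


# Constructed sample output; every package name except com.whatsapp is made up.
SAMPLE_OUTPUT = """\
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp  installer=com.android.vending
package:/data/app/com.android.systemupdate-1/base.apk=com.android.systemupdate  installer=null
package:/data/app/org.example.viewer-2/base.apk=org.example.viewer  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg, reasons in triage(parse_pm_list(SAMPLE_OUTPUT)):
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

A non-Play installer is common on legitimately managed or developer devices, so the hits are starting points for pulling the APK (`adb pull` on the listed path) and checking its signing certificate, not a verdict on their own.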
38. Thank you!
Questions?
Note: All security research conducted by Lookout employees is performed according to the Computer Fraud and Abuse Act (CFAA) of 1986. As such, analysis of adversary infrastructure and the retrieval of any exposed data is limited to only that which is publicly accessible. Any sensitive information obtained during this process, such as usernames or passwords, is never used in any authentication-based situations where its use would grant access to services or systems.