Check Point Research (CPR) recently investigated two known Iranian cyber groups and found that the Iranian government continues to surveil and attack dissidents of the regime, both in Iran and abroad. The first group, known as APT-C-50, spies on the mobile phones of dissidents, collecting phone call recordings, messages, pictures and GPS data. In a campaign dubbed ‘Domestic Kitten’, APT-C-50 targeted over 1,200 individuals living in seven countries, with over 600 successful device infections.

Extracting sensitive data

The second group, known as Infy, spies on the PCs of dissidents, extracting sensitive data from home and business computers after tricking targets into opening malicious email attachments. With the help of researchers at SafeBreach, CPR has exposed a recent Infy campaign that targeted dissidents in 12 countries. Both campaigns, Domestic Kitten and Infy, are still live and ongoing.

CPR first revealed the Domestic Kitten operation in 2018. Now, CPR has uncovered the full extent of Domestic Kitten’s surveillance operation against Iranian citizens. Since 2017, the Domestic Kitten operation has comprised 10 distinct campaigns, four of which are currently active; the most recent began in November 2020.

Collecting device identifiers

In these campaigns, victims are lured into installing a malicious application through multiple vectors, including an Iranian blog site, Telegram channels, or an SMS carrying a link to the malicious application. All of these deliver the app outside Google Play, so infection depends on the victim allowing installation from unknown sources on the device. The capabilities of the Domestic Kitten malware, which CPR researchers call ‘FurBall’, include:

- call recording
- surround (ambient microphone) recording
- location tracking
- collecting device identifiers
- grabbing SMS messages and call logs
- stealing media files such as videos and photos
- obtaining a list of installed applications
- stealing files from external storage

FurBall uses a variety of covers to disguise its malicious intent. Disguises identified by CPR researchers include:

- VIPRE Mobile Security – a fake mobile security application
- ISIS Amaq – a news outlet for the Amaq news agency
- Exotic Flowers – a repackaged version of a game from Google Play
- MyKet – an Android application store
- Iranian Woman Ninja – a wallpaper application
- Mohen Restaurant – an application for a restaurant in Tehran

Theft of sensitive data

Domestic Kitten has targeted over 1,200 individuals, with over 600 successful device infections, in seven countries: Iran, the United States, Great Britain, Pakistan, Afghanistan, Turkey and Uzbekistan. Victims include internal dissidents, opposition forces, ISIS advocates, people from the Kurdish minority in Iran, and more.

Check Point and SafeBreach researchers also found evidence of renewed activity by Infy, a cyber campaign that has been in intermittent operation since 2007. Infy’s most recent activity targets PCs by sending fake emails with attractive content, usually with an attached document. Once the document is opened, the Infy spying tool is installed on the victim’s PC, resulting in the theft of sensitive data from the computer.

Taking significant effort

Two example documents recently used by Infy include a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran. The document is in Persian and includes information about the governor’s office and his alleged phone number. The second document, also in Persian, carries the logo of ISAAR, the Iranian government-sponsored Foundation of Martyrs and Veterans Affairs, which provides loans to disabled veterans and the families of martyrs. According to the researchers, Infy’s technical capabilities are far superior to those of most other known Iranian campaigns: it attacks only a handful of targets and takes significant effort to remain undetected and uninterrupted.

Importance of being alert

Check Point’s head of cyber research, Yaniv Balmas, said: “It is clear that the Iranian government is investing significant resources into cyber-operations. While both of the campaigns highlighted in our research were previously known, we managed to find new and recent evidence of their activity.”

“The operators of these Iranian cyber espionage campaigns seem to be completely unaffected by any counter-activities done by others, even though both campaigns had been revealed and even stopped in the past – they have simply restarted. The campaign operators learned from the past, modified their tactics, and waited for a while for the storm to pass, only to go at it again.”

“In our research, we revealed several new techniques used by these campaigns for the very first time, some more advanced than others, but all previously unknown. All in all, I believe our latest research shows us the dangerous power of cyber-attacks when used by governments and how relevant it can be to all of us as individuals, teaching us all the importance of being constantly alert when using our mobile phones, home computers – or frankly any electronic device.”

Researchers have alerted law enforcement agencies in the US and Europe to their findings.
Security researchers at Check Point identified a critical vulnerability in Instagram, the popular photo and video sharing app with over 1 billion users worldwide. The vulnerability would have given an attacker the ability to take over a victim’s Instagram account and turn their phone into a spying tool, simply by sending them a malicious image file. When the image is saved and then opened in the target’s Instagram app, the exploit would give the attacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as access to the phone’s contacts, camera and location data.

How the attack works

To exploit the vulnerability, the attacker needs only a single malicious image. Check Point researchers summarised the attack method in three steps:

1. The attacker sends a malicious image to the target via email, WhatsApp or another media exchange platform.
2. The picture is saved to the user’s mobile phone. This can happen automatically or manually depending on the sending method, the phone type and its configuration; a picture sent via WhatsApp, for example, is saved to the phone automatically by default on all platforms.
3. The victim opens the Instagram app, which triggers the exploit and gives the attacker full access for remote takeover.

Note that the decoder bug fires only when Instagram parses the saved file; the image sitting in the phone’s gallery does nothing by itself, so the trigger is Instagram processing the image, not merely its presence on the device.

Phone as spying tool using Instagram

The vulnerability gives the attacker full control over the Instagram app, enabling the attacker to take actions without the user’s consent, including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details. The Instagram application also holds extensive permissions that are gateways to other functions on the phone, so an attacker could also use the vulnerability to access phone contacts, location data, the camera and files stored on the device, turning the phone into a perfect spying tool.

At the most basic level, the exploit could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.

Danger in using 3rd party code

Check Point researchers found the vulnerability in Mozjpeg, an open-source JPEG decoder that Instagram uses to process images uploaded to the application. As a result, the researchers are warning app developers about the risks of using 3rd party code libraries in their apps without checking them for security flaws. Application developers rarely write an entire application on their own. Instead, they save time by using 3rd party code to handle common tasks such as image and sound processing, network connectivity, and more. However, 3rd party code often contains vulnerabilities that become security flaws in the overall app, as in this case with Instagram. The practical consequence for developers is that every bundled library needs to be inventoried and tracked, so that an upstream fix can be identified and shipped to users as quickly as a fix in the app’s own code.

Responsible disclosure

Check Point researchers responsibly disclosed their findings to Facebook, the owner of Instagram. Facebook promptly acknowledged the issue, describing the vulnerability as an “Integer Overflow leading to Heap Buffer Overflow”. Facebook issued a patch to remediate the vulnerability in newer versions of the Instagram application on all platforms. To give enough Instagram users time to update their applications, and so significantly reduce the risk, Check Point researchers waited six months before publishing these findings.

Code libraries

Yaniv Balmas, Head of Cyber Research at Check Point, said: “This research has two main takeaways. First, 3rd party code libraries can be a serious threat. We strongly urge developers of software applications to vet the 3rd party code libraries they use to build their application infrastructures and make sure their integration is done properly. 3rd party code is used in practically every single application out there, and it’s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?”

“Second, people need to take the time to check the permissions an application has on your device. This ‘application is asking for permission’ message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it. But in practice this is one of the strongest lines of defence everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think: do I really want to give this application access to my camera, my microphone, and so on?”

Facebook has issued the following comment: “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”

Safety tips

Check Point’s Yaniv Balmas provided the following safety tips:

- Update! Update! Update! Make sure one regularly updates one’s mobile applications and mobile operating system. Dozens of critical security patches are being shipped out in these updates on a weekly basis, and each one can potentially have a severe impact on one’s privacy.
- Monitor permissions. Pay close attention to applications asking for permissions. It’s very easy for app developers to just ask users for excessive permissions, and it’s very easy for users to just click ‘Allow’ without thinking twice.
- Think twice before approving. Take a few seconds to really think before approving anything. Ask: “Does one really want to give this application this kind of access? Does one really need it?” If the answer is no, DO NOT APPROVE.
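The bug class Facebook named for the Mozjpeg flaw, an integer overflow leading to a heap buffer overflow, is the classic image-decoder defect: a buffer size is computed from header fields the attacker controls, the multiplication wraps in fixed-width arithmetic, the allocator hands back an undersized buffer, and the decoder then writes the full-size image into it. The following C snippet is an added example written for this page to make that pattern and its fix concrete; it is not Mozjpeg’s, Instagram’s or Check Point’s code and does not reproduce the specific Mozjpeg defect. The `image_hdr` struct, the 65536 x 65537 header, the `MAX_PIXELS` cap and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed example header: the three fields an image parser reads from
 * an attacker-controlled file and turns into an allocation size. */
struct image_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Policy cap on the pixel count (an assumption for this example, not a
 * libjpeg or Mozjpeg constant): 16384 x 16384 pixels. */
#define MAX_PIXELS ((size_t)16384 * 16384)

/* VULNERABLE pattern: the size is computed in 32-bit unsigned arithmetic.
 * A large width*height wraps to a small number, malloc() happily returns a
 * small buffer, and the decoder then writes the real width*height*bpp
 * bytes of pixels into it: a heap buffer overflow. */
uint32_t unsafe_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t pixels = width * height;   /* wraps silently */
    return pixels * bpp;                /* may wrap again */
}

/* HARDENED version: every multiplication is checked before it is done and
 * the pixel count is bounded by a policy limit.  Returns the byte size, or
 * 0 if the header must be rejected (0 is never a valid size here because
 * zero-sized dimensions are rejected too). */
size_t safe_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t pixels;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;                       /* width*height would overflow size_t */
    pixels = (size_t)width * height;
    if (pixels > MAX_PIXELS)
        return 0;                       /* absurd image, reject early */
    if (pixels > SIZE_MAX / bpp)
        return 0;                       /* pixels*bpp would overflow size_t */
    return pixels * bpp;
}

/* Allocate the pixel buffer only for headers that pass the checks, so the
 * decode loop can never be handed a buffer smaller than the image. */
unsigned char *alloc_pixels(const struct image_hdr *h, size_t *size_out)
{
    size_t n = safe_buffer_size(h->width, h->height, h->bytes_per_pixel);
    if (n == 0)
        return NULL;
    *size_out = n;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed malicious header: 65536 x 65537 x 1 really needs
     * 2^32 + 65536 bytes, but the 32-bit product wraps to 65536. */
    struct image_hdr evil = { 65536u, 65537u, 1u };
    struct image_hdr fine = { 640u, 480u, 3u };
    size_t n = 0;
    unsigned char *buf;

    printf("unsafe size for 65536x65537x1: %u bytes (wrapped)\n",
           unsafe_buffer_size(evil.width, evil.height, evil.bytes_per_pixel));
    buf = alloc_pixels(&evil, &n);
    printf("safe path for the same header: %s\n", buf ? "accepted" : "rejected");
    free(buf);

    buf = alloc_pixels(&fine, &n);
    printf("safe path for 640x480x3: %zu bytes allocated\n", n);
    free(buf);
    return 0;
}
```

The point of the checked version is that the overflow is caught before any allocation happens, so there is no buffer for the decode loop to overrun; the policy cap additionally rejects images no real client would ever send, which is the cheapest place to stop malformed input from a third-party parser. On GCC and Clang the same checks can be written with `__builtin_mul_overflow`, but the division form above is portable C.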