Season 1 | Episode 7
Episode 7 of Hacking Exposed, Qwiet Edition follows a unique format. Instead of taking you through a handful of developing stories, this episode is focused on one extremely important topic: Predator spyware. This one is a must-listen for lots of reasons.
Resources for this episode:
Predator Spyware Overview
- [00:03:44] Chris outlines Predator’s invasive monitoring capabilities
- [00:05:07] Stu argues spyware builders pretend tools are for “good”
- [00:10:47] Chris notes Predator leverages multiple zero-days to infect devices
- [00:14:27] The group examines a screenshot of Predator’s monitoring dashboard
Enabling Factors and Concerns
- [00:06:11] Ben says spyware is effective, driving government demand
- [00:10:20] Chris suspects Egypt assisted spyware deployment via ISPs
- [00:16:46] Chris worries about personal privacy implications
- [00:18:29] Stu notes journalists have been targeted and killed
Possible Prevention Tactics
- [00:11:05] Stu suggests using burner phones in high-risk areas
- [00:22:16] Chris stresses being hyper-vigilant about links and previews
- [00:26:10] Chris recommends mobile forensics tools like MVT
- [00:13:34] Chris expects commercial spyware issues to persist
- [00:17:02] Stu says social engineering tactics still succeed frequently
- [00:18:13] Ben notes spyware’s privacy implications are deeply concerning
[00:00:00] Stu McClure: All right. Welcome everybody. This is Hacking Exposed podcast, Qwiet Edition. And as promised, we’re diving in a little bit more into the murky world of spyware, and more importantly, commercialized spyware. So, bad guys getting paid big bucks to do bad things. And, I guess getting celebrated for it. Uh, best I can tell.
[00:00:39] So, at any rate, look guys. Um, there’ve been a couple of these flare ups over the years. Actually, more than a couple. Uh, a few. Probably over the last 10 to 15 years. And basically, let’s break it down for everybody. I mean, Predator, which is the current sort of wave of spyware and Amnesty [00:01:00] International did a fantastic breakdown and review.
[00:01:03] If you haven’t seen it, you absolutely need to go through this technical analysis. It’s not as technical as you might think. You can follow it pretty easily of how bad this thing is, which we’re going to get into it. But, um, sometimes called, uh, uh, Intellexa, which is, I guess, the founding alliance or companies, uh, that have sort of brought this to market, similar to the old school NSO group.
[00:01:29] Now, old school, meaning what, as of a few years ago, five years, four or five years ago, et cetera, uh, was covered on 60 Minutes, I remember, um, Forbes did a piece on some of these guys. So, anyway. A lot of material is out there in and around what’s happening and why is this a big deal? So let’s just kick it off.
[00:01:53] So Predator, what do you guys know about it?
[00:01:56] Chris Hatter: Well, before, before we get in into it, uh, [00:02:00] this was really weird, but a couple of weeks ago, and I know we’re not talking about Pegasus, but someone [00:02:04] sent me [00:02:05] a book on Pegasus. They didn’t include their name, return address, I just got dropped to my home address a book on Pegasus and I don’t know if that was a sign or what, but, uh, yeah, I’m still trying to figure out who that is, so if anyone’s listening that, that sent me that, I’d love to know, uh, that was an accident or not, but, uh, I have an oddity before, before we actually talk about, Pegasus?
[00:02:33] Stu McClure: How, how was it anonymized? Like you couldn’t,
[00:02:36] Chris Hatter: it was just dropped off, was just dropped off packages, brown box with no return address.
[00:02:41] Stu McClure: And you have no ring camera or
[00:02:43] Chris Hatter: no, uh, I have a ring camera. It came from like a proper delivery service, but it doesn’t have a sticker, like where we’re from. Who is almost like a, kind of like a gift.
[00:02:53] A gift receipt type thing.
[00:02:55] Stu McClure: Well, interesting. This is the rabbit hole continues. Okay. Well, we’ll, uh, we’ll cover that on another [00:03:00] podcast then when you figure out where that came from.
[00:03:02] Chris Hatter: Yeah. I, I started looking at, um, some of the iOS forensic collectors. There’s one out there called MVT. I’m going to take a look and some of my iTunes backups, see if, uh, there’s any traces of anything going on here.
[00:03:15] Stu McClure: Well, MVT. Yeah, that, that is the, um. That, you know, probably the best that we have when it comes to sort of taking mobile devices and tearing them down, looking for indicators of compromise for sure. So, uh, good luck. Sounds like your weekend is set, scheduled out.
[00:03:34] Chris Hatter: I mean, the, but, um, on the topic of Predator though, this kind of this Intellexa group, um, just as I guess set the table, it was Intellexa was started by
[00:03:44] uh, former Israeli, uh, military commander named Tal Dilian. Um, and, you know, when I was looking at this, best I can tell he was relatively enamored with what NSO was doing around Pegasus. Uh, so enamored, he built an [00:04:00] entire, you know, chain of, uh, uh, spy technologies, uh, Predator being only one of them. They, the Intellexa group is in control of a lot of different
[00:04:08] uh, types of, uh, you know, spyware technologies and Intellexa purports to be a partner to federal agencies, intelligence agencies for the purposes of, uh, doing good in the world. Um, when in reality, when you, when you look at a lot of what Amnesty International did and some of the research that’s out there, uh, there’s a very gray line at best in terms of what, what this group is doing.
[00:04:31] Um, and, and to further that there’s an incredibly complex corporate structure. Uh, I was listening to a podcast and apparently Tal Dilian’s wife is a specialist in very highly complicated corporate structures designed to avoid like government oversight and regulation and also just, you know, create kind of a confusing web to stay out of the, uh, you know, grasp of law enforcement, so to speak.
[00:04:56] So. This is a really interesting and [00:05:00] complex setup, uh, you know, led by, you know, a former military officer, uh, with some very sophisticated technologies.
[00:05:07] Stu McClure: I mean, let’s just, let’s just break it down, guys. I mean, this is a bunch of BS, you know, everybody like claims to be building this munition stuff for the governments and doing it for good, but we all know that’s total BS and we all know that it’s leaked out there and, and.
[00:05:24] At worst, it’s sold directly. I mean, you know, you’ve seen the same POs that I have of all kinds of entities that have acquired this technology and these POs have been leaked. And so we all know that it’s happening. We all know that. And especially in this particular case, I mean, we’ve got a lot of companies that are involved in this.
[00:05:44] I mean. Cyprus, North Macedonia, Greece, Thailand, Ireland, like you name it, man. It’s like everywhere. So, so what, what, why is this possible? Why is this?
[00:05:59] Ben Denkers: [00:06:00] Because it’s effective, I would say, right? Uh, I mean, that’s, that’s the honest truth. You, you have, uh, you have a. Industrial scale as, as I, I’ve seen it referred to spyware operation, right?
[00:06:11] That has been commercialized. That is effective, uh, so much so that you have government agencies all across the world who are fighting for regulation to control it so that it can be leveraged for their version of good. Right? I mean, and. And that’s can be, uh, you know, to Chris’s point, uh, somewhat either subjective or gray area, but everyone’s definition of what, what is right, uh, isn’t necessarily, uh, accurate.
[00:06:35] And so, you know, that’s why it’s effective.
[00:06:38] Stu McClure: And, uh Well, and who’s to judge? Who’s, who’s a bad person, right? And who you’re going after? I mean That’s the spy game, I guess, in a nutshell. You don’t know if they’re good or bad and you just spy.
[00:06:49] Chris Hatter: That’s what Tal and the team said. So when they started, I think, in Cyprus, kind of a crazy situation, but they When it was starting to get [00:07:00] popularized that this was some pretty effective spy tech, they asked Forbes to come over and take a look.
[00:07:06] And so Tal and his team, like, showed them this crazy spy van, showed them all this kind of technologies and the government of Cyprus is like, Hey, you know, what’s going on with our borders? Why don’t we have technology like that? Right? And so all of a sudden, how’s business, and Intellexa gets raided. They have to go find another place to operate.
[00:07:24] And they, they kind of pull their hands up and said, who are we to judge like what people do with it? We sell it with good intent, but we cannot control the end users of the, of the, of the software.
[00:07:34] Stu McClure: I mean, that’s kind of where it’s, it’s the whole scissors argument, right? It’s a tool, right? I make scissors.
[00:07:39] Well, but if you run around with them and fall on them, it’s not my fault. Right? Exactly. It’s not my fault. If you use them to kill somebody, it’s not my fault.
[00:07:49] Chris Hatter: And where they, they tried to stand on that ground.
[00:07:53] Stu McClure: Well, yeah, I don’t know. I mean, I, I personally am serious. I’m just over this whole friggin arguments, you know, we’ve been [00:08:00] talking about it for 20 plus years.
[00:08:01] Um, it just causes more headache than good to be honest. I mean, I know that we don’t hear a lot of the good stories. So maybe you could say, Stu, you know, we don’t know about the good stories because we stopped this bad guy from doing this bad thing using this tool. Okay, fine. But then don’t sell it commercially for Christ’s sake.
[00:08:21] Like what, how hard is this? You know, just keep it super tight inside the governments inside the arms of the government. And, uh, you know, stop selling this stuff, you know, worldwide. This is what drives me bananas, because they just, they are part of the problem, period. I mean, I’m, I’m, I’m done. Well, look, so there’s a lot of cool parts to this, obviously.
[00:08:43] I think the coolest part is the zero click stuff. Now, we’ve been doing a lot of GSM interception in the space for a long time. I mean, DEF CON, Christ, we used to do this stuff just for fun. You go out there and you just start intercepting. First, you downgrade whatever [00:09:00] level of N10 service they have, you try to force it downgraded to GSM, and then you’re able to intercept with a lot of, um, you know, freely available tools.
[00:09:11] And you could certainly intercept all kinds of voice traffic and, you know, text traffic and all kinds of stuff. But, but now it’s, it’s different. Like, in this Pegasus scenario, at least in the zero clicks and one clicks, they’re basically partnering with an ISP. I mean, you’re basically an ISP is allowing them to install their servers in their infrastructure.
[00:09:33] And intercept, um, the communications in and outbound of the ISP. How is this happening?
[00:09:41] Ben Denkers: Yeah, no, exactly, exactly. Like why, why, why isn’t the ISP held accountable for, for that particular action? I just, that’s mind boggling.
[00:09:49] Stu McClure: It is mind boggling. And I don’t know, I know that if one or two have been raided, but I haven’t really seen too much of that in terms of news coverage.
[00:09:58] I mean, I understand going into a. [00:10:00] Surveillance van outside the street, I should look, uh, yeah, and, and, and see, you know, a big black van, you know, all covered, um, and masked out, but like, I get that, to install it in ISP, like, give me a break, what is happening to this world?
[00:10:20] Chris Hatter: Um, the most noted news case on this particular situation, there was a government official or lawmaker in Egypt, um, that was targeted with the, with the zero click. Um, and from what I found on the Egypt is a known buyer of Predator. So in my estimation, right, this is just purely a guess, I would suggest that it’s likely that whomever was deploying the malware was kind of in cahoots with the ISP.
[00:10:47] This wasn’t a situation where they compromised and dropped it on the ISP. It seems like a little bit too good to be true. And this is, I think, relatively common in places who are investing in software like Predator. [00:11:00]
[00:11:00] Stu McClure: Unfortunately, that’s probably a good point, which is, Hey, who are the buyers of this stuff?
[00:11:05] This is probably where a, you need a burner phone wherever you’re going. I mean, a great prevention step burner phone where you do nothing on there. Okay.
[00:11:16] Ben Denkers: Um, just need to communicate via [00:11:18] letters. That’s the problem guys.
[00:11:20] Stu McClure: Like, yeah, right. Kick carrier pigeon. Yeah. Well, I do have a whole series of preventative steps at the very end.
[00:11:28] I want to share with everybody in terms of how you can. As an individual, as a company, how you can try to avoid being a victim of a lot of this BS spyware crap that drives me bananas. But also, I wanted to just dive a little bit into the capabilities here. Now, spyware as a general rule gives you spy ability.
[00:11:50] So you can just sort of look into, like, their images on their phone, uh, you can listen to their voice calls, you can read their texts, right? You can [00:12:00] do certain things. It doesn’t necessarily mean you have full control over the device. Now, in some cases you do. That’s more like malware. It’s just important to know that.
[00:12:10] So for things like two factor authentication, I mean, Spyware just blows the lid off of that. I mean. Uh, by and large, uh, it depends on the capabilities of the spyware, but, um, to be able to sort of read your text messages and see that 2FA come through there. Um, even if there’s like a Google authenticator, if you could run apps, um, and then view the screen, obviously you can pull, you can pull codes like that.
[00:12:34] So a lot of that stuff exists. In this spyware stuff, I’m just curious, you know, what, when are, what are we going to be able to detect and prevent this stuff? I mean, on a mobile device, there’s very little that you can do to prevent as a good guy, you know, it’s sort of you’re beholden to the, to the carrier and the operating system of the manufacturer of the phone.
[00:12:59] [00:13:00] Largely, and there’s going to always be zero days inside these phones. I mean, we saw that with iMessage recently, uh, and iPhone in general and Macs, but also in Samsung, there are these zero days that these guys get paid to go find right. Millions of dollars worth that zero day then is either sold individually or put into spyware like this.
[00:13:22] That allows for the exploitation of all these devices. Um, I don’t know. I mean, is this, is the game of zero day munitions ever going to go away? Or we’re talking about this forever.
[00:13:34] Chris Hatter: I think we’re talking about it for quite some time. I think what’s, what’s really interesting about Predator specifically is that, Um, it’s intelligent enough to, you know, have a look at what operating system you’re running, what kind of browsers are on your phone.
[00:13:47] Or device, uh, and then it makes it makes a decision, right? Do I then go deploy? And when it does go deploy, it uses anywhere from like 4 to 8 different 0 days to actually, uh, implement the malware and create the [00:14:00] persistent. But what I would say is I have a view. I want to share my screen really quick if I can, um, to just show exactly how invasive this thing actually is.
[00:14:11] So this comes from the report from Amnesty that Stu was talking about, but this is literally a screenshot of it. And hopefully, hopefully you can see, but this is what, uh, Intellexa refers to as the Predator, uh, operations [00:14:25] platform. And if you can see, I mean, [00:14:27] you can see apps installed, what’s going on in Safari, take screenshots of the computer, what’s going on in the text message location. I mean, this is super invasive stuff, uh, and, and seemingly has a
[00:14:37] Stu McClure: It’s, it’s invasive, but like, I don’t see a, like, run. Like, you know, you could look at the apps installed, but you can’t run them, best I can tell, right? You can open Safari, or maybe it’s just the Safari configuration, like the history, and… The settings, I don’t really know.
[00:14:54] I mean, are you, you can do screenshots for sure. That’s yeah, it’s traditional spy. In other words, it’s [00:15:00] traditional spyware. Like this is not malware where I can like take it over the best I can tell.
[00:15:05] Ben Denkers: See, but here’s the thing is, is they, uh, they offer other packages that allow you to do that, specifically speaking Spearhead and WiSpear,
[00:15:11] Which allow for execution, uh, based upon my understanding, right?
[00:15:15] Chris Hatter: They have the ability to execute on whatever they want to do, really. Um, including like certificate, uh, injection. I mean, it’s pretty end to end, I would say. Comprehensive.
[00:15:28] Stu McClure: Well, I haven’t seen it with Pegasus in particular, but maybe some of the add on modules you can do it with, like you said, uh, Ben.
[00:15:35] I don’t know. I mean, I’m seeing this stuff over and over and over again. I do encourage everybody to sort of look out. For some of the, um, materials on the stuff because it’s not going to go away, um, by any stretch of the imagination and it’s really the zero clicks that worry me. I mean, the 1 clicks, maybe 2, but the 0 clicks in particular, I mean, and a lot of the stuff you think, well, geez, if I just use, you know, [00:16:00] HTTPS or SSL, then I’m safe.
[00:16:02] Of course, you know, there, there are bypasses to that as well. So you can’t be safe there
[00:16:07] Ben Denkers: or if the ISP is owned, right? Like that to me is one of the bigger, bigger changes is you, you still have the ISP you have to deal with. Uh, and, and if you have, you know, if one, one of the articles I read at 74, 75 government agencies leverage the product, uh, or some version of a product or similar product.
[00:16:26] Uh, and so you can imagine, like, a large majority of those probably have, uh, ISP implementations. And so, you know, it just, you start going down that rabbit hole and you’re thinking, Hmm. Yeah, how secure really are my communication, especially, you know, at the point of where I need to be trusted
[00:16:42] Chris Hatter: as someone who cares about personal data privacy.
[00:16:46] Like, all this stuff gives me pause for concern, especially the 0 click stuff, right? The 0 click stuff. There’s very limited things that you could do. Maybe you’ll get into some some options at the end with Stu. But, um, the 1 click stuff. It’s still effective, [00:17:00] like, regardless of what we think. I mean, it still works.
[00:17:02] That’s why there’s these huge articles about this stuff. And when you look at the Amnesty report, they, they go into specifics on how, for example, Vietnam was using Twitter, now X, to be able to do the, the one click, uh, the one click phishes. So there’s some really good material out there that shows you exactly how this stuff is done.
[00:17:21] And it’s just kind of a commitment, almost like a brute force, like a slow brute force to actually get someone to click a link. And once they do, it’s game over.
[00:17:30] Ben Denkers: You know what I find so interesting about this, right? I mean, obviously this is an incredibly powerful. Uh, commercialized spyware suite, right? But it’s not necessarily be let, let, it’s at least to my knowledge, it’s not being leveraged for things like ransomware, right?
[00:17:43] Or, or at least not, you know, in the more traditional sense, it’s truly intelligence. And so like, to your point, Chris, the privacy implications, you know, whether you’re a reporter, uh, you know, doing an investigation or, you know, a report [00:18:00] on, uh, you know, a corrupt government or something similar, right? This could have potential impact and as shown, uh, has a major
[00:18:07] Stu McClure: has, I mean, journalists have been killed.
[00:18:11] It’s like to me that in relation to this
[00:18:13] Ben Denkers: stuff, it’s, it’s, it’s to me that, that, that is what I find most concerning and interesting all in the same realm, right? Like we’re talking about a pure or primarily a pure intelligence play, uh, and at, you know, that, that’s what keeps me up at night for sure.
[00:18:29] Stu McClure: All right.
[00:18:29] Well look, break down real quickly vectors. Okay. Number one. ISP infections, right? So somehow they get access to an ISP, they infect a box, they put their stuff on there, installed at the ISP, probably, you know, in cahoots with the ISP and they’re able to intercept, um, and all and do a lot of that zero click stuff.
[00:18:52] Um, now there’s a tactical elements. Tactical meaning they could have a van outside my window here and be listening to all [00:19:00] my wifi and all of my cellular. Uh, for sure. And then lastly, what you were talking about, Ben, is this sort of call it the avatar attack, but, but using like anonymous accounts or bots and then really just probing people constantly for a one click, uh, click through, uh, to, to find a victim now, you know, how, how do you guys prevent against this?
[00:19:23] Right? I mean, I think a lot of the same old preventative steps, but detect-and-respond steps still apply. So, you know, make sure, I mean, I’m so paranoid. I always look whenever I’m in any, not just any country, but any city I’m looking at, well, am I 5G or 4G or am I, you know, GSM, you know, if I’m GSM, just turn your phone off, you know, like, just kill it right away.
[00:19:49] Um, I don’t know how much, so this is really the crux of it in my mind, how much or how many of the attacks are dependent on [00:20:00] something being run even invisibly or explicitly by the user. So, for example, like, if there’s a zero day in the very handshaking. Of the cellular subsystem loading up on the phone, well, then gosh, there’s nothing you can do.
[00:20:19] I mean, all you can do is detect and respond because you don’t have insight into every step of that process. However, and I think most of these attacks, um, are really dependent on the user, something happening to a user infrastructure, like a browser getting started. Or a click in a Facebook or, but basically a click, um, even if it’s a zero click, there’s something that’s happening in the infrastructure.
[00:21:32] Like, that’s what you want, you know? You want to blow a zero day on trying to get to you. That’s, I think, the best you can possibly do. I’m back to carrier pigeons too.
[00:21:42] Ben Denkers: That’s, I mean, that’s it for me.
[00:21:44] Stu McClure: Well, how do you work like that? You can’t work like that, right? You gotta use this tag.
[00:21:48] Chris Hatter: He’s lying. He’s not in a video conference right now, so he’s not doing anything.
[00:21:51] Stu McClure: I know, he’s lying.
[00:21:53] Ben Denkers: I’m just saying, after this, after this, this is it.
[00:21:55] Stu McClure: Like, I mean… This is it, huh?
[00:21:58] Chris Hatter: This is not a solve, but [00:22:00] like, the recommendations here are very vanilla, and they’ve been in existence for a long time. Update your software. Be relentless on, uh, being suspicious, right? I’m a super suspicious person having worked in cybersecurity, my, my whole career.
[00:22:16] And now, you know, I mean, if you look at the, the, the Amnesty report and so other content from this, like the link previews are no longer safe either. So you really, well, he’s suspicious.
[00:22:27] Stu McClure: Yeah. Don’t get me started on link previews, um, even like mouse over and stuff like that. Now you don’t even need. Yeah, you don’t even need a lot of that stuff with some of these vulnerabilities, right?
[00:22:36] They can just auto trigger all by themselves.
[00:22:39] Chris Hatter: Um, and like, for example, they, they, they, um, the, the Twitter handle that was dropping, uh, links, uh, for the, for the spyware, they were using legitimate news sources as the preview, but the link would go somewhere else. Right? So you would have to say, oh, listen, this comes from a very reputable source.
[00:22:58] And there’s an interesting article [00:23:00] to me. Let me click the link. Bing, bang, boom, you’re compromised. So
[00:23:03] Stu McClure: yeah, yeah, yeah. It’s, it’s all just click stuff. Um, but I wanted to tell you a story. So when I was back at Intel, McAfee, McAfee, the Intel, we had a, um, executive traveling in China, uh, with a BlackBerry actually.
[00:23:20] And, uh, they came back in that sucker was infected. Right. And we, we know after, after pulling that stuff down and looking at it, we know that it came through a carrier a hundred percent. And even though it was a burner BlackBerry, it was good because we were able to capture that and sort of do an analysis.
[00:23:39] We never made that public, uh, but man, I wish we would have. Um, there are these kinds of things that have been happening, and that was in 2010. I mean, this has been happening for a long time, and we all know, if you’ve ever been to Black Hat DEF CON, you know the rules, you know, don’t turn anything on that you don’t want pwned.
[00:24:39] And, uh, oh, there is one actually tool I will shout out to called File Insight. Now, we built this at McAfee. So you can search McAfee File Insight. And you can use this whenever you get a link. And you want to know, is it malicious or not? You can put this link into File Insight. It’ll show you just the text version [00:25:00] and then highlight the active.
[00:26:01] Chris Hatter: Well, I mentioned it at the beginning, but, and I’m not a, you know, forensic analysis expert, but I am going to try my hand with MVT.
[00:26:10] All right, I’m going to go learn how to use it. I’m going to go run some forensics on my own devices. I’d encourage you to do the same.
[00:26:16] Stu McClure: You should, yeah, take a look at, at MVT. Um, now that requires, you’re going to install it on Linux probably somewhere.
[00:26:24] Chris Hatter: Um, either let’s be more, uh, I think it’s compatible with iOS too, or not iOS, but Mac.
[00:26:30] Stu McClure: It’s probably iOS, yeah, or rather Mac, Mac OS rather. Um, yeah, that’s true. So, well, good, good luck report back. I’d love to hear if you find anything and then let us know where the, um, random Pegasus book came from.
[00:26:46] Chris Hatter: I don’t know if I’ll ever find out. I mean, this was, this was like. Three, four weeks ago at this point.
[00:26:51] Stu McClure: Well, did you pull down the Pegasus IOCs and start scanning at least your boxes for them? Not yet. I’m going to. Uh, are you [00:27:00] sure? I mean, I’ve been the first thing I’ve been doing. All right, guys. Well, thanks so much for joining. This was a special edition of a special edition, um, in and around predator and look forward to doing more of these in the future.
[00:27:11] Thanks guys. Thanks.