19 Matching Annotations
  1. Jul 2021
    1. Frequently this website was running a random and sometimes obscure PHP application or CMS
    2. The fingerprint technique is conceptually similar to the JA3S fingerprint technique published by Salesforce in 2019
    3. Amnesty International presented an excerpt of more than 600 domain names tied to NSO Group’s attack infrastructure
    4. System log files also reveal the location of Pegasus binaries on disk. These file names match those we have consistently observed in the process execution logs presented earlier. The binaries are located inside the folder /private/var/db/com.apple.xpc.roleaccountd.staging/ which is consistent with the findings by Citizen Lab in a December 2020 report.
    5. These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS.
    6. a random identifier tied to the attack attempt followed by the word "stadium".
    7. The Cache.db file for com.apple.coretelephony contains details about the HTTP response which appeared to have been a download of ~250kb of binary data
    8. a service fronted by Amazon CloudFront, suggesting NSO Group has switched to using AWS services in recent months
    9. HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack
    10. This domain matched a distinctive fingerprint we devised while conducting Internet-wide scans following our discovery of the network injection attacks in Morocco
    11. HTTP request performed by the Apple Music app points to the domain opposedarrangement[.]net
    12. It is interesting to note that in the traces Amnesty International recovered from 2019, the iMessage lookups that immediately preceded the execution of suspicious processes often contained two-byte 0x00 padding in the email address recorded by the ID Status Cache file
    13. iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.
    14. iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International
    15. _kBridgeHeadConfigurationFilePath in the libaudio.dylib file part of the Pegasus bundle
    16. configuration file located at /var/tmp/jb_cfg
    17. vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.
    18. network usage databases contained records of a suspicious process called “bh”. This “bh” process was observed on multiple occasions immediately following visits to Pegasus Installation domains.
    19. primarily attributed Pegasus spyware attacks based on the domain names and other network infrastructure used to deliver the attacks