bleepingcomputer[.]com/news/apple/apple-emergency-updates-fix-3-new-zero-days-exploited-in-attacks/
bleepingcomputer[.]com/news/security/recently-patched-apple-chrome-zero-days-exploited-in-spyware-attacks/
The list of impacted devices spans older and newer models and includes:
iPhone 8 and later
iPad mini 5th generation and later
Macs running macOS Monterey and newer
Apple Watch Series 4 and later
Security researchers with the Citizen Lab and Google's Threat Analysis Group (TAG) revealed today that three zero-days patched by Apple on Thursday were abused as part of an exploit chain to install Cytrox's Predator spyware.

Between May and September 2023, the attackers exploited the bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in attacks using decoy SMS and WhatsApp messages to target former Egyptian MP Ahmed Eltantawy after he announced plans to run in the Egyptian presidential election in 2024.
"In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection," Citizen Lab explained.
"When Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt's network automatically redirected him to a malicious website to infect his phone with Cytrox's Predator spyware."
On iOS devices, the attackers' zero-day exploit used CVE-2023-41993 for initial remote code execution (RCE) in Safari using maliciously crafted web pages, the CVE-2023-41991 bug to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation.
The exploit chain was triggered automatically after the redirection, deploying and running a malicious binary that decides whether the spyware implant should be installed on the compromised device.
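The redirect step above only works because the victim's request went out over plaintext HTTP, which lets a device at the carrier's network edge answer first. The script below is an added example, not code from the article or from Citizen Lab, showing the detection logic a defender could run over a device or proxy log to spot that pattern: a plaintext request answered with a redirect to a different host, and, more telling, one destination host being reached from several unrelated plaintext origins. The log format and all hostnames are constructed for the example; the benign case of an https:// upgrade to the same host is deliberately not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample log in a hypothetical format (not any real proxy format):
# "<status> <requested_url> <Location header, or '-' if none>", one exchange per line.
SAMPLE_LOG = """\
302 http://news-example.test/article/1 https://landing-example.test/c/1
200 http://news-example.test/article/1 -
302 http://weather-example.test/today https://landing-example.test/c/2
301 http://forum-example.test/ https://forum-example.test/
302 https://bank-example.test/login https://bank-example.test/auth
307 http://shop-example.test/cart http://landing-example.test/c/3
404 http://shop-example.test/missing -
"""


@dataclass(frozen=True)
class Exchange:
    status: int
    url: str
    location: Optional[str]

    @property
    def plaintext(self) -> bool:
        # Only http:// requests can be answered by an on-path injector.
        return urlsplit(self.url).scheme == "http"

    @property
    def host(self) -> Optional[str]:
        return urlsplit(self.url).hostname

    @property
    def redirect_host(self) -> Optional[str]:
        # A relative Location (e.g. "/login") has no host and is treated as same-origin.
        if self.location is None:
            return None
        return urlsplit(self.location).hostname


def parse_log(text: str) -> List[Exchange]:
    exchanges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, url, location = line.split(maxsplit=2)
        exchanges.append(Exchange(int(status), url, None if location == "-" else location))
    return exchanges


def is_suspicious(ex: Exchange) -> bool:
    """True for a plaintext HTTP request that was answered with a redirect to another host.

    An https:// upgrade to the same host is the normal, benign case and is ignored.
    """
    if not ex.plaintext or ex.status not in REDIRECT_STATUSES:
        return False
    target = ex.redirect_host
    return target is not None and target != ex.host


def find_injection_targets(exchanges: List[Exchange], min_sources: int = 2) -> Dict[str, List[str]]:
    """Group suspicious redirects by destination host.

    One destination reached from several unrelated plaintext origins is the signature of
    an injector sitting at a network chokepoint rather than of any single misbehaving site.
    """
    sources = defaultdict(set)
    for ex in exchanges:
        if is_suspicious(ex):
            sources[ex.redirect_host].add(ex.host)
    return {target: sorted(hosts) for target, hosts in sources.items() if len(hosts) >= min_sources}


if __name__ == "__main__":
    exchanges = parse_log(SAMPLE_LOG)
    for ex in exchanges:
        if is_suspicious(ex):
            print(f"suspicious: {ex.status} {ex.url} -> {ex.location}")
    print("likely injection targets:", find_injection_targets(exchanges))
```

Run against real data, the heuristic needs an allowlist for legitimate cross-host redirects (CDNs, login providers), and it cannot see injection that happened before logging started; its value is the correlation across unrelated origins, which a single-site redirect does not give.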
Google TAG also observed the attackers using a separate exploit chain to drop Predator spyware on Android devices in Egypt, exploiting CVE-2023-4762—a Chrome bug patched on September 5th—as a zero-day to gain remote code execution.