NSO Group is required to provide Pegasus Spyware to WhatsApp by a U.S. court order.

Mar 02, 2024 | Newsroom | Spyware / Privacy

As part of the social media giant’s ongoing legal battle with the Israeli spyware vendor, a U.S. judge has ordered NSO Group to give Meta its source code for Pegasus and other products.

The court’s decision is a significant legal victory for Meta, which filed the lawsuit in October 2019, accusing NSO Group of using its network to distribute the spyware to roughly 1,400 mobile devices between April and May. Two dozen Indian activists and journalists were also among the targets.

In order to deliver Pegasus, the attackers exploited a critical buffer overflow bug in the instant messaging app’s voice call functionality (CVE-2019-3568, CVSS score: 9.8) simply by placing a call, even when the calls were left unanswered.

In an effort to avoid detection, the attack chain also included measures to remove the incoming call information from the logs.

According to court documents released late last month, NSO Group has been asked to provide “information regarding the full functionality of the relevant spyware,” specifically for a year prior to the alleged attack and one year thereafter (i.e., from April 29, 2018 to May 10, 2020).

However, NSO Group doesn’t need to “provide specific information regarding the server architecture at this time,” because WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware.” Perhaps more importantly, it hasn’t been required to reveal the identities of its clients.

It is disappointing that NSO Group will be able to keep the identity of its clients, who are responsible for this unlawful targeting, secret, according to Donncha Cearbhaill, head of Amnesty International’s Security Lab.

In 2021, NSO Group was ordered by the United States to develop and supply cyber weapons to foreign governments that “use these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

However, Meta faces mounting scrutiny from privacy and consumer protection organizations in the European Union over its “pay or okay” (also known as “pay or consent”) subscription model, which they claim is a Hobson’s choice between paying a “privacy fee” and consenting to be tracked by the company.

“This places the control over personal data in a luxury rather than a fundamental right, directly undermining existing discriminatory exclusions,” they said, adding that the practice would violate GDPR regulations.

The development comes as Recorded Future revealed a new multi-tiered delivery system for Predator, a mercenary mobile spyware managed by the Intellexa Alliance.

Predator customers are most likely located in countries like Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. It’s worth noting that no Predator customers had been found in Botswana and the Philippines until now.

Predator operators “react to public reporting by altering certain aspects of their infrastructure, but they seem to stick to their mode of operation, which includes consistent spoofing themes and a focus on different types of organizations, such as news outlets, while adhering to established infrastructure setups,” the company said.

In its own report on the Predator spyware ecosystem, Sekoia claimed to have found three customer-related domains in Botswana, Mongolia, and Sudan, and that it had noticed a “significant increase in the number of generic malicious domains that do not provide information on the targets and potential customers.”
