Bill Marczak
@billmarczak
Followers
12,919
Following
346
Media
452
Statuses
7,710
senior researcher @citizenlab , phd @UCBerkeley , co-founder @BHWatch . كلنا راجعين
Berkeley, CA
Joined January 2010
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Eagles
• 232598 Tweets
Packers
• 133849 Tweets
श्री गणेश
• 123537 Tweets
Ganesh Chaturthi
• 117299 Tweets
गणपति बप्पा
• 87165 Tweets
भगवान गणेश
• 45130 Tweets
#二度と撮れない画像を貼れ
• 43577 Tweets
JustinOn NCAA100Kickoff
• 34349 Tweets
Party Love AndaLookkaew
• 34118 Tweets
Jordan Love
• 33114 Tweets
#GanpatiBappaMorya
• 31339 Tweets
#マイナビTGC
• 26019 Tweets
#Smoke1stWin
• 24062 Tweets
#学マスデビュー初心_名古屋
• 18735 Tweets
ビッグラン
• 16685 Tweets
Nikocado Avocado
• 12730 Tweets
ボンドガール
• 10559 Tweets
クリスマスパレード
• 10530 Tweets
紫苑ステークス
• 10372 Tweets
THREAD with a couple of interesting bits from
@AmnestyTech
's new report on what they learned from looking for NSO Group's spyware on phones
18
952
2K
Stop and UPDATE your iPhones to iOS 14.8 NOW!!! We
@citizenlab
recovered NSO Group's FORCEDENTRY zero-click exploit (CVE-2021-30860) from the phone of a Saudi activist, and shared w/ Apple, who released iOS 14.8 today with a fix.
27
902
1K
@AmnestyTech
(1)
@AmnestyTech
saw an iOS 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. We at
@citizenlab
also saw 14.6 device hacked with a zero-click iMessage exploit to install Pegasus. All this indicates that NSO Group can break into the latest iPhones.
31
677
1K
It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain't solving.
15
258
830
NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees.
4
166
510
NEW REPORT today from
@Reuters
@JoelSchectman
providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets
7
225
406
Here are some instructions we released (in Arabic and English) on how to check if your phone was targeted by KINGDOM, the Saudi-linked operator of NSO Group's Pegasus spyware.
15
213
329
Phone logs show that (at least some of) the iOS 13.x and 14.x zero-click exploits deployed by NSO Group involved ImageIO, specifically the parsing JPEG and GIF images. ImageIO has had more than a dozen high-severity bugs reported against it in 2021.
2
94
373
BlastDoor is a great step, to be sure, but it's pretty lame to just slap sandboxing on iMessage and hope for the best. How about: "don't automatically run extremely complex and buggy parsing on data that strangers push to your phone?!"
6
48
363
Wow! NSO seemingly failed to password-protect their server hosting oodles of location-tracking data from their pandemic-fighting (read: mass surveillance) Fleming system. Exactly the kind of breach you don’t want when your core business is secrecy...
7
179
332
New
@citizenlab
report "BREAKING THE NEWS", in which we show how New York Times journalist Ben Hubbard was hacked with Pegasus twice (July 2020 and June 2021), both after he complained to NSO about previous hacking attempts against him
9
161
340
Wow... Kaspersky apparently managed to obtain an iOS kernel exploit from the
#Triangulation
attack! Just patched as CVE-2023-32434 in iOS 16.5.1. That's pretty much "as good as it gets" in terms of capturing an exploit chain.
3
92
367
Because the 0-clicks they're using appear to be quite reliable, the lack of traditional "persistence" is a feature, not a drawback of the spyware. It makes the spyware more nimble, and prevents recovery of the "good stuff" (i.e., the spyware and exploits) from forensic analysis
4
59
282
Wow... The UAE and Saudi governments have gotten so much data from hacking phones with NSO’s Pegasus spyware that they don’t know what to do with it all. So, NSO has hired Israeli military veterans to help them. Blockbuster report from
@Haaretz
.
5
167
277
Because NSO infection servers used TLS, and because they were using 4th-level subdomains for infection, NSO needed to register *wildcard 3rd-level* TLS certs. Just look at these.. they look really weird, right? I'm sure you can imagine how to find a bunch more in public data 🤔
4
35
271
NEW: I've come out of self-imposed retirement from my
@Medium
blog to write some thoughts about the FSB and Kaspersky's discovery of the
#Triangulation
attack:
7
77
264
WOW. Bombshell investigation from
@tomer_ganon
at
@calcalist
shows that an Israeli police SIGINT unit used NSO's Pegasus spyware to target leaders of anti-Netanyahu protests in Israel, without obtaining a warrant.
6
153
248
(2):
@AmnestyTech
also found that after
@citizenlab
's Dec 2020 report mentioning the zero-click hacking of Al Jazeera, NSO Group switched to Amazon's CloudFront to deliver exploits (lololol).
@AmnestyTech
reported this to Amazon, who took action to try and block the activity.
1
43
216
NEW: I did a deep dive into the corporate structure behind the ToTok VoIP app. A classified US intelligence assessment (reported by NYT) says that ToTok is a spy tool developed by UAE intelligence.
2
145
191
We've got a neat new
@citizenlab
report out, looking at NSO Group affiliate company Circles, the we-spy-without-hacking-your-phone guys, who reportedly exploit flaws in mobile phone networks themselves. We ID'd a bunch of likely customers!
2
133
195
The Financial Times has seen the forensic report on the alleged hack of Bezos' phone, done by FTI Consulting. They say that the forensic report "does not claim to have conclusive evidence," and "could not ascertain what alleged spyware was used."
10
131
191
Also, (3) as
@AmnestyTech
observed and we
@citizenlab
can confirm, NSO Group's Pegasus spyware delivered via 0-click exploits is no longer "persistent" in the strict sense of the word (i.e., doesn't come back when you reboot). Persistence is achieved via firing the 0-click again
7
39
197
🚨BIG
@citizenlab
report on an NSO Group hacking bonanza. In late 2019 and in July 2020, NSO Group clients appear to have used an invisible 0-click exploit in iMessage to break into the latest, up-to-date iPhones. Some of the first target were journalists
5
141
182
ICYMI, some new info about yesterdays Apple updates! Working w/
@maddiestone
, we managed to capture a full iOS zero-day exploit chain. The chain was targeted at fmr Egyptian MP Ahmed Eltantawy, who has said he will challenge el-Sisi in the 2024 Elections
4
54
205
DataUsage.sqlite is a file in an iTunes backup that records process names accessing the mobile data, as well as bytes uploaded and downloaded. Information can persist in here for *years* unless cleaned up. So, in around 2019, NSO Group decided to try their hand at cleaning it up.
2
27
178
MAJOR scoop by
@Haaretz
: In June 2017, NSO Group execs presented the Pegasus spyware system to the Saudi Royal Family in defiance of Israel’s Defense Ministry, and sold Pegasus to the Saudis for $55m. The system has a 0-click infection capability.
8
163
163
NEW: Last week, we
@citizenlab
captured a "zero-click" exploit used to install Pegasus on the latest version of iOS, 16.6. The exploit installed Pegasus without any interaction from the victim, and was virtually invisible
3
98
183
Most of the information is in two tables, ZLIVEUSAGE and ZPROCESS. Entries in ZLIVEUSAGE reference an implicit foreign key in ZPROCESS, but there is no formal DB constraint, nor is there an ON DELETE CASCADE. Sooo... NSO deleted entries from ZPROCESS but not ZLIVEUSAGE.
2
17
158
(4) One of the other interesting bits here is just how much of pain it is to do phone forensics.
@AmnestyTech
couldn't do much w/ Android (as a lot of logs that are easy-to-access are wiped on device reboot), and the highest-signal iPhone analysis was limited to DataUsage.sqlite
1
20
154
This leaves an implicit inconsistency in the database which can be observed. Oh, and also you can just run "strings" on the DataUsage.sqlite file and find the deleted entries...
3
17
147
Wrench
#1
: NSO instituted "port-knocking" on their C&C servers. Originally, it looked like this (really freeking bizarre, right?), but then they switched to a much smarter scheme that only uses 80 and 443. This means C&Cs had no open ports to scan.
3
25
157
BREAKING: A UK court has found Sheikh Mohammed (the Emir of Dubai) responsible for the use of NSO Group's spyware to hack the iPhones of his ex-wife Princess Haya, her staff, and her lawyers (including Fiona Shackleton), in their ongoing child custody case
5
83
121
I'm not going to burn
@citizenlab
's exact process here, but I *do* want to relate a really fascinating story. Previously, we used to detect most of these through IP-based Internet scanning. But NSO threw three new major wrenches into our process here in 2018.
2
19
126
Check out our new
@citizenlab
report on Pegasus in Thailand, in collaboration with
@iLawFX
and
@DigitalReachSEA
:
3
62
132
The way Kaspersky wrote this, it's an interesting case study of defenders working out how to capture a zero-click exploit. I especially like that Kaspersky said what they tried that *didn’t work*, in addition to what did ultimately work. Let’s dive in with a thread!
3
28
132
We believe that the FORCEDENTRY exploit has been in use by NSO Group since at least February 2021. According to Apple's analysis, the exploit works against all iOS, MacOS, and WatchOS versions prior to those released September 13, 2021 (today).
7
33
118
But, today I learned that Apple (et al) do *not* force end-to-end encryption of push notifications payloads(!!) In fact, there’s even this in the Apple documentation
2
28
126
The judgements in the Sheikh Mohammed/Princess Haya NSO Pegasus hacking case have just been posted by the UK High Court: . Read on for a THREAD where I highlight some interesting bits from the hacking fact finding judgement.
7
67
116
NEW today from
@joel_schectman
and
@Bing_Chris
: the incredible story of how one Saudi woman (
@LoujainHathloul
) helped keep all of our iPhones safe, and helped seriously put NSO Group on the ropes around the world
1
54
108
CIA: "High confidence" that Crown Prince Mohammed bin Salman ordered Jamal Khashoggi’s assassination
10
67
88
NEW REPORT: A Saudi-linked operator of NSO Group’s Pegasus government spyware targeted and likely infected the phone of Canadian permanent resident Omar Abdulaziz
@oamaz7
, who has been vocal about the diplomatic spat between Canada and Saudi Arabia
51
53
89
Some interesting new details from Kaspersky about the Triangulation (suspected US Government) iPhone hacking campaign. TLDR: Seems like attackers making more highly questionable operational security decisions…
2
43
122
We found the exploit and shared w/ Apple last Tuesday (Sep 7), and they released a fix today (six days later), underscoring the urgency of the update.
3
32
106
The exploit is invisible to the target, but in our forensic analysis, we found 31 files with the ".gif" extension on a target's phone. Of course, they weren't GIFs at all! 27 of them were the same 748-byte Adobe PSD file, and four were PDFs.
2
28
107
WhatsApp "sent a special WhatsApp message to approximately 1,400 users" to notify them that they were targeted by NSO Group's "missed call" phone hack:
0
72
97
Wrench
#3
: The infection servers' domain names no longer appeared in SMSes. Instead, NSO created "URL shortener servers" hosted on shared-IP hosting that redirected to these bizarre 4th-level subdomains. Shared-IP hosting means scanning by IP will *not hit* the infection servers.
1
13
106
Man this is like the 3rd time Kaspersky has burned a
#FruityArmor
Windows 0day! Interesting also that they mention FruityArmor (UAE) as sharing tech w/ a new APT called
#SandCat
(probably Saudi)
2
53
94
Wrench
#2
: NSO appeared to institute "DNS-knocking" on their infection servers. An arbitrary high (or low) numbered port is opened on the infection server when a victim sends a DNS query for a random 4th-level subdomain of an infection domain, like this:
1
17
107
NEW report from Project Zero looking into how NSO Group's FORCEDENTRY zero-click exploit works; it's an astounding story involving looping .GIFs, an esoteric late-90s fax machine compression algorithm, and Turing machines
Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists,
activists and dissidents around the world.
65
2K
5K
1
45
104
Uh oh. It looks like the US state of Nevada has partnered with a UAE intelligence-linked company (Group 42) on COVID19 testing. It seems that Group 42 will get access to test data from US Citizens, which they will use for an "innovative genomic study."
5
97
99
Another bit (5), is the fact that
@AmnestyTech
(and also
@citizenlab
) were able to trace NSO's "version 4" domain names, which NSO was using for command-and-control thru mid-2020, and for exploit/payload delivery thru early-2021. So how did this mapping work?
1
13
100
Watch 'The Spy in Your Phone' by
@AJEnglish
, the story of how 36 Al Jazeera journalists were hacked with NSO Group's Pegasus spyware! Presented by
@TamerMisshal
, with guests including me,
@cooperq
,
@Ingleton
,
@JennaMC_Laugh
, and others!
2
59
99
For those that missed it, my analysis of Zoom’s encryption. TLDR: It's suboptimal, but the good news is: if you’re holding a casual/social event on Zoom, you don’t need to worry. Also Zoom have committed to improving the security of their app. Let's see!
6
40
92
These three wrenches were a direct challenge to the IP-based Internet scanning methodology we used in 2018. However... what NSO taketh away, NSO also giveth :).
1
9
94
Spain's Govt discovers a suspected case of foreign espionage w/ NSO Group's Pegasus spyware against the PM and Defense Minister. Looks like more awkwardness from NSO selling Pegasus both to EU govs, and also to foreign govs spying on those same EU govs.
3
57
96
New
@citizenlab
report,
#ProjectTorogoz
, documenting the use of NSO's Pegasus spyware in El Salvador, in collab w/
@AccessNow
, w/ assistance from
@FrontLineHRD
@MohdMaskati
,
@socialtic
, and
@fundacionacceso
, and w/ peer review from
@AmnestyTech
1
43
93
Since NSO (or clients) control the DNS servers for the 3rd-level domain (e.g., *.f15fwd322[.]regularhours[.]net), they respond to the lookup, and have the chance to open the appropriate port on the infection server.
1
10
95
NSO Group is apparently considering selling off its Pegasus spyware division, changing the name of the company, and focusing on turning itself into a big data analytics company, ala Palantir.
5
52
82
Exciting new report from
@citizenlab
colleagues: WeChat trains its censorship filter for Chinese users on documents and images sent by users outside of China. What this means: by communicating on WeChat, you help improve censorship for users in China.
1
34
79
Fascinating report today from
@RonanFarrow
on NSO Group, coinciding with our new
@citizenlab
report on spyware attacks against Catalan targets in Spain. First, some of the big findings:
1
40
82
I wrote up a brief technical note on FTI Consulting's forensic report into the Jeff Bezos Hack, with some thoughts on where the investigation should go next:
1
46
72
Some major new news about the WhatsApp "missed call" hack from May 2019: WhatsApp generated a list of 1,400 users who they suspect were hacked using the method, and they're suing NSO Group under CFAA. On their list? At least 100 members of civil society:
1
49
68
Using just this one website (plus the Wayback Machine, passive DNS data, and Internet scan data) we were able to map out a total of 885 websites in 29+ languages, potentially geared towards assets in 36+ countries.
2
17
75
Big news from
@citizenlab
, we have a NEW SPYWARE MAP! This time, the map shows countries where devices infected with NSO Group's Pegasus spyware appear to be located. Read about how we generated it here:
2
63
75
For the first time ever, there are public PCAPs showing nation-state spyware injection. The PCAPs show a device on Turk Telekom’s network injecting HTTP 307 redirects to files containing targeted spyware. Check them out here! [2/n]
1
49
71
Interesting analysis by
@AmnestyTech
of leaked documentation and marketing materials pertaining to Cytrox/Intellexa’s Predator spyware, part of the
#PredatorFiles
project:
5
37
81
Very interesting new report from
@calcalist
with details of how the Israeli police SIGINT unit uses Pegasus. I don't think we've seen this sort of detail from the operator's side before
4
45
73
For about a week, I was extremely puzzled about the whole Push Notifications spying story. I assumed that push notifications services (e.g., APNs) naturally implemented end-to-end encryption for push notification payloads (like iMessage does, and iMessage is built on APNs).
1
11
75
Check out our NEW
@citizenlab
report "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers", in which we uncover traces of a new iOS 14 zero-click deployed against civil society from (at least) Jan through Nov 2021
1
53
71
A UK court has found Sheikh Mohammed (the Emir of Dubai) responsible for the use of NSO Group's Pegasus spyware to hack the iPhones of his ex-wife Princess Haya, her staff, and her lawyers (including Fiona Shackleton), in their ongoing child custody case.
1
29
58
HUGE
@Haaretz
investigation reveals widespread abuse of Israeli surveillance products in several countries to identify and monitor activists, political opposition, and gay people
2
88
58
NEW: NYT reporting that the FBI is a Pegasus customer, and can hack US numbers. But the claim is FBI only "tested" the system and didn't use against any real targets 🙄. The purchase itself makes sense, given the FBI's use of other commercial spyware
3
28
63
NEW
@citizenlab
REPORT: NSO Group had a busy 2022, in which they appear to have debuted 3 iPhone zero-click exploits, deployed against civil society targets around the world running iOS 15 and 16. We break down the technical details in our latest report
3
31
67
Wow, ANOTHER phenomenal scoop from
@tomer_ganon
@calcalist
: Israeli police had a practice of using Pegasus to conduct fishing expeditions against local elected officials and their families, sometimes only because somebody had a "gut feeling"
3
28
57
We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.
4
27
59
Interesting: apparently there are discussions for NSO to be acquired for as little as $300M. As part of the sale, NSO might cut off all of its non-Five-Eyes Pegasus customers (i.e., most of them), and focus exclusively on Five Eyes customers for Pegasus
U.S. venture capital firm in talks to buy Israel's infamous spyware maker NSO
0
11
14
4
27
54
The 2018 reporting also mentions that the websites shared "similar digital signifiers or components", which allowed the Iranians and Chinese to "map out" and compromise the rest of the network given just one website.
1
10
52
You probably first read reporting about the Iranian and Chinese compromise of the CIA's covert communications network in
@JennaMC_Laugh
and
@zachsdorfman
's excellent 2018 Yahoo News story:
2
14
51
Some things to keep in mind re the FBI/Pegasus story. First, it seems unlikely that the FBI were "like, not even switching [their Pegasus system] on." These sorts of systems are typically "on" and available 24x7, not really something you switch on and off
3
25
53
Wow, so not only did Google ban ToTok from the Play Store, they’re now dropping the Play Protect hammer on ToTok, and pushing notifications to Android ToTok users recommending they delete the app from their phones.
2
38
51
BREAKING: Major new investigation from
@FbdnStories
into a leaked list of 50,000+ phone numbers that are said to have been looked up by NSO Group's customers, perhaps as a prelude to the customers hacking into the phones
2
33
54
The scheme to discredit Citizen Lab's NSO Group reports by trying to bait researchers into anti-semitic remarks involved a retired Israeli security official, who was previously linked to Black Cube (the firm that tried to smear Harvey Weinstein's victims).
0
45
47
Really fascinating reporting here on NSO and Candiru. Apparently, there has been a very personal feud between the two companies' CEOs since Candiru "moved onto NSO's turf" by expanding its business to include phone hacking in 2018
1
19
53
Very interesting reporting from
@Bing_Chris
@razhael
: when Apple patched NSO Group's ForcedEntry zero-click exploit in iOS 14.8, the patch also blocked spyware from a second Israeli company: QuaDream.
1
30
53
@KimZetter
Jamal's wife's phone was demonstrably at least a target, I reviewed SMS msgs on her phone that contained links to Pegasus servers. The domain names in the links were operated by an NSO customer spying exclusively in UAE in 2018 (KASH04 in Appendix D)
3
30
52
The CIA network reportedly consisted of benign looking websites with a hidden communications functionality, used by assets around the world to communicate back and forth with their agency handlers.
1
10
48
English translation of the article is available here ("Israel police uses NSO’s Pegasus to spy on citizens"):
2
27
47
A third Greek target of Cytrox's Predator spyware has been revealed. It's
@c_spirtzis
, a former Minister, and current Syriza (center-left party) MP. He received an SMS link to a Predator site, blogspot[.]edolio5[.]com
Τα δύο μηνύματα που έλαβε ο Χρήστος Σπίρτζης από
#Predator
Όπως και στην περίπτωση του
@nasoskook
και του Νίκου Ανδρουλάκη, το ένα λινκ είναι παραλλαγή του μπλογκ edolio5. Το άλλο της Εφημερίδας Συντακτών.
7
74
109
0
35
50
Instead, as a first step, we intend to conduct a limited disclosure process to US government oversight bodies, to ensure that no one connected to these websites will be in danger, while still leading to accountability for this reckless behavior.
1
8
46
WOW.... BREAKING: Apple sues NSO Group; notifies targets who were hacked with NSO's FORCEDENTRY exploit; announces $10M contribution to public interest cybersecurity community
2
14
48
Israel-based NSO Group says that its Pegasus spyware "will not operate outside of approved countries." So does this mean that NSO Group authorized Saudi Arabia to use Pegasus to spy on targets in Canada? Canada should ask Israel this question...
5
26
40
Ok we (finally) have what looks like a small iota of technical data on the Bezos hack. The analysis (using Cellebrite) appears to have found nothing malicious, though "forensic artifacts" on the device suggest data exfiltration after the video was received
4
29
49
Now, for the first time,
@joel_schectman
, through his reporting, was actually able to identify one of those websites, used by an asset in Iran who was caught and served 7 years in prison. He's publishing the site: iraniangoals[.]com.
1
10
45
The guy behind ToTok appears to be our old friend, Tahnoon bin Zayed, who (in)famously bought a spyware system (via his company Mauqah Technology) from Italian surveillance vendor Hacking Team in 2012, which was used to target dissidents including Ahmed Mansoor.
1
27
40
Spyware vendor Candiru is back!
@Avast
detected a Candiru client hacking targets' computers in Lebanon, Turkey, Yemen, and Palestine via a Chrome 0day on compromised websites
2
29
42
Sites using different covert apps and apparently geared towards assets in different countries were sometimes packed together into blocks of sequential IP addresses registered to fictitious US companies.
1
13
44
This Tuesday (5 January) at 20:00 GMT, check out "The Spy in your Phone" on
@AJEnglish
. It's the English translation of
@TamerMisshal
's blockbuster #ما_خفي_أعظم program on the hacking of 36 Al Jazeera journalists with NSO Group's Pegasus spyware
0
14
37
