Apple has patched three vulnerabilities, discovered and reported by security researchers from Citizen Lab and Google's Threat Analysis Group (TAG), that attackers were actively exploiting to install Cytrox's Predator spyware, as detailed in a report by Citizen Lab.
The main target of these attacks was Ahmed Eltantawy, a former Egyptian deputy who had expressed his intention to participate in the presidential election in 2024. The hackers leveraged the vulnerabilities identified as CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 by sending fake SMS and WhatsApp messages.
According to the researchers, the attack was also carried out by redirecting Eltantawy's Vodafone Egypt mobile device to a malicious resource when it visited unprotected HTTP websites, resulting in the infection of the device with the Predator spyware.
One of the vulnerabilities, CVE-2023-41993, was exploited to achieve remote code execution in Safari, while CVE-2023-41991 was used to bypass digital signatures and CVE-2023-41992 to elevate system privileges.
In addition, Google TAG observed attempted attacks on Android devices in Egypt that exploited a vulnerability in Chrome tracked as CVE-2023-4762.
The Apple security team confirmed that the attack would be impossible to carry out on devices protected by Lockdown Mode, a security feature specifically designed to prevent such exploits. Citizen Lab strongly recommends that all Apple users install the latest updates promptly and activate Lockdown Mode to enhance their device security.
In their investigation, Citizen Lab also identified two other vulnerabilities, CVE-2023-41061 and CVE-2023-41064, which