SweetQuaDreams or Nightmare Before Christmas? Dissecting an iOS 0Day

Christine Fossaceca , Bill Marczak

Not quite nation states but not quite independent corporations, “private sector offensive actors” (PSOAs) have become one of the latest sophisticated threats. These companies develop and sell surveillance and intrusion capabilities to governments around the world.

While some governments responsibly use the tools to track criminals and terrorists, others instead opt to abuse the tools by spying on journalists, dissidents, or members of their political opposition. The conversation about PSOAs often centers around NSO Group, and their infamous zero-click Pegasus spyware. However, an industry of competitors abounds.

While the final payload of Pegasus has proved elusive for some time, Microsoft and Citizen Lab successfully obtained and analyzed the final payload associated with a separate zero-click mobile threat fielded by an NSO competitor, “QuaDream”. QuaDream’s spyware was used against targets around the world, including journalists, political opposition figures, and an NGO worker. Microsoft named the sample “KingsPawn” and Citizen Lab named the exploit “ENDOFDAYS”.

So what does it take to develop such a zero-click, zero-day attack? What does a modern, top-tier, iOS spyware implant look like? What is the state-of-the-art in mobile threats? And what is the likelihood of you or your employees being targeted by such an attack?

In this talk, we will discuss the discovery of QuaDream’s spyware, outline the zero-click exploit likely used to deliver it, and share our experience reverse engineering the attack surface from the ground up.

Speaker Bios:

Christine Fossaceca is a Senior Mobile Security Researcher at Microsoft, specializing in iOS. She has a background in mobile exploit development, forensic techniques, red teaming, reverse engineering, and penetration testing. Christine’s current focus is on the Defender for Endpoint team, analyzing iOS 0-days and developing features for Security Copilot. She is a co-founder and co-host of the HerHax Podcast, which provides career advice to those interested in entering the cybersecurity field, guidance and community to those already in the field, and technical hot takes on pop culture topics!

Bill Marczak is a Senior Researcher at the University of Toronto's Citizen Lab. Bill's work focuses on documenting and attributing novel technological threats to Internet freedom, including new censorship and surveillance tools. Bill's expertise is in Internet scanning, digital forensics, and open source research. Some of Bill’s past reports have helped uncover mercenary spyware companies such as FinFisher, NSO Group, and Cytrox, documented the use of Sandvine’s deep packet inspection technology for targeted spyware injection in Turkey, and discovered China’s Great Cannon, a countrywide infrastructure for hijacking foreign computers to launch DDoS attacks against websites. Coverage of Bill's work has been featured in Vanity Fair, the New York Times, and the Washington Post, and on CNN, Larry King, and 60 Minutes.
