Apple users should immediately update all their devices – iPhones, iPads, Macs & Apple Watches – to install an emergency patch for a zero-click zero-day exploited by NSO Group to install spyware.
Citizen Lab urges Apple users to update immediately. The new zero-click zero-day Forced Entry flaw affects all things Apple: iPhones, iPads, Macs & Watches.
The security updates, pushed out by Apple on Mon., include iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch & macOS. The patches will fix at least 1 vulnerability that the tech giant stated, “may have been actively exploited.”
Citizen Lab 1st discovered the never-before-seen, zero-click exploit, which it detected targeting iMessaging, last month. It’s allegedly been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware, according to the cyber-security watchdog.
The digital researchers dubbed the new iMessaging exploit Forced Entry.
Citizen Lab said in Aug. that it had identified 9 Bahraini activists whose iPhones were infected with Pegasus spyware between June 2020 & Feb. 2021. Some of the activists’ phones suffered zero-click iMessage attacks that, besides Forced Entry, also included the 2020 KISMET exploit.
The activists included 3 members of Waad (a secular Bahraini political society), 3 members of the Bahrain Centre for Human Rights, 2 exiled Bahraini dissidents, & 1 member of Al Wefaq (a Shiite Bahraini political society), Citizen Lab wrote.
The Forced Entry exploit was particularly notable in that it was successfully deployed against the latest iOS versions – 14.4 & 14.6 – blowing past Apple’s new Blast Door sandboxing feature to install spyware on the iPhones of the Bahraini activists.
Citizen Lab 1st observed NSO Group deploying Forced Entry in Feb. 2021. Apple had introduced Blast Door, a structural improvement in iOS 14 meant to block message-based, zero-click exploits like these NSO Group-associated attacks, only the month before.
Blast Door was supposed to prevent this type of Pegasus attack by acting as what Google Project Zero’s Samuel Groß called a “tightly sandboxed” service responsible for “almost all” of the parsing of untrusted data in iMessages.
In a post on Mon., Citizen Lab researchers explained that in March 2021, they had examined the phone of a Saudi activist who requested anonymity & determined that the phone had been infected with NSO Group’s Pegasus spyware. Last Tues., Sept. 7, Citizen Lab forwarded artifacts from 2 types of crashes on another phone that had been infected with Pegasus, suspecting that both infections showed parts of the Forced Entry exploit chain.
Citizen Lab forwarded the artifacts to Apple on Tues., Sept. 7. On Mon., Sept. 13, Apple confirmed that the files included a zero-day exploit against iOS & MacOS. Apple has designated the Forced Entry exploit CVE-2021-30860: an as-yet-unrated flaw that Apple describes as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
NSO Group’s Tracks
Citizen Lab described several distinct elements that give researchers high confidence that the exploit can be tied to the secretive Israeli spyware maker NSO Group, including a forensic artifact called Cascade Fail.
Cascade Fail is a bug whereby “evidence is incompletely deleted from the phone’s DataUsage.sqlite file,” according to Citizen Lab. In Cascade Fail, “an entry from the file’s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry,” they described.
That has NSO Group’s fingerprints, they explained: “We have only ever seen this type of incomplete deletion associated with NSO Group’s Pegasus spyware, & we believe that the bug is distinctive enough to point back to NSO.”
Another telltale sign: multiple process names installed by the Forced Entry exploit, including the name “setframed”. That process name was used in an attack with NSO Group’s Pegasus spyware on an Al Jazeera journalist in July 2020, according to Citizen Lab: a detail that the watchdog didn’t reveal at the time.
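As an added illustration (not code from Citizen Lab or from the article), the check below looks for the Cascade Fail pattern in a constructed copy of the two DataUsage.sqlite tables: ZLIVEUSAGE rows whose process reference no longer matches any ZPROCESS row. The column names Z_PK, ZPROCNAME and ZHASPROCESS are assumed from Core Data naming conventions, and the sample rows are made up.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample tables standing in for an iOS DataUsage.sqlite. The
# column names (Z_PK, ZPROCNAME, ZHASPROCESS) follow Core Data's naming
# convention and are an assumption here, not taken from the article.
SCHEMA = """
CREATE TABLE ZPROCESS   (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
                         ZWIFIIN INTEGER, ZWWANOUT INTEGER);
"""

# Process name the article ties to the exploit; extend with your own list.
SUSPICIOUS_PROCNAMES = {"setframed"}

def build_sample_db() -> sqlite3.Connection:
    """Build an in-memory DB in which one process was deleted Cascade-Fail style."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?)", [
        (1, "mobilesafari", "com.apple.mobilesafari"),
        (2, "imagent", "com.apple.imagent"),
        (3, "setframed", None),                 # constructed; deleted below
    ])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?)", [
        (10, 1, 4096, 512), (11, 2, 128, 64),
        (12, 3, 20480, 9000), (13, 3, 1024, 300),
    ])
    # Cascade Fail: the ZPROCESS row is removed, its ZLIVEUSAGE rows stay behind.
    conn.execute("DELETE FROM ZPROCESS WHERE Z_PK = 3")
    conn.commit()
    return conn

def find_orphaned_usage(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """(ZLIVEUSAGE.Z_PK, ZHASPROCESS) for usage rows that point at no ZPROCESS."""
    sql = """SELECT u.Z_PK, u.ZHASPROCESS
             FROM ZLIVEUSAGE u LEFT JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
             WHERE p.Z_PK IS NULL ORDER BY u.Z_PK"""
    return conn.execute(sql).fetchall()

def find_suspicious_procnames(conn: sqlite3.Connection) -> List[str]:
    """Surviving ZPROCESS names that match the known-bad list (misses deleted ones)."""
    rows = conn.execute("SELECT ZPROCNAME FROM ZPROCESS").fetchall()
    return sorted(r[0] for r in rows if r[0] in SUSPICIOUS_PROCNAMES)

if __name__ == "__main__":
    db = build_sample_db()
    for usage_pk, proc_pk in find_orphaned_usage(db):
        print(f"orphaned ZLIVEUSAGE row {usage_pk} -> missing ZPROCESS {proc_pk}")
```

The name-based check comes back empty once the ZPROCESS row is gone, which is why the orphan join is the more durable indicator.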
Mercenaries & Criminals
Zero-click remote exploits, such as the novel method Pegasus uses to invisibly infect an Apple device without the victim’s knowledge or any action on the victim’s part, were used to infect 1 victim for as long as 6 months. They’re pure gold to governments, mercenaries & criminals who want to secretly watch targets’ devices without being detected.
Pegasus is a powerful spyware: it can turn on a target’s camera & microphone so as to record messages, texts, emails, & calls, even if they’re sent via encrypted messaging apps such as Signal.
NSO has long maintained that it only sells its spyware to a handful of intelligence agencies in countries that have been thoroughly vetted on their human rights records. The company has repeatedly tried to keep up that narrative, taking the tactic of questioning Citizen Lab’s methods & motives.
As pointed out by Hank Schless, Senior Manager of Security Solutions at endpoint-to-cloud security company Lookout, the narrative is now threadbare. “The recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims,” he outlined.
“Since Lookout & The Citizen Lab 1st discovered Pegasus back in 2016, it has continued to evolve & take on new capabilities,” he elaborated. “It can now be deployed as a zero-click exploit, which means that the target user doesn’t even have to tap a malicious link for the surveillance-ware to be installed.”
While the malware has adjusted its delivery methods, the basic exploit chain remains the same, Schless continued.
“Pegasus is delivered via a malicious link that’s been socially engineered to the target, the vulnerability is exploited & the device is compromised, then the malware communicates back to a command-&-control (C2) server that gives the attacker free rein over the device.”
Cache of Links
“Many apps will automatically create a preview or cache of links in order to improve the user experience. Pegasus takes advantage of this functionality to silently infect the device.”
Schless explained that this is an example of how important it is for both individuals & enterprise organisations to have visibility into the risks their mobile devices present, Pegasus being just one “extreme, but easily understandable example.”
“There are countless pieces of malware out there that can easily exploit known device & software vulnerabilities to gain access to your most sensitive data,” he continued.
“From an enterprise perspective, leaving mobile devices out of the greater security strategy can represent a major gap in the ability to protect the entire infrastructure from malicious actors. Once the attacker has control of a mobile device or even compromises the user’s credentials, they have free access to your entire infrastructure.
“Once they enter your cloud or on-prem apps, they can move laterally & identify sensitive assets to encrypt for a ransomware attack or exfiltrate to sell to the highest bidder.”
Kevin Dunne, President at unified access orchestration provider Pathlock, noted that the Pegasus infections point to the need for businesses to look beyond securing servers & workstations as primary targets for cyber-attacks & espionage. “Mobile devices are now used broadly and contain sensitive information that needs to be protected,” he explained.
To protect themselves against spyware, businesses should look at their mobile device security strategy, Dunne stated – particularly when threats come in forms that are far more insidious than suspicious SMS messages or phishy links that security teams can train users to avoid.
“Spyware attackers have now engineered zero click attacks which are able to get full access to a phone’s data & microphone/camera by using vulnerabilities in 3rd party apps or even built-in applications,” Dunne outlined.
“Organisations need to make sure they have control over what applications users download on to their phones & can ensure they are up to date so any vulnerabilities are patched.”