NSO Group Used 3 Zero-Click iPhone Exploits Against Human Rights Defenders


Israeli spyware maker NSO Group deployed at least three new “zero-click” exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab.

“NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets worldwide,” the University of Toronto interdisciplinary lab said.

NSO Group is the maker of Pegasus, a sophisticated cyberweapon that is capable of extracting sensitive information stored on a device (e.g., messages, locations, photos and call logs, among others) in real time. It is typically delivered to targeted iPhones via zero-click and/or zero-day exploits.

While it has been touted as a tool for law enforcement to combat serious crimes such as child sexual abuse and terrorism, it has also been illegally deployed by authoritarian governments to spy on human rights defenders, defenders of democracy, journalists, dissidents and others.

Pegasus’ misuse led to the US government adding NSO Group to its business blacklist in late 2021, and Apple filed its own lawsuit against the company for targeting its users.

In July 2022, it emerged that the spyware had been used against Thai activists involved in the country’s pro-democracy protests between October 2020 and November 2021 through two zero-click exploits called KISMET and FORCEDENTRY.

Two of the targets of the latest campaign uncovered by Citizen Lab include human rights defenders from the Centro PRODH, which represents victims of extrajudicial killings and disappearances by the Mexican military. The intrusions occurred in June 2022.

The campaign involved the use of three different exploit chains called LATENTIMAGE, FINDMYPWN and PWNYOURHOME that weaponized various flaws in iOS 15 and iOS 16 as zero-days to penetrate devices and eventually launch Pegasus:

  • LATENTIMAGE (iOS version 15.1.1, detected January 2022): An exploit suspected to involve the iPhone’s Find My and SpringBoard features
  • FINDMYPWN (iOS versions 15.5 and 15.6, detected June 2022): A two-phase exploit that makes use of the Find My service and iMessage
  • PWNYOURHOME (iOS version 16.0.3, spotted October 2022): A two-phase exploit that combines HomeKit functionality built into iPhones and iMessage to bypass BlastDoor protections

In an encouraging sign, Citizen Lab said it found evidence of Lockdown Mode stepping in to thwart an attempted PWNYOURHOME attack, warning users that it had blocked unknown parties with Gmail and Yahoo! accounts from trying to “access a home”.

The development marks the first publicly documented instance in which Lockdown Mode, designed specifically to reduce the iPhone’s attack surface, has successfully protected a person from a compromise.


That said, Citizen Lab noted that NSO Group “may have discovered a way to fix the notification issue, such as fingerprinting Lockdown Mode.” Since then, Apple has pushed several security improvements to HomeKit in iOS 16.3.1 and sent notifications to targeted victims in November and December 2022 and March 2023.

The findings are the latest example of NSO’s evolving attack techniques to get into iPhones without requiring any target to take any action to trigger the infection.

They also coincide with a new New York Times investigation uncovering Mexico’s use of Pegasus to target human rights defenders in recent months, detailing how the country became the first and most prolific user of the spyware.

In another indication of the widespread nature of these campaigns, Jamf Threat Labs uncovered evidence of a Middle East-based human rights activist as well as a Hungarian journalist being targeted with spyware. Their names were not released.



The attack on the reporter’s iPhone is also significant because the device was an iPhone 6s, which is no longer compatible with the latest version of iOS, indicating the penchant of threat actors to exploit vulnerabilities known and unknown to achieve their goals.

While Apple backports patches for critical flaws to older devices (the current version supported by the iPhone 6s is iOS 15.7.5), it’s important to note that not all vulnerabilities are addressed for legacy devices.

“As a result, threat actors can continue to exploit unpatched vulnerabilities that have been patched on newer supported devices, which could give attackers more time and more information to gain remote access to targeted devices,” Jamf said.

To protect yourself from spyware attacks, it’s recommended to apply the latest operating system updates, upgrade outdated devices to newer iPhone or iPad models, and consider turning on Lockdown Mode.

The UK’s National Cyber Security Centre (NCSC), in an advisory published on 19 April 2023, warned that “the proliferation of commercial cyber tools will pose a growing threat to organizations and individuals globally”.

“The commercial proliferation of cyber tools and services lowers the barrier to entry for state and non-state actors to obtain capabilities and intelligence that they could not otherwise develop or acquire,” the agency said.

For all of us who are passionate about preserving the integrity of the human rights of all people, the recent reports of the infamous NSO Group using three zero-click iPhone exploits against peaceful human rights defenders are truly disturbing.

Zero-click exploits are powerful cyber warfare tools that can gain unfettered access to a device and its data without any input or knowledge from the user. In this case, it was reported that the Israel-based NSO Group used three such exploits against human rights defenders who were peacefully advocating for social justice and government accountability.

This is a gross abuse of technology. Such a slew of intrusive cyber spying tools should not be wielded in a manner where it can be used to silence peaceful political dissent and any efforts to amplify respect for human rights. Here at Ikaroa, we are strong proponents of defending the powerful rights that come with the freedom of expression and we support the efforts of those who fight for this liberty. We stand in solidarity with all of those whose right to express themselves freely has previously been compromised by the malicious actions of the NSO Group.

As an industry, we must come together and develop stronger tools and protocols to negate the threat of these abuses of power. We must also do our best to ensure that those who create and use cyberweaponry are held accountable to the highest ethical standards. Ikaroa is committed to ensuring that human rights are defended and we will continue to be a leader in developing and deploying the technical solutions needed to protect these rights.

