
Pegasus Spyware Snoops On Political Figures Worldwide

Posted on 25th Aug, 2021 | By Surojoy Gupta

{Updated on October 01, 2021}: After the recent wave of Pegasus spyware attacks on iPhones, researchers have discovered a new Trojan campaign being deployed by a group unconnected to NSO. The Trojan masquerades as Amnesty International and promises an antivirus tool, AVPegasus.

Apple patched the Pegasus iMessage vulnerability on September 13. We urge all users to update their iOS versions as soon as possible and not to install any "antivirus" solution that appears to be offered by a legitimate source.

{Updated September 2021}: On September 13, 2021, Apple released fixes for two zero-day vulnerabilities being exploited in the wild, one of which can be used to install the Pegasus spyware on an iPhone. Tracked as CVE-2021-30860, this zero-click zero-day iMessage vulnerability, codenamed FORCEDENTRY, allows attackers to bypass the iOS BlastDoor security feature to deploy the spyware. The other vulnerability, CVE-2021-30858, is a WebKit use-after-free vulnerability that allows attackers to create a maliciously crafted web page that executes code when visited from an iPhone or iPad. CISA issued an advisory as well.
We encourage all users to update their iOS versions immediately. 

{Updated on August 25, 2021}: A never-before-seen zero-click iMessage vulnerability was reportedly being used by the Pegasus spyware to attack Bahraini dissidents between June 2020 and February 2021. The new zero-click vulnerability is able to circumvent the Apple BlastDoor feature, a structural improvement in iOS that sandboxes the iMessage app while it parses untrusted messages, in order to prevent zero-click exploits. Named FORCEDENTRY because of its ability to bypass BlastDoor, this vulnerability exists in iOS versions 14.6 and prior. Since it is unlikely that the flaw has been patched yet, it might affect the latest iOS versions as well.


Israeli zero-click cyber-espionage software recently infected the Apple devices of journalists and politicians from around the world by exploiting three zero-day vulnerabilities. Here is our analysis of these vulnerabilities.


On 18 July 2021, the Pegasus spyware, developed by the Israeli Intelligence agency, NSO Group Technologies, was discovered snooping on the smartphones of journalists and politicians from several countries, including India. 


Pegasus is a highly sophisticated cyber espionage spyware prominently used by governments. The malware infects iPhones and Android devices and enables attackers to record calls, secretly activate microphones, extract messages or photos, and access emails and secondary apps without the user’s knowledge.


The earliest version of the Pegasus spyware was discovered by researchers at Citizen Lab in 2016 after an unsuccessful attempt to infect the phone of a UAE-based journalist through spear-phishing messages. Apple was made aware of the attack and soon discovered three zero-day vulnerabilities (CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657) chained to exploit the journalist’s phone.


Over two years (2016 to 2018), the spyware infected more than 50,000 phones in 45 countries, as well as 8 Indian telecommunication companies such as Bharti Airtel Limited, Hathway IP Over Cable Internet, and Mahanagar Telephone Nigam Limited (MTNL).


On 23 August 2021, a new extortion scam was uncovered that leverages the Pegasus iOS spyware attacks to blackmail people into paying a ransom. The scammer threatens to leak sensitive videos of the victim to business associates and people on the contact list, and to post them on dark web forums, if a sum of money (0.035 bitcoin, approximately $1600 USD) is not paid within a stipulated time frame.

What is Vulnerability Chaining?

Vulnerability chaining is a well-established technique in which threat actors, during reconnaissance, identify direct or peripheral vulnerabilities and weaknesses in both hardware and software and then exploit them in combination to compromise the target host.

The vulnerability chaining technique used by Pegasus in 2016 and 2021 is popularly referred to as Trident. Apple issued an update that patched the security loophole after the 2016 attack, albeit ineffectively.


Could the Pegasus Spyware attacks have been avoided? 


Yes. Apple had issued patches for the security loophole that allowed Pegasus to carry out the phishing attack in 2016. However, Pegasus was still able to use the same Trident vulnerability chaining technique in the recent July 2021 attacks.


In the more recent attack, Pegasus spyware employed a critical zero-click vulnerability (CVE-2019-8646) in the iMessage app of Apple iOS v14.6 alongside the Trident vulnerabilities, in an exploit called KISMET. The iMessage vulnerability allowed Pegasus to create backdoor access to millions of iPhones. A single phishing text message on iMessage was enough to give Pegasus attackers access to the target’s device. Although Apple issued patches for other vulnerabilities in its version update on July 22, it did not patch the iMessage vulnerability. Apple has likely patched the Pegasus spyware vulnerability in its iOS 14.7.1 update; however, the company has not released any definitive statement.


In 2019, WhatsApp reported that attackers had used NSO’s Pegasus spyware to send malware to more than 1400 mobiles by exploiting a zero-day bug. The bug allowed attackers to install malicious code without the target ever clicking on the iMessage app or answering a WhatsApp call. 


CVE Findings

In the recent July 2021 attack, Pegasus spyware used a series of older vulnerabilities paired with an iMessage vulnerability. Here is our analysis of the vulnerabilities:


CVE-2016-4655

  • CVE-2016-4655 exists in the kernel in Apple iOS versions before 9.3.5.

  • The kernel information leak lets an attacker defeat kernel address space layout randomization (KASLR).

  • The vulnerability allows attackers to obtain sensitive information from memory via a crafted application. 

  • Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), this medium-severity vulnerability has a CVSS v3 score of 5.5.

  • CWE-200 appears in MITRE’s latest CWE Top 25 list of vulnerabilities.

  • A patch for the vulnerability was released in 2016. 


CVE-2016-4656

  • CVE-2016-4656 exists in Apple iOS versions 9.3.4 and earlier.  

  • The CVE is a kernel-level memory corruption vulnerability that leads to the jailbreak and eventual installation of surveillance software.

  • The vulnerability allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted application. 

  • Classified under CWE-264 (Permissions, Privileges, and Access Controls), the high-severity vulnerability has a CVSS v3 score of 7.8.

  • A patch for the vulnerability was released in 2016. 


CVE-2016-4657

  • CVE-2016-4657 is a memory corruption vulnerability in Apple Safari WebKit for iOS versions below 9.3.5.

  • The vulnerability allows the attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted website when a user clicks a specific link.

  • Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the high-severity vulnerability has a CVSS v3 score of 8.8.

  • CWE-119 appears in MITRE’s latest CWE Top 25 list of vulnerabilities.

  • A patch for the vulnerability was released in 2016. 

The Pegasus spyware chains the Trident iOS vulnerabilities—CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657—to jailbreak iPhones during an attack.

CVE-2019-8646

  • CVE-2019-8646 is an out-of-bounds read vulnerability discovered in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, and watchOS 5.3. This vulnerability remained present in iOS through version 14.6.

  • The vulnerability lies in the iMessage app of a device and can allow memory to be leaked and files to be read remotely. 

  • The high-severity vulnerability is classified under the weakness enumeration CWE-125 (Out-of-bounds Read) and has a CVSS v3 score of 7.5. The CWE is also listed in the CWE Top 10 vulnerabilities by MITRE.

  • The fix for the bug was released in July 2019. 

  • Apple has likely patched the Pegasus vulnerability in their iOS 14.7.1 update.


Pegasus Spyware Vulnerability Chaining Infographic

IoCs for the Jailbreaks used in Pegasus spyware

  • /--early-boot

  • /var/root/test.app

  • /private/var/tmp/crw

  • /private/var/tmp/cr

  • /private/var/tmp/st_data
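The file-path IoCs above can be checked mechanically against an extracted or mounted iOS filesystem image. The Python below is an added example for this article, not code from CSW, Citizen Lab or MVT; `scan_filesystem_dump`, `demo` and the temporary sample tree are constructed here. It goes one step beyond the list by also matching the /var and /private/var spellings of each path, since on iOS /var is a symlink to /private/var and a dump may record either form.

```python
import tempfile
from pathlib import Path

# File-path IoCs listed in the article for the Trident jailbreak stage.
TRIDENT_PATH_IOCS = [
    "/--early-boot",
    "/var/root/test.app",
    "/private/var/tmp/crw",
    "/private/var/tmp/cr",
    "/private/var/tmp/st_data",
]

def _path_variants(ioc):
    """Yield the IoC and its /var <-> /private/var alias: on iOS /var is a
    symlink to /private/var, so a dump may record either spelling."""
    yield ioc
    if ioc.startswith("/private/var/"):
        yield "/var/" + ioc[len("/private/var/"):]
    elif ioc.startswith("/var/"):
        yield "/private/var/" + ioc[len("/var/"):]

def scan_filesystem_dump(root, iocs=TRIDENT_PATH_IOCS):
    """Check an extracted or mounted iOS filesystem under `root` for each IoC.
    Returns {ioc: path form actually found, or None}. lstat() is used so a
    dangling symlink planted at an IoC location is still reported."""
    findings = {}
    for ioc in iocs:
        findings[ioc] = None
        for candidate in _path_variants(ioc):
            try:
                (Path(root) / candidate.lstrip("/")).lstat()
            except FileNotFoundError:
                continue
            findings[ioc] = candidate
            break
    return findings

def demo():
    """Constructed sample, not real forensic data: plant two IoC paths in a
    temporary tree (one under the /var alias) and scan it."""
    root = tempfile.mkdtemp(prefix="ios_dump_")
    Path(root, "var/root/test.app").mkdir(parents=True)  # app bundle directory
    Path(root, "var/tmp").mkdir(parents=True)
    Path(root, "var/tmp/st_data").write_bytes(b"constructed")
    return scan_filesystem_dump(root)

if __name__ == "__main__":
    for ioc, hit in demo().items():
        print(f"{'HIT ' if hit else 'none'} {ioc}" + (f" (as {hit})" if hit else ""))
```

Run it against the root of a filesystem extraction rather than a live device; a hit on any of these paths is a reason to hand the device to a forensic examiner, and a clean result does not rule out the newer zero-click chains discussed above.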



Pegasus Spyware Attack Methodology


Pegasus spyware takes advantage of how mobile devices and their related features, such as Wi-Fi and mobile data, voice calls, cameras, email and text messaging services, GPS, and passwords, have become integrated with daily life. As a result, Pegasus spyware is highly configurable and can be adapted based on region, language, country of use, and applications installed on the target device. 

A Pegasus spyware attack sequence has three distinct stages. Here is a detailed look at the stages:

  • Stage 1

Attackers send a phishing text message to the target’s device, using the iMessage vulnerability (CVE-2019-8646), and gain initial access to the target’s smartphone. Older methods of compromising a target’s phone included placing a missed call on WhatsApp.

  • Stage 2

Once the attacker gains initial access to the target’s phone, they initiate the Trident iOS vulnerabilities (CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657) to jailbreak the mobile device secretly.

  • Stage 3

Once the mobile device has been jailbroken, the attackers install and execute surveillance software that gathers information and helps them maintain persistence.


Check for compromise and upgrade your devices.


NSO Group, the creator of the Pegasus spyware, was hacked on 20 July 2021, and details about its spyware-as-a-service tools were leaked to the public. Researchers at Amnesty then developed a toolkit for iOS versions 7 to 14.6 that could help people identify whether their phones had been compromised.


The Mobile Verification Tool (MVT) is a forensic tool that looks for signs of infection on a smartphone. The tool works on iPhones and Android devices, albeit a little differently. iPhone users are at an advantage, as they can take a complete backup of their files should any indicators of compromise (IoCs) be discovered on their phones.


Apple released a spyware detector and file transfer tool of their own called iMazing, inspired by the MVT, which makes it easier for iPhone and iPad users to detect traces of the Pegasus spyware. Apple also released a version update, iOS v14.7.1, that seemingly patches the memory corruption vulnerability that the spyware was actively exploiting.


As more people consume information on smartphone devices, the dangers and risks of sophisticated spyware (such as Pegasus) snooping on encrypted information continue to grow. Therefore, organizations and individuals need to equip themselves with the skills necessary to keep their information systems secure and adopt a risk-based approach to boost their security posture. 
