Pegasus Spyware Snoops on Political Figures Worldwide

An Israeli zero-click cyber espionage software called Pegasus has been covertly installed on mobile devices (Apple iOS and Android) of politicians, journalists, anti-regime activists, etc. Securin’s experts investigated the spyware and found that Pegasus exploits three zero-day vulnerabilities. Here is our analysis:

Vulnerability Chaining | Recent Pegasus Attacks | CVE Associations

Attack Methodology | Prevention

On July 18, 2021, the Pegasus spyware, developed by the Israeli Intelligence agency, NSO Group Technologies, was discovered snooping on the smartphones of journalists and politicians from several countries, including India.

Pegasus is a highly sophisticated cyber espionage spyware prominently used by governments. The malware infects iPhones and Android devices and enables attackers to record calls, secretly activate microphones, extract messages or photos, and access emails and secondary applications without the user’s knowledge.

The earliest version of the Pegasus spyware was discovered by researchers at the Citizen Lab in 2016 after it unsuccessfully infected the phone of a UAE-based journalist through spear-phishing messages. Apple was made aware of the attack and soon discovered three zero-day vulnerabilities (CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657) chained to exploit the journalist’s phone.

Over two years (from 2016 to 2018), the spyware infected more than 50,000 phones in 45 countries, including 8 Indian telecommunication companies such as Bharti Airtel Limited, Hathway IP over Cable Internet, and Mahanagar Telephone Nigam Limited.

On August 23, 2021, a new extortion scam was uncovered that leverages the Pegasus iOS spyware attacks to blackmail people into paying a ransom. The scammer threatened to leak sensitive videos of the person to business associates and people on the contact list apart from dark forums, if a sum of money (0.035 bitcoin, approximately $1,600 USD) is not paid within a stipulated time frame. 

Recent Pegasus Attacks

Five Countries Targeted: At least five countries in the region use NSO Group’s Pegasus surveillanceware, which is embroiled in a legal battle with the Israeli government. The disclosure comes after an investigation committee was created in April 2022 to look into alleged violations of EU law following revelations that the company’s Pegasus spyware is being used to snoop on the phones of politicians, diplomats, and members of civil society.

Spanish Prime Minister Targeted: On May 03, 2022, Spanish officials revealed that the cellphones of the Prime Minister and the Defence Minister were infected in May 2021 with the Pegasus spyware that is only available to government agencies in an unauthorized operation.

Apple iMessage vulnerability: The now-patched Apple iMessage vulnerability (CVE-2021-30860), popularly known as the FORCEDENTRY exploit, was not only used by the NSO group but was also separately weaponized by another Israeli firm called QuaDream on February 07, 2022. QuaDream’s spyware, REIGN, was similar to Pegasus in its capabilities and was also used to infect iPhones worldwide.

Finnish Ministry Hacked: On February 02, 2022, after an investigation that commenced in September 2021, the Finnish Ministry for Foreign Affairs discovered that the devices of Finnish diplomats abroad had been hacked and infected with NSO’s Pegasus spyware. The devices included both Apple and Android phones that were infected without any action on the part of the user.

The news comes in the wake of the spyware being discovered targeting the US Department of State employees in early December. The employees’ phones were all infected with Pegasus spyware using the ‘ForcedEntry’ iOS exploit.

Saudi Arabia Targeted: On October 25, 2021, a report by the Citizen Lab revealed that a journalist from The New York Times covering events in Saudi Arabia was repeatedly targeted by the Israeli Pegasus spyware over a period of three years, from 2018 to June 2021. The journalist was working on writing a book about the Saudi Crown Prince, Mohammed bin Salman, at the time of the attacks.

New Trojan Campaign: On October 01, 2021, after the recent wave of Pegasus spyware attacks on iPhones, researchers discovered a new Trojan campaign deployed by a group unconnected to the NSO. The Trojan masqueraded as “Amnesty International” and promised an antivirus tool, AVPegasus.

Apple patched the Pegasus iMessage vulnerability on September 13. We urge all users to update their iOS versions as soon as possible and not entertain any antivirus solutions that may seem as being offered by a legitimate source.

FORCEDENTRY Patches: On September 13, 2021, Apple released fixes for two zero-day vulnerabilities being exploited in the wild, one of which can be used to install the Pegasus spyware on an iPhone. Tracked as CVE-2021-30860, this zero-click zero-day iMessage vulnerability, codenamed FORCEDENTRY, allows attackers to bypass the iOS BlastDoor security feature to deploy the spyware. The other vulnerability, CVE-2021-30858, is a Webkit use-after-free vulnerability that allows attackers to create a maliciously crafted web page that is executed when visited through an iPhone or iPad. CISA issued an advisory as well. We encourage all users to update their iOS versions immediately.

A New Zero-Click Vulnerability: The Pegasus spyware reportedly used a never-before-seen zero-click iMessage vulnerability to attack Bahraini dissidents between June 2020 and February 2021. The new zero-click vulnerability can circumvent the Apple BlastDoor feature—a structural improvement to the iOS where it acts as a sandbox for the iMessage app to parse untrusted messages and prevent zero-click exploits. Named FORCEDENTRY because of its ability to bypass the BlastDoor, this vulnerability exists in iOS versions 14.6 and prior. Since it is unlikely that the flaw has been patched yet, it might also affect the latest iOS versions.

What Is Vulnerability Chaining?

Vulnerability chaining is a well-established technique used by threat actors during their reconnaissance process, where they identify direct or peripheral vulnerabilities and weaknesses—both in hardware and software—to exploit them at the same time to compromise the target host.

The vulnerability chaining technique used by Pegasus in 2016 and 2021 is popularly referred to as Trident. Apple issued an upgrade that patched the security loophole after the 2016 attack, albeit ineffectively.

Could the Pegasus Spyware Attacks Have Been Avoided? 

Yes. Apple had issued patches for the security loophole that allowed Pegasus to carry out the phishing attack in 2016. However, Pegasus was still able to use the same Trident vulnerability chaining technique in the recent July 2021 attacks.

In the recent attack, Pegasus spyware employed a critical zero-click vulnerability (CVE-2019-8646) in the Apple iOS v14.6 iMessaging app alongside the Trident vulnerabilities, an exploit called KISMET. The iMessage vulnerability allowed Pegasus to create backdoor access to millions of iPhones. A simple phishing text message on iMessage was enough to allow Pegasus attackers to access the target’s device. Although Apple issued patches for other vulnerabilities in its version update on July 22, it did not patch the iMessage vulnerability. Apple has likely patched the Pegasus spyware vulnerability in its iOS 14.7.1 update; however, the company has not released any definitive statement.

In 2019, WhatsApp reported that attackers had used NSO’s Pegasus spyware to send malware to more than 1,400 mobiles by exploiting a zero-day bug. The bug allowed attackers to install malicious code without the target clicking on the iMessage app or answering a WhatsApp call.

CVE Associations

In the recent July 2021 attack, Pegasus spyware used a series of older vulnerabilities paired with an iMessage vulnerability. Here is our analysis of the vulnerabilities:

CVE-2016-4655

• CVE-2016-4655 exists in the kernel in Apple iOS versions before 9.3.5.

• The kernel information leak circumvents the kernel address space layout randomization (KASLR).

• The vulnerability allows attackers to obtain sensitive information from memory via a crafted application.

• Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), this medium-severity vulnerability has a CVSS v3 score of 5.5.

• CWE-200 appears in MITRE’s latest CWE Top 25 list of vulnerabilities.

• A patch for the vulnerability was released in 2016.

CVE-2016-4656

• CVE-2016-4656 exists in Apple iOS versions 9.3.4 and earlier.

• The CVE is a kernel-level memory corruption vulnerability that leads to jailbreak and the eventual installation of the surveillance software.

• The vulnerability allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted application.

• Classified under CWE-264 (Permissions, Privileges, and Access Controls), the high-severity vulnerability has a CVSS v3 score of 7.8.

• A patch for the vulnerability was released in 2016.

CVE-2016-4657

• CVE-2016-4657 is a memory corruption vulnerability in the Apple Safari Webkit for iOS versions below 9.3.5.

• The vulnerability allows the attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted website whenever a user clicks on a specific link.

• Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the high-severity vulnerability has a CVSS v3 score of 8.8.

• CWE-119 appears in MITRE’s latest CWE Top 25 list of vulnerabilities.

• A patch for the vulnerability was released in 2016.

The Pegasus spyware chains the Trident iOS vulnerabilities—CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657—to jailbreak iPhones during an attack.

CVE-2019-8646

• CVE-2019-8646 is an out-of-bounds read vulnerability discovered in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, and watchOS 5.3. This vulnerability remained in the iOS till version 14.6.

• The vulnerability lies in the iMessage app of a device and can allow memory to be leaked and files to be read remotely.

• The high-severity vulnerability is classified under the weakness enumeration CWE-125 (Out-of-Bounds Read) and has a CVSS v3 score of 7.5. The CWE is also listed in the CWE Top 10 vulnerabilities by MITRE.

• The fix for the bug was released in July 2019.

• Apple has likely patched the Pegasus vulnerability in its iOS 14.7.1 update.

IoCs for the jailbreaks used in the Pegasus spyware

/–early-boot /var/root/test.app /private/var/tmp/crw /private/var/tmp/cr /private/var/tmp/st_data

 

Pegasus Spyware—Attack Methodology

Pegasus spyware takes advantage of how mobile devices and their related features, such as Wi-Fi and mobile data, voice calls, cameras, email and text messaging services, GPS, and passwords, have become integrated with daily life. As a result, Pegasus spyware is highly configurable and can be adapted based on region, language, country of use, and applications installed on the target device.

A Pegasus spyware attack sequence has three distinct stages. Here is a detailed look at the stages:

• Stage 1

Attackers send a phishing text message to the target’s device, using the iMessage vulnerability (CVE-2019-8646), and gain initial access to the target’s smartphone. Older methods of compromising a target’s phone included giving a missed call on WhatsApp.

• Stage 2

Once attackers gain initial access to the target’s phone, they initiate the Trident iOS vulnerabilities (CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657) to jailbreak the mobile device secretly.

• Stage 3

Once the mobile device has been jailbroken, the attackers install and execute the surveillance software that gathers information and helps in persistence attacks.

Check for Compromise and Upgrade Your Devices.

The NSO Group, the creators of the Pegasus spyware, was hacked on July 20, 2021, and details about its spyware-as-a-service tools were leaked to the public. Researchers at Amnesty then developed a toolkit for iOS versions 7 to 14.6 that could help people identify if their phones had been compromised.

The Mobile Verification Tool (MVT) is a forensic tool to look for signs of infection in a smartphone device. The tool works on iPhones and Android devices, albeit a little differently. iPhone users are at an advantage as they can take a complete backup of their files if any indicators of compromise (IoCs) are discovered on their phones.

Apple released a spyware detector and file transfer tool of its own called iMazing, inspired by the MVT, which makes it easier for iPhone and iPad users to detect traces of the Pegasus spyware. Apple also released a version update, iOS v14.7.1, that seemingly patches the memory corruption vulnerability that the spyware was actively exploiting.

As more people consume information on smartphone devices, the dangers and risks of sophisticated spyware (such as Pegasus) snooping on encrypted information continue to grow. Therefore, organizations and individuals need to equip themselves with the skills necessary to keep their information systems secure and adopt a risk-based approach to boost their security posture. 

Unsure if there are any gaps in your security that can lead to a cyberattack?

We can help shrink your attack surface. Talk to us!