Israeli spyware maker NSO Group deployed at least three new zero-click exploits against iPhones in 2022 to get past Apple's defenses and install Pegasus, according to recent findings from Citizen Lab.
“NSO Group customers widely deploy at least three iOS 15 and iOS 16 clickless exploit chains against civil society targets worldwide,” the University of Toronto-based interdisciplinary laboratory said.
NSO Group is the manufacturer of Pegasus, a sophisticated cyberweapon capable of extracting sensitive information stored on a device, including messages, locations, photos, and call logs, in real time. It is typically delivered to the targeted iPhone using zero-click and/or zero-day exploits.
While it is marketed as a tool for law enforcement agencies to combat serious crimes such as child sexual abuse and terrorism, it has also been deployed illegally by authoritarian governments to spy on human rights defenders, democracy advocates, journalists, dissidents, and others.
The abuse of Pegasus prompted the US government to add NSO Group to its trade blocklist in late 2021, and Apple filed its own lawsuit against the company for targeting its users.
In July 2022, it was revealed that the spyware had been used against Thai activists involved in the country's pro-democracy protests between October 2020 and November 2021, by means of two zero-click exploits named KISMET and FORCEDENTRY.
Two of the latest targets unearthed by Citizen Lab are human rights defenders from Centro PRODH, which represents victims of extrajudicial killings and disappearances by the Mexican Army. The intrusions occurred in June 2022.
The attacks made use of three different exploit chains, dubbed LATENTIMAGE, FINDMYPWN, and PWNYOURHOME, that weaponized various vulnerabilities in iOS 15 and iOS 16 as zero-days to break into the device and ultimately launch Pegasus:
- LATENTIMAGE (iOS version 15.1.1, detected in January 2022): a suspected exploit involving the iPhone's Find My feature
- FINDMYPWN (iOS versions 15.5 and 15.6, detected in June 2022): a two-phase exploit that leverages the Find My and iMessage services
- PWNYOURHOME (iOS version 16.0.3, detected in October 2022): a two-phase exploit that combines the iPhone's built-in HomeKit functionality with iMessage to bypass BlastDoor protection
In an encouraging sign, Citizen Lab said it found evidence of Lockdown Mode stepping in to thwart attempted PWNYOURHOME attacks, with the feature notifying users that it had blocked unknown parties using Gmail and Yahoo! accounts from trying to “access Home.”
The development marks the first publicly documented instance in which Lockdown Mode, designed specifically to reduce the iPhone's attack surface, has successfully protected an individual from compromise.
That said, Citizen Lab points out that NSO Group “may have found a way to fix notification issues, such as with Lockdown Mode fingerprinting.” Apple has since shipped several security enhancements to HomeKit in iOS 16.3.1 and sent notifications to targeted victims in November and December 2022 and in March 2023.
The findings are the latest example of NSO Group's evolving techniques for breaking into iPhones without requiring the target to take any action to trigger an infection.
They also coincide with a new investigation from the New York Times that exposed Mexico's use of Pegasus against human rights defenders in recent months, detailing how the country became the spyware's first and most prolific user.
In another indication of the widespread nature of such campaigns, Jamf Threat Labs found evidence of a Middle East-based human rights activist and a Hungarian journalist being targeted with spyware. Their names were not disclosed.
The attack on the journalist's iPhone is also significant because the device was an iPhone 6s, which no longer supports the latest iOS versions, demonstrating the threat actor's willingness to exploit both known and unknown vulnerabilities to achieve their goals.
Although Apple does back-port fixes for critical flaws to older devices (the current version supported on the iPhone 6s is iOS 15.7.5), it's important to note that not all patches reach those devices.
“As a result, threat actors can continue to exploit unpatched vulnerabilities that have already been patched on newer supported devices, potentially giving attackers more time and more information to gain remote access to targeted devices,” Jamf said.
To protect against spyware attacks, users are advised to apply the latest operating system updates, upgrade older devices to newer iPhone or iPad models, and consider enabling Lockdown Mode.
The UK National Cyber Security Centre (NCSC), in an advisory released on April 19, 2023, warned that “the proliferation of commercial cyber tools will pose a growing threat to organizations and individuals globally.”
“The commercial proliferation of cyber tools and services lowers entry barriers for state and non-state actors to acquire capabilities and intelligence that they would not be able to develop or acquire otherwise,” the agency said.