TLP:GREEN - PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022
Summary:
“A new report from Citizen Lab states that the Israeli surveillance firm NSO Group used at least three zero-click zero-day exploits to deliver its Pegasus spyware. In 2022, the Citizen Lab analyzed the NSO Group activity after finding evidence of attacks on members of Mexico’s civil society, including two human rights defenders from Centro PRODH, which represents victims of military abuses in Mexico. The researchers discovered that in 2022, NSO Group customers used at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets worldwide. One of the iOS zero-click used in 2022, called by Citizen Lab “PWNYOURHOME,” was used against iPhones running iOS 15 and iOS 16 starting in October 2022. The researchers believe PWNYOURHOME is a novel two-step zero-click exploit. The first step targets the HomeKit process, while the second step targets iMessage. Another zero-click exploit dubbed FINDMYPWN was used by the surveillance firm against iOS 15 since June 2022. FINDMYPWN is a two-step exploit that targets the iPhone’s Find My feature and the step targets iMessage. Another two-step exploit, which targets the Find My feature and iMessage, has been dubbed FindMyPwn. This zero-click exploit has been used against iPhones running iOS 15 since at least June 2022. The third zero-click exploit discovered by Citizen Lab is LATENTIMAGE, it was found on a single target’s phone and experts believe it was the first new exploit used by NSO Group in 2022. The researchers shared their findings with Apple in October 2022 and in January 2023. Apple notified targets of the attacks in November and December 2022, and March 2023. Citizen Lab noticed that NSO Group, for a brief period, targeted devices with iOS 16’s Lockdown Mode feature enabled. The owners of these devices received real-time warnings when the threat actors attempted to use the PWNYOURHOME exploit against their devices. The bad news is that NSO Group may have improved its exploit to avoid the real-time warning, and the researchers have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled. “It is encouraging to see that Apple’s Lockdown Mode notified targets of in-the-wild attacks. While any one security measure is unlikely to blunt all targeted spyware attacks, and security is a multi-faceted problem, we believe this case highlights the value of enabling this feature for high-risk users that may be targeted because of who they are or what they do.” concludes the report. “We highly encourage all at-risk users to enable Lockdown Mode on their Apple devices. While the feature comes with some usability cost, we believe that the cost may be outweighed by the increased cost incurred on attackers.” Recently Citizen Lab researchers reported that at least five civil society members were victims of spyware and exploits developed by the Israeli surveillance firm QuaDream” (SecurtityAffairs, 2023).
Analyst Comments:
The victims include journalists, political opposition figures, and an NGO worker located in North America, Central Asia, Southeast Asia, Europe, and the Middle East. The researchers also believe that the threat actors used a suspected iOS 14 zero-click exploit to deploy QuaDream’s spyware. The zero-day exploit, dubbed ENDOFDAYS, appears to work against iOS versions 14.4 and 14.4.2, and possibly other versions. ENDOFDAYS relies on invisible iCloud calendar invitations sent from the spyware’s operator to victims. “Further analysis yielded additional indicators, which were then applied to analyze additional devices in the global pool of 2022 Pegasus victims to uncover more details about NSO Group’s 2022 exploits.” reads the report. “These indicator overlaps allow us to attribute the 2022 zero-click chains to NSO Group’s Pegasus spyware with high confidence. Overall, we believe NSO Group deployed at least three zero-click chains in 2022 (Figure 2), exploiting a variety of apps and features on the iPhone. We have observed cases of some of the chains deployed as zero-days against iOS versions 15.5 and 15.6 (FINDMYPWN), and 16.0.3 (PWNYOURHOME).”
Mitigation:
Zero-click attacks are sophisticated attacks that do not require user interaction to be initiated. They can exploit vulnerabilities in software or hardware to gain access to devices and steal sensitive information. Here are some tips to protect yourself against zero-click attacks:
- Keep your software up-to-date: Install the latest security patches for your operating system, software, and apps. This will help prevent attackers from exploiting known vulnerabilities in your software.
- Use antivirus software: Antivirus software can help detect and prevent malware infections on your device.
- Be cautious with email and messages: Don't click on links or download attachments from unknown sources, as they could contain malicious code that could infect your device.
- Use two-factor authentication: Two-factor authentication adds an extra layer of security to your accounts by requiring a second factor, such as a code sent to your phone, in addition to your password.
- Use a virtual private network (VPN): A VPN encrypts your internet connection, making it more difficult for attackers to intercept your data.
- Use a password manager: Password managers generate strong, unique passwords for each of your accounts, which can help prevent attackers from guessing your passwords.
- Keep sensitive data encrypted: Use encryption to protect your sensitive data, such as your personal information, financial data, and login credentials.