Targeted iOS Spyware: What you need to know to protect your organization from Pegasus and Trident
On August 25, The New York Times, Wall Street Journal, Washington Post and many other media outlets covered Lookout and Citizen Lab’s striking find: the most sophisticated, targeted, and persistent mobile attack ever found on iOS.
The attack allows an adversary to silently jailbreak an iOS device and stealthily spy on victims, collecting information from voice communications, camera, email, messaging, GPS, passwords, and contact lists.
This discovery is further proof that mobile platforms are fertile ground for gathering sensitive information from target victims, and well-resourced threat actors are regularly exploiting that mobile environment.
What are Pegasus and Trident?
Lookout and Citizen Lab uncovered an active, targeted mobile spyware threat called Pegasus that uses three critical and previously-unknown (“zero-day”) iOS vulnerabilities. The vulnerabilities, when exploited, form an attack that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Once Pegasus uses the Trident vulnerabilities to infect the device, the spyware causes catastrophic data loss, and can access all messages, calls, emails, logs, and data from apps including end-to-end encrypted applications.
Lookout worked directly with Apple’s security team to immediately patch all three Trident iOS vulnerabilities in Apple’s 9.3.5 update. The Pegasus spyware appears to persist even if you update the device’s software, however, and can self destruct if it believes its stealthy position is at risk, preventing victims from ever finding the compromise and addressing the breach that has occurred.
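Because the three Trident bugs were fixed in iOS 9.3.5, one thing a security team can do immediately is find every managed device still running an older build. The script below is an added example, not Lookout or Apple code; it assumes an MDM export shaped as (device id, iOS version) pairs, and the sample inventory is constructed. It compares versions numerically rather than as strings, so "9.10" is correctly treated as newer than "9.3.5", and it reports any device whose version cannot be parsed, since an unknown version should be handled as unpatched. Note the caveat from the paragraph above: being on 9.3.5 or later closes the Trident exposure window but does not by itself remove a Pegasus infection that is already present.

```python
"""Flag iOS devices that predate the Trident fix (iOS 9.3.5).

Added example; not code from Lookout, Citizen Lab or Apple. The inventory
format (device_id, os_version) is an assumption about what an MDM export
might provide.
"""
from typing import List, Tuple

# Patch level named in the article: Apple shipped the Trident fixes in 9.3.5.
PATCHED_VERSION = "9.3.5"

# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ipad-001", "9.3.5"),
    ("iphone-002", "9.3.4"),
    ("iphone-003", "9.10"),
    ("iphone-004", "10.0.1"),
    ("iphone-005", "9.3"),
    ("iphone-006", "unknown"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5). Raises ValueError on non-numeric parts.

    Numeric tuples avoid the classic string-compare bug where '9.10' < '9.3'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(os_version: str, patched: str = PATCHED_VERSION) -> bool:
    """True if os_version is at or above the patched version.

    Shorter tuples are zero-padded so '9.3' compares as (9, 3, 0).
    """
    current, required = parse_version(os_version), parse_version(patched)
    width = max(len(current), len(required))
    current += (0,) * (width - len(current))
    required += (0,) * (width - len(required))
    return current >= required


def unpatched_devices(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (device_id, os_version) for devices below the patch level.

    Devices with an unparsable version are included: an unknown version
    must be treated as unpatched until the device is checked directly.
    """
    flagged = []
    for device_id, os_version in inventory:
        try:
            patched = is_patched(os_version)
        except ValueError:
            patched = False
        if not patched:
            flagged.append((device_id, os_version))
    return flagged


if __name__ == "__main__":
    for device_id, os_version in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{device_id}: iOS {os_version} is below {PATCHED_VERSION}, update required")
```

Run against a real MDM export, the flagged list is the set of devices still exposed to Trident; devices already on 9.3.5 or later still need a separate compromise assessment if they were in the exposure window.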
Who do attackers target?
Threat actors will use this kind of targeted and expensive spyware to attack “high-value” individuals who have access to important, sensitive, and confidential information. The Pegasus attack reported in the media targeted a political activist, but it is also likely being used to attack specific targets for multiple purposes, including high-level corporate espionage. CEOs, CFOs, executive administrators, and financial teams are often in the crosshairs of a targeted attack, as they usually access confidential data, especially via their mobile devices.
As TechCrunch writes, “Apple zero-days mark a new era of mobile hacking.” Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of:
1. How integrated mobile devices are in our lives
2. The combination of features only available on mobile — always connected, voice communications, camera, email, messaging, GPS, passwords, and contact lists. It also includes information that could be answers to your security questions like birthdays, addresses, and children’s information.
What is the latest exploit?
The vulnerability (documented here) was discovered by the Facebook-owned WhatsApp in early May, the company confirmed to TechCrunch. It apparently leveraged a bug in the app’s audio call feature that allowed the caller to install spyware on the device being called, whether or not the call was answered.
The spyware in question that was detected as having been installed was Israel-based NSO Group’s Pegasus, which is usually (ostensibly) licensed to governments looking to infect targets of investigations and gain access to various aspects of their devices.