Apple releases patch for exploit attributed to hacker-for-hire firm

Apple releases emergency updates to fix flaw that enables spyware to infect iPhones without user action

  • It was the first time a so-called ‘zero-click’ exploit had been caught and analyzed
  • Researchers identified the exploit and quickly notified Apple, which released a patch on Monday to fix the flaw
  • The flaw is a new exploit from the world’s most infamous hacker-for-hire firm, NSO Group, which was used to directly infect the iPhone of a Saudi activist
  • Experts say the average person should not worry about the exploit

Apple released an emergency software patch on Monday to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.

The exploit was captured by spyware researchers at the University of Toronto’s Citizen Lab who said the flaw is a new exploit from the world’s most infamous hacker-for-hire firm, NSO Group, which was used to directly infect the iPhone of a Saudi activist.

The flaw affected all of Apple’s operating systems, the researchers said.

It was the first time a so-called ‘zero-click’ exploit had been caught and analyzed, said the researchers, who found the malicious code on September 7 and immediately alerted Apple.

Citizen Lab called the iMessage exploit FORCEDENTRY and said it was effective against Apple iOS, MacOS and WatchOS devices.

That process name was used in an attack with NSO Group’s Pegasus spyware on an Al Jazeera journalist in July 2020.

They said they had high confidence the Israeli company NSO Group was behind the attack, adding that the targeted activist asked to remain anonymous.

‘We’re not necessarily attributing this attack to the Saudi government,’ said researcher Bill Marczak.

In a software update, Apple issued a patch aimed at the Pegasus exploit but did not mention NSO Group. 

Apple instead described the exploit as ‘Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.’

Although Citizen Lab previously found evidence of zero-click exploits being used to hack into the phones of al-Jazeera journalists and other targets, ‘this is the first one where the exploit has been captured so we can find out how it works,’ said Marczak.

Although security experts have previously stated that the average iPhone, iPad and Mac user should not worry about this attack, as such attacks tend to be highly targeted, the discovery is still alarming to security professionals.

Malicious image files were transmitted to the activist’s phone via the iMessage instant-messaging app before it was hacked with NSO’s Pegasus spyware, which opens a phone to eavesdropping and remote data theft, Marczak said.

It was discovered during a second examination of the phone, which forensics showed had been infected in March. He said the malicious file causes devices to crash.

NSO Group did not immediately respond to an email seeking comment.

In a blog post, Apple said it was issuing a security update for iPhones and iPads because a ‘maliciously crafted’ PDF file could lead to them being hacked.

The tech giant said it was aware that the issue may have been exploited and cited Citizen Lab.

Apple didn’t immediately respond to questions regarding whether this was the first time it had patched a zero-click exploit.

Researcher John Scott-Railton said the news highlights the importance of securing popular messaging apps against such attacks. 

‘Chat apps are increasingly becoming a major way that nation-states and mercenary hackers are gaining access to phones,’ he said. 

‘And it’s why it’s so important that companies focus on making sure that they are as locked down as possible.’

The researchers said it also exposes – again – that NSO’s business model involves selling spyware to governments that will abuse it, not just to law enforcement officials chasing cyber criminals and terrorists, as NSO claims.

‘If Pegasus was only being used against criminals and terrorists, we never would have found this stuff,’ said Marczak.

Facebook’s WhatsApp was also allegedly targeted by an NSO zero-click exploit. In October 2019, Facebook sued NSO in U.S. federal court for allegedly targeting some 1,400 users of the encrypted messaging service with spyware.

In July, a global media consortium published a damning report on how clients of NSO Group have been spying for years on journalists, human rights activists, political dissidents – and people close to them, with the hacker-for-hire group directly involved in the targeting.

Amnesty International said it confirmed 37 successful Pegasus infections based on a leaked targeting list whose origin was not disclosed.

One involved the fiancée of Washington Post journalist Jamal Khashoggi, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. 

The CIA attributed the murder to the Saudi government.

The recent revelations also prompted calls for an investigation into whether Hungary’s right-wing government used Pegasus to secretly monitor critical journalists, lawyers and business figures. 

India’s parliament also erupted in protests as opposition lawmakers accused Prime Minister Narendra Modi’s government of using NSO Group’s product to spy on political opponents and others.

France is also trying to get to the bottom of allegations that President Emmanuel Macron and members of his government may have been targeted in 2019 by an unidentified Moroccan security service using Pegasus. 

Morocco, a key French ally, denied those reports and is taking legal action to counter allegations implicating the North African kingdom in the spyware scandal.

How does Pegasus work? Powerful malware can collect data from a smartphone without a user knowing their device is infected

Pegasus is a powerful piece of ‘malware’ – malicious computer software – developed by private Israeli security firm NSO Group.

This particular form of malware is known as ‘spyware’, meaning it is designed to gather data from an infected device without the owner’s knowledge and forward it on to a third party.

While most spyware is limited in scope – harvesting data only from specific parts of an infected system – Pegasus appears much more powerful, allowing its controller near-unlimited access to and control over an infected device.

This includes accessing contact lists, emails, and text messages, along with stored photos, videos and audio files.

Pegasus can also be used to take control of the phone’s camera or microphone to record video and audio, and can access GPS data to check where the phone’s owner has been.

And it can also be used to record any new incoming or outgoing phone calls. 

Early versions of the virus infected phones using crude ‘phishing’ attacks in which users are conned into downloading the virus on to their own phones by clicking on a malicious link sent via text or email.

But researchers say the software has become much more sophisticated, exploiting vulnerabilities in common phone apps to launch so-called ‘zero-click’ attacks which can infect devices without the user doing anything.

For example, in 2019 WhatsApp revealed that 1,400 people had been infected by NSO Group software using a so-called ‘zero day’ fault – a previously unknown error – in the call function of the app.

Users were infected when a call was placed via WhatsApp to their phones, whether they answered the call or not.

More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. 

Apple says it is continually updating its software to prevent such attacks, though human rights group Amnesty says it has uncovered successful attacks on even the most up-to-date iOS systems – carried out this month.

NSO Group says that Pegasus can also be installed on devices using wireless transceivers located near the target, or can be booted directly on to the device if it is stolen first.