Users in multiple countries have been affected by spyware associated with NSO Group’s Pegasus malware over the past six months.
Research by Jamf Threat Labs suggests that the observed attacks were highly targeted, with each scenario producing a unique indicator of compromise (IOC).
“The variation in compromised hardware and software shows that new exploits continue to be discovered as security patches are issued and the number of vulnerable devices grows,” the company said Monday.
Jamf also clarified that while Apple is actively monitoring devices for compromise, it has not contacted all users affected by these spyware attacks.
“[This shows] the challenge of maintaining a comprehensive list of IOCs and […] it remotely extracts relevant data,” the company explains.
Additionally, the fact that high-risk individuals and organizations do not consistently perform thorough investigations based on threat indicators also contributes to the difficulty in comprehensively mapping these attacks.
Jamf examines two sophisticated spyware attacks in its latest advisory. The first device affected was an iPhone 12 Pro Max that a Middle East-based human rights activist used as a daily communication tool.
On this device the spyware left traces of a process called “libtouchregd”. This process was previously associated with the Pegasus spyware.
According to Jamf security researchers, the same person or group that created Pegasus may be behind the attack.
Further analysis of the device showed signs that the iPhone had been tampered with, which could mean that someone had tried to access sensitive information on the phone. In this case, the user received a warning from Apple about the possible attack and updated her phone to protect herself.
The second device the team analyzed was an iPhone 6s (a model that no longer receives the latest Apple updates) owned by a European journalist working for Global News.
“Similar to Middle Eastern iPhones, European iPhones also showed evidence of significant system crashes,” Jamf wrote. “More suspiciously, the European iPhones contained files found in unusual locations within the iPhone’s strict file system.”
Based on observed IOCs, the Jamf team was unable to conclusively determine that this iPhone was compromised by a specific attacker. Still, the company says targeting older devices like this should serve as a reminder that malicious threat actors exploit vulnerabilities in an organization’s infrastructure.
“As a general best practice, we strongly recommend upgrading older devices to newer iPhone or iPad models running the latest available updates and operating system versions,” the advisory states.
The publication comes a year after Spanish government regulators began investigating allegations that authorities used Israeli spyware to spy on separatist politicians in the Catalan region.
Editorial image credit: mundissima / Shutterstock.com