
According to the latest findings from Citizen Lab, Israeli spyware maker NSO Group deployed at least three new “zero-click” exploits against iPhones in 2022 to penetrate defenses built by Apple and install Pegasus.
“NSO Group customers have widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world,” said the multidisciplinary laboratory based at the University of Toronto.
NSO Group is the maker of Pegasus, an advanced cyberweapon capable of extracting sensitive information stored on the device in real time (messages, locations, photos, call history, etc.). It is typically delivered to the targeted iPhone using zero-click or zero-day exploits.
While it is marketed to law enforcement as a tool to combat serious crimes such as child sexual abuse and terrorism, it has also been deployed illegally by authoritarian governments to spy on human rights defenders, democracy advocates, journalists, dissidents, and others.
The misuse of Pegasus prompted the US government to add NSO Group to its trade blocklist in late 2021, and Apple filed its own lawsuit against the company for targeting its users.
In July 2022, it emerged that the spyware had been used against Thai activists involved in the country’s pro-democracy protests between October 2020 and November 2021, by means of two zero-click exploits named KISMET and FORCEDENTRY.
Two of the targets in the latest campaign uncovered by Citizen Lab are human rights defenders at Centro PRODH, who represent victims of extrajudicial killings and disappearances by the Mexican military. The intrusions occurred in June 2022.
The attacks involved three different exploit chains, called LATENTIMAGE, FINDMYPWN and PWNYOURHOME, which weaponized various flaws in iOS 15 and iOS 16 as zero-days to compromise the device and ultimately launch Pegasus:
- LATENTIMAGE (iOS version 15.1.1, detected in January 2022) – suspected exploit involving the iPhone’s Find My feature and SpringBoard
- FINDMYPWN (iOS versions 15.5 and 15.6, detected in June 2022) – two-step exploit leveraging the Find My service and iMessage
- PWNYOURHOME (iOS version 16.0.3, detected in October 2022) – two-step exploit that combines the iPhone’s built-in HomeKit functionality with iMessage to bypass BlastDoor protections
In an encouraging sign, Citizen Lab said it found evidence of Lockdown Mode intervening to thwart PWNYOURHOME attack attempts, warning users that it had blocked unknown parties using Gmail and Yahoo! accounts from trying to “access a home”.
This is the first public example of Lockdown Mode, which is specifically designed to reduce the iPhone’s attack surface, successfully protecting individuals from compromise.

That said, Citizen Lab noted that NSO Group “may have found a way to fix the notification issue, such as by fingerprinting Lockdown Mode.” Since then, Apple has shipped several security improvements to HomeKit in iOS 16.3.
The finding is the latest example of NSO’s evolving attack techniques, which infiltrate iPhones without requiring the target to take any action for the infection to occur.
A new New York Times investigation also reveals that Mexico has been using Pegasus to target human rights defenders in recent months, and details how the country became the first and most prolific user of the spyware.
In another sign of the prevalence of such campaigns, Jamf Threat Labs found evidence of spyware targeting a Middle East-based human rights activist and a Hungarian journalist, whose names have not been revealed.
The attack targeting the journalist’s iPhone was also significant in that the device was an iPhone 6s, which is no longer compatible with the latest iOS version, indicating a propensity among the attackers to exploit both known and unknown vulnerabilities to achieve their goals.
It is important to note that while Apple backports fixes for critical flaws to older devices (the latest version supported by the iPhone 6s is iOS 15.7.5), not all vulnerabilities have been addressed on legacy devices.
“As a result, threat actors may continue to exploit vulnerabilities that remain unpatched on older devices but have been patched on newer supported devices, allowing attackers to gain remote access to targeted devices. We may be able to provide more time and information,” said Jamf.
To protect against such spyware attacks, users are advised to apply the latest operating system updates, upgrade older devices to newer iPhone or iPad models, and consider enabling Lockdown Mode.
The UK’s National Cyber Security Centre (NCSC) warned in an advisory released on 19 April 2023 that “the proliferation of commercial cyber tools will increase the threat to organizations and individuals worldwide”.
“The commercial proliferation of cyber tools and services lowers the barriers to entry for state and non-state actors to acquire capabilities and intelligence that they could not otherwise develop or acquire,” the agency said.