Attack Methodology<\/a> | Prevention<\/a><\/b><\/p>\n On July 18, 2021, the Pegasus spyware, developed by the Israeli Intelligence agency, NSO Group Technologies, was discovered snooping on the smartphones of journalists and politicians from several countries, including India.<\/p>\n Pegasus is a highly sophisticated cyber espionage spyware prominently used by governments. The malware infects iPhones and Android devices and enables attackers to record calls, secretly activate microphones, extract messages or photos, and access emails and secondary applications without the user\u2019s knowledge.<\/p>\n The earliest version of the Pegasus spyware was discovered <\/a>by researchers at the Citizen Lab in 2016 after it unsuccessfully infected the phone of a UAE-based journalist through spear-phishing messages<\/a>. Apple was made aware of the attack and soon discovered three zero-day vulnerabilities (CVE-2016-4655<\/a>, CVE-2016-4656<\/a>, and CVE-2016-4657<\/a>) chained to exploit the journalist\u2019s phone.<\/p>\n Over two years (from 2016 to 2018), the spyware infected more than 50,000 phones in 45 countries, including\u00a08 Indian telecommunication companies<\/a> such as Bharti Airtel Limited, Hathway IP over Cable Internet, and Mahanagar Telephone Nigam Limited.<\/p>\n On August 23, 2021, a new extortion scam<\/a> was uncovered that leverages the Pegasus iOS spyware attacks to blackmail people into paying a ransom. The scammer threatened to leak sensitive videos of the person to business associates and people on the contact list apart from dark forums, if a sum of money (0.035 bitcoin, approximately $1,600 USD) is not paid within a stipulated time frame.\u00a0<\/strong><\/p>\n<\/blockquote>\n Five Countries Targeted: <\/strong>At least five countries in the region use NSO Group’s Pegasus surveillanceware, which is embroiled in a legal battle with the Israeli government. The disclosure comes after an investigation committee was created in April 2022 to look into alleged violations of EU law following revelations that the company’s Pegasus spyware is being used to snoop on the phones of politicians, diplomats, and members of civil society.<\/p>\n Spanish Prime Minister Targeted:<\/strong> On May 03, 2022, Spanish officials revealed that the cellphones of the Prime Minister and the Defence Minister were infected in May 2021 with the Pegasus spyware that is only available to government agencies in an unauthorized operation.<\/p>\n Apple iMessage vulnerability: <\/strong>The now-patched Apple iMessage vulnerability (CVE-2021-30860), popularly known as the FORCEDENTRY exploit, was not only used by the NSO group but was also separately weaponized by another Israeli firm called QuaDream on February 07, 2022. QuaDream’s spyware, REIGN, was similar to Pegasus in its capabilities and was also used to infect iPhones worldwide.<\/p>\n Finnish Ministry Hacked: <\/strong>On February 02, 2022, after an investigation that commenced in September 2021, the Finnish Ministry for Foreign Affairs discovered that the devices of Finnish diplomats abroad had been hacked and infected with NSO’s Pegasus spyware. The devices included both Apple and Android phones that were infected without any action on the part of the user.<\/p>\n The news comes in the wake of the spyware being discovered targeting the US Department of State employees in early December. The employees’ phones were all infected with Pegasus spyware using the ‘ForcedEntry’ iOS exploit.<\/p>\n Saudi Arabia Targeted: <\/strong>On October 25, 2021, a report<\/a> by the Citizen Lab revealed that a journalist from The<\/em> New York Times<\/em> covering events in Saudi Arabia was repeatedly targeted by the Israeli Pegasus spyware over a period of three years, from 2018 to June 2021. The journalist was working on writing a book about the Saudi Crown Prince, Mohammed bin Salman, at the time of the attacks.<\/p>\n New Trojan Campaign:<\/strong> On October 01, 2021, after the recent wave of Pegasus spyware attacks on iPhones, researchers discovered a new Trojan campaign<\/a> deployed by a group unconnected to the NSO. The Trojan masqueraded as “Amnesty International” and promised an antivirus tool, AVPegasus.<\/p>\n Apple patched the Pegasus iMessage vulnerability on September 13. We urge all users to update their iOS versions as soon as possible and not entertain any antivirus solutions that may seem as being offered by a legitimate source.<\/p>\n FORCEDENTRY Patches:<\/strong> On September 13, 2021, Apple released fixes<\/a> for two zero-day vulnerabilities being exploited in the wild, one of which can be used to install the Pegasus spyware on an iPhone. Tracked as CVE-2021-30860<\/a>, this zero-click zero-day iMessage vulnerability, codenamed FORCEDENTRY<\/a>, allows attackers to bypass the iOS BlastDoor security feature to deploy the spyware. The other vulnerability, CVE-2021-30858<\/a>, is a Webkit use-after-free vulnerability that allows attackers to create a maliciously crafted web page that is executed when visited through an iPhone or iPad. CISA issued an advisory<\/a> as well. We encourage all users to update their iOS versions immediately.<\/p>\n A New Zero-Click Vulnerability:<\/strong> The Pegasus spyware reportedly used a never-before-seen zero-click iMessage vulnerability<\/a> to attack Bahraini dissidents between June 2020 and February 2021. The new zero-click vulnerability can circumvent the Apple BlastDoor feature\u2014a structural improvement to the iOS where it acts as a sandbox for the iMessage app to parse untrusted messages and prevent zero-click exploits. Named FORCEDENTRY because of its ability to bypass the BlastDoor, this vulnerability exists in iOS versions 14.6 and prior. Since it is unlikely that the flaw has been patched yet, it might also affect the latest iOS versions.<\/p>\n Vulnerability chaining is a well-established technique used by threat actors during their reconnaissance process, where they identify direct or peripheral vulnerabilities and weaknesses\u2014both in hardware and software\u2014to exploit them at the same time to compromise the target host.<\/p>\n The vulnerability chaining technique used by Pegasus in 2016 and 2021 is popularly referred to as Trident. Apple issued an upgrade <\/a>that patched the security loophole after the 2016 attack, albeit ineffectively.<\/p>\n Yes. Apple had issued patches<\/a> for the security loophole that allowed Pegasus to carry out the phishing attack in 2016. However, Pegasus was still able to use the same Trident vulnerability chaining technique in the recent July 2021 attacks.<\/strong><\/p>\n In the recent attack, Pegasus spyware employed a critical zero-click vulnerability<\/a> (CVE-2019-8646<\/a>) in the Apple iOS v14.6 iMessaging app alongside the Trident vulnerabilities, an exploit called KISMET<\/a>. The iMessage vulnerability allowed Pegasus to create backdoor access to millions of iPhones. A simple phishing text message on iMessage was enough to allow Pegasus attackers to access the target\u2019s device. Although Apple issued patches for other vulnerabilities in its version update on July 22, it did not patch the iMessage vulnerability<\/u><\/a>. Apple has likely patched <\/a>the Pegasus spyware vulnerability in its iOS 14.7.1 update; however, the company has not released any definitive statement.<\/p>\n In 2019, WhatsApp reported that attackers had used NSO\u2019s Pegasus spyware to send malware to more than 1,400 mobiles by exploiting a zero-day bug. The bug allowed attackers to install malicious code without the target clicking on the iMessage app or answering a WhatsApp call.<\/p>\n In the recent July 2021 attack, Pegasus spyware used a series of older vulnerabilities paired with an iMessage vulnerability. Here is our analysis of the vulnerabilities:<\/p>\n CVE-2016-4655<\/strong><\/p>\n CVE-2016-4655<\/a> exists in the kernel in Apple iOS versions before 9.3.5.<\/p>\n<\/li>\n The kernel information leak circumvents the kernel address space layout randomization (KASLR).<\/p>\n<\/li>\n The vulnerability allows attackers to obtain sensitive information from memory via a crafted application.<\/p>\n<\/li>\n Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), this medium-severity vulnerability has a CVSS v3 score of 5.5.<\/p>\n<\/li>\n CWE-200 appears in MITRE\u2019s latest CWE Top 25 list of vulnerabilities<\/a>.<\/p>\n<\/li>\n A patch for the vulnerability was released in 2016.<\/p>\n<\/li>\n<\/ul>\n CVE-2016-4656<\/strong><\/p>\n CVE-2016-4656<\/a> exists in Apple iOS versions 9.3.4 and earlier.<\/p>\n<\/li>\n The CVE is a kernel-level memory corruption vulnerability that leads to jailbreak and the eventual installation of the surveillance software.<\/p>\n<\/li>\n The vulnerability allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted application.<\/p>\n<\/li>\n Classified under CWE-264 (Permissions, Privileges, and Access Controls), the high-severity vulnerability has a CVSS v3 score of 7.8.<\/p>\n<\/li>\n A patch for the vulnerability was released in 2016.<\/p>\n<\/li>\n<\/ul>\n CVE-2016-4657<\/strong><\/p>\n CVE-2016-4657<\/a> is a memory corruption vulnerability in the Apple Safari Webkit for iOS versions below 9.3.5.<\/p>\n<\/li>\n The vulnerability allows the attacker to execute arbitrary code or cause a denial of service (memory corruption) via a crafted website whenever a user clicks on a specific link.<\/p>\n<\/li>\n Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the high-severity vulnerability has a CVSS v3 score of 8.8.<\/p>\n<\/li>\n CWE-119 appears in MITRE\u2019s latest CWE Top 25 list of vulnerabilities<\/a>.<\/p>\n<\/li>\n A patch for the vulnerability was released in 2016.<\/p>\n<\/li>\n<\/ul>\n The Pegasus spyware chains the Trident iOS vulnerabilities\u2014CVE-2016-4655, CVE-2016-4656, and CVE-2016-4657\u2014to jailbreak iPhones during an attack.<\/strong><\/p>\n CVE-2019-8646<\/strong><\/p>\n CVE-2019-8646<\/a> is an out-of-bounds read vulnerability discovered in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, and watchOS 5.3. This vulnerability remained in the iOS till version 14.6.<\/p>\n<\/li>\n The vulnerability lies in the iMessage\u00a0app of a device and can allow memory to be leaked and files to be read remotely.<\/p>\n<\/li>\n The high-severity vulnerability is classified under the weakness enumeration CWE-125 (Out-of-Bounds Read) and has a CVSS v3 score of 7.5. The CWE is also listed in the CWE Top 10 vulnerabilities<\/a> by MITRE.<\/p>\n<\/li>\n The fix<\/a> for the bug was released in July 2019.<\/p>\n<\/li>\n Apple has likely patched <\/a>the Pegasus vulnerability in its iOS 14.7.1 update.<\/p>\n<\/li>\n<\/ul>\n\n
<\/a>Recent Pegasus Attacks<\/b><\/h2>\n
<\/a>What Is Vulnerability Chaining?<\/strong><\/h2>\n
<\/a>Could the Pegasus Spyware Attacks Have Been Avoided?\u00a0<\/strong><\/h2>\n
<\/a>CVE Associations<\/strong><\/h2>\n
\n
\n
\n
\n
![\"Pegasus](\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/pegasus-infographic.png\")
<\/p>\n
![\"Pegasus](\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/pegasus-attack-methodology-_-infographic-2.png\")
<\/p>\n