Researchers at Citizen Lab, a Canada-based interdisciplinary laboratory, said in their latest report that while analysing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, they discovered a 'zero-day zero-click exploit' against iMessage. The exploit, named Forcedentry, targets Apple’s image rendering library and was effective against Apple iOS, macOS and watchOS devices.
The researchers said the Israel-based NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. The exploit was being used since at least February 2021, the report said.
Using the zero-click method, the spyware can turn on a user's camera and microphone. It can record calls, messages, texts and emails, including data sent via end-to-end encrypted platforms. All the compromised data is then sent to NSO's clients.
Citizen Lab also disclosed the vulnerability to Apple, which released a patch on September 13 and urged users to update their devices immediately.
The report says all iPhones running iOS versions before 14.8, all Mac computers running operating system versions before OSX Big Sur 11.6 or without Security Update 2021-005 Catalina, and all Apple Watches running versions before watchOS 7.6.2 were affected by the exploit.
How did Citizen Lab discover the exploit?
In March 2021, researchers at Citizen Lab examined the phone of a Saudi activist, who has chosen to remain anonymous. During the probe, they found that the device had been hacked with NSO Group’s Pegasus spyware.
"Recent re-analysis of the backup yielded several files with the “.gif” extension in Library/SMS/Attachments that we determined were sent to the phone immediately before it was hacked with NSO Group’s Pegasus spyware," the report claims.
The format of the files matched two types of crashes observed on another phone when it was hacked with NSO's Pegasus spyware. The researchers concluded that the “.gif” files might contain parts of the exploit chain, which they also refer to as the Forcedentry chain.
Notably, a 'zero-click' exploit is known as the holy grail of surveillance because it compromises a device without requiring any action from its owner and without alerting them.
Meanwhile, Apple has confirmed that the files included a zero-day exploit against iOS and macOS. Apple assigned the vulnerability an identifier and described it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
Why NSO Group?
The researchers said the spyware installed by the exploit exhibited a forensic artifact named Cascadefall, a bug whereby evidence is incompletely deleted from the phone. "We have only ever seen this type of incomplete deletion associated with NSO Group’s Pegasus spyware, and we believe that the bug is distinctive enough to point back to NSO," the Citizen Lab report said.
The spyware installed by this exploit uses multiple process names, including “setframed”. The same process name was seen in an attack with NSO Group’s Pegasus spyware on an Al Jazeera journalist in July 2020.
The controversial Israel-based NSO Group has been called out time and again for selling its technology to governments across the world, which then use it for acts that violate international human rights law.
Pegasus row in India
An international media consortium had recently reported that over 300 verified Indian mobile phone numbers were on the list of potential targets for surveillance using Pegasus spyware.
It alleged that Israeli firm NSO's spyware was used for snooping by government agencies on eminent citizens, politicians and scribes.
Following an uproar in India, several pleas were filed in the Supreme Court seeking an independent probe into the allegations. The government has, however, denied all the allegations against it, saying it has “nothing to hide”.
Copyright © 2021 Living Media India Limited. For reprint rights: Syndications Today