
Pegasus iOS exploit uses three zero days to attack high-value targets

A new remote iOS exploit called Pegasus leverages three zero days in what appear to be state-sponsored targeted attack campaigns against political dissidents.

Apple has rolled out a patch for a dangerous remote iOS exploit that has been used by governments to attack political dissidents, rights activists and journalists.

Researchers at Lookout Inc. and the Citizen Lab, based at the Munk School of Global Affairs at the University of Toronto, have dubbed the iOS exploit Pegasus. They describe it as "the most sophisticated attack we've seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile -- always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists."

"The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information," Lookout and Citizen Lab wrote. "This, however, happens invisibly and silently, such that victims do not know they've been compromised."

Pegasus takes advantage of three iOS zero-day vulnerabilities -- called Trident by the researchers -- in order to remotely jailbreak a user's device, install sophisticated malware and allow the attacker access to virtually all of the information on the device.

Guillaume Ross, senior security consultant at Rapid7, said the difficulty in exploiting iOS is increasing, but this "doesn't prevent sophisticated attackers from working on new and improved techniques" to crack the system.

"What makes this specific type of attack particularly sophisticated is in the amount of vulnerabilities that had to be chained to make it a seamless attack requiring very little user interaction," Ross told SearchSecurity. "This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone, and then persists on the device. Jailbreak software is regularly released publicly, and exploits such vulnerabilities, but with a major difference: This software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past."

The information at risk varies because the Pegasus spyware is described as "highly configurable" to meet the needs of the malicious actor that purchases the iOS exploit; the data it can collect includes messages, calls, emails, logs and information from apps such as Gmail, WhatsApp or Calendar.

"The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete," the researchers wrote. "We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry."

Patrick Hevesi, research director at Gartner, noted that the potential impact on older versions of iOS could be significant because Apple has said there are more than one billion active iOS devices in the wild.

"The bigger issue is that some of the earlier versions of the attack were written against iOS 7. The impact there is about 13% of devices that are not on iOS 9 due to either lack of hardware support or not patching by the end user," Hevesi said, adding that Apple could improve update adoption. "This is one area where there can be improvements since there is no concept of alerting the users of the severity of the update other than text saying there is an important security update available."

However, Citizen Lab said it recognized the links in Pegasus "as belonging to an exploit infrastructure connected to NSO Group, an Israel-based cyberwar company" and made it clear the attacks using the Pegasus iOS exploit were limited to high-value targets.

Pegasus was reportedly sold exclusively to governments as a "lawful intercept spyware product" and the Citizen Lab found evidence the iOS exploit was used in state-sponsored attacks against political dissidents, including a Mexican journalist who reported on corruption by Mexico's head of state, as well as Ahmed Mansoor, an internationally recognized human rights defender, based in the United Arab Emirates (UAE).

Travis Smith, senior security research engineer at Tripwire, said that although the attacks were targeted now, that could change.

"Any zero day, which can remotely take control of a device, is incredibly dangerous. The fact that this particular exploit took advantage of three vulnerabilities to accomplish complete control shows how advanced and committed the authors are," Smith told SearchSecurity. "While what we've seen exploited in the wild thus far has been targeted toward high profile targets, exploits eventually trickle down into less skilled hands who eventually target a larger audience."

The researchers said Apple was able to create and roll out patches just 10 days after the initial notification.

"Once we confirmed the presence of what appeared to be iOS zero days, Citizen Lab and Lookout quickly initiated a responsible disclosure process by notifying Apple and sharing our findings. Apple responded promptly, and notified us that they would be addressing the vulnerabilities," Citizen Lab wrote. "We are releasing this report to coincide with the availability of the iOS 9.3.5 patch, which blocks the Trident exploit chain by closing the vulnerabilities that NSO Group appears to have exploited and sold to remotely compromise iPhones."

Apple released a statement saying: "We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."
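The fix version named above (iOS 9.3.5) and Hevesi's point about devices stuck on older releases translate directly into a fleet check a defender would run. The following is an added example, not code from the article or from any of the vendors quoted; the device inventory is constructed and the device names are hypothetical.

```python
from typing import List, Tuple

# Minimum iOS version that closes the Trident chain, as stated in the article.
PATCHED_VERSION = "9.3.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5); pad short strings so '9.3' compares as (9, 3, 0)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(version: str, minimum: str = PATCHED_VERSION) -> bool:
    """True when the device runs the fix version or any later release."""
    return parse_version(version) >= parse_version(minimum)


def audit_fleet(inventory: List[dict]) -> dict:
    """Split an inventory into patched and unpatched devices and report the unpatched share.

    Devices that cannot reach the fix version (e.g. hardware stuck on iOS 7, the case
    Hevesi raises) show up in the unpatched list and need a separate decision.
    """
    unpatched = [d["device"] for d in inventory if not is_patched(d["ios"])]
    patched = [d["device"] for d in inventory if is_patched(d["ios"])]
    share = len(unpatched) / len(inventory) if inventory else 0.0
    return {"patched": patched, "unpatched": unpatched, "unpatched_share": round(share, 3)}


# Constructed sample inventory (hypothetical device names and versions, not data from the article).
SAMPLE_INVENTORY = [
    {"device": "iphone-a", "ios": "9.3.5"},
    {"device": "iphone-b", "ios": "9.3.4"},
    {"device": "iphone-c", "ios": "10.0"},
    {"device": "ipad-d", "ios": "7.1.2"},
    {"device": "iphone-e", "ios": "9.3"},
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_INVENTORY)
    for name in report["unpatched"]:
        print(f"needs iOS {PATCHED_VERSION} or later: {name}")
    print(f"unpatched share: {report['unpatched_share']:.1%}")
```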

Peter Tran, general manager and senior director at RSA, the security division of EMC, said this type of spyware could be seen as a shift in surveillance.

"The ability for Pegasus to drop inline quietly as a jailbreak can be dangerous business from a spyware perspective, but it is important to understand the Pegasus malware represents a technologically evolved method for potential uses within intelligence and surveillance environments based on shifts from old to new in IT and telecommunication platforms," Tran told SearchSecurity. "We are essentially seeing the shift from tapping wire line phones to tapping the hub-and-spoke of iOS -- different requirements."
