New Zero-Click iMessage Vulnerability

Citizen Lab researchers have uncovered a new zero-click iMessage exploit that has been used by threat actors to target at least nine Bahraini nationals with NSO Group’s Pegasus spyware. Zero-click means that simply receiving the message is enough to install malware on a targeted iPhone; no user interaction is required. Citizen Lab links the attacks, with high confidence, to the Bahraini Government, which is using the spyware to track activists. The spyware was deployed after the targets' devices were compromised using two zero-click iMessage exploits: the 2020 KISMET exploit and a new, never-before-seen exploit dubbed FORCEDENTRY (previously tracked by Amnesty Tech as Megalodon). NSO Group attacks using the new iMessage zero-click exploit circumvent the iOS BlastDoor feature designed to block such exploits, and were first spotted in February 2021. Citizen Lab saw the attack being carried out on Apple devices that were running the newest software update.

Analyst Notes

Currently, there is no fix for this issue, and there will not be one until Apple releases a patch that stops this type of access, which may not happen soon. According to Apple’s Ivan Krstić, head of Apple Security Engineering and Architecture, “attacks such as the ones described by Citizen Lab are highly targeted and thus nothing to worry about … for most people, at any rate.” He went on to say that attacks like these are not a threat to the majority of Apple users. Some researchers saw that disabling iMessage and FaceTime thwarted these attacks, but doing this also stops messages sent between Apple devices from being encrypted. This could open the door to a different attack, in which threat actors intercept the unencrypted messages. Anyone who decides to go down this route should move their text messaging to a secure app that encrypts messages. People should also accept messages only from known contacts and prevent incoming messages from automatically fetching media.

Pegasus Spyware Uses iPhone Zero-Click iMessage Zero-Day