Apple Released Security Fix for Pegasus Zero-Click Vulnerability

Apple issued an emergency security update for a critical vulnerability in its products, released as iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6. The flaw is related to the zero-click attack exploited by Pegasus spyware, a sophisticated tool built by NSO Group, an Israeli cybersecurity organization.

On September 13th, Apple released the security patch for the vulnerability designated CVE-2021-30860 and described it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”

Official Response of Apple on Zero-Click Vulnerability in their Devices:

Apple responded that it is aware that this vulnerability is being actively exploited, based on the report submitted by the Citizen Lab. It recommended installing the critical security patch on all devices immediately.

Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.

Apple Spokesperson

They added that the affected devices are iPhones running iOS versions prior to 14.8, MacBooks running versions prior to macOS Big Sur 11.6 or Security Update 2021-005 Catalina, and Apple Watches running versions prior to watchOS 7.6.2.

Along with this, they also released a security fix for a WebKit zero-day flaw, designated CVE-2021-30858, that can lead to arbitrary code execution when maliciously crafted web content is processed.

Apple also added that they are planning to launch new security protection and safety provisions for iMessage, in its iOS 15 software update later this year.

Here is the official Apple security update advisory report on zero-click vulnerability – About the security content of iOS 14.8 and iPadOS 14.8.

What is Pegasus Spyware?

Pegasus is a spyware suite used for the surveillance of individuals. It can be secretly installed on mobile phones and other devices that run the iOS and Android operating systems. Once the software is installed, it can run arbitrary code, collect any data from the device and transmit it back to the attacker.

This malicious software can monitor internet activity, harvest login credentials, trace a person's location, and exploit sensitive information. It can make its way onto a device via an app install package, file attachment, malicious URL, text message, email, etc.

Read more about the Pegasus spyware discovery, evolution, how it infects the phone and what it can do in detail –> Pegasus – A Sophisticated Spyware Tool.

How the Zero-Click Exploitation Is Performed on Apple Devices:

The exploitation occurs when an attacker sends a text message containing a malicious GIF image that is actually an Adobe PSD (Photoshop Document) or PDF file. These files are coded to crash the iMessage component that renders images automatically, and can install the surveillance tool on the victim’s device.
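A defender-side triage check for the mismatch described above, as an added example that is not part of the original article: it flags files whose name ends in .gif but whose leading bytes identify a PSD, a PDF or something else. The directory layout and sample headers are constructed for illustration and contain no payloads.

```python
from pathlib import Path
import tempfile

# Leading magic bytes for the formats named in the article.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

def sniff(header: bytes) -> str:
    """Return the format whose magic matches the start of header, else 'unknown'."""
    for fmt, sigs in MAGIC.items():
        if any(header.startswith(sig) for sig in sigs):
            return fmt
    return "unknown"

def find_mismatched_gifs(root: Path) -> list[tuple[str, str]]:
    """List (relative path, detected format) for every *.gif that is not a GIF."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".gif":
            continue
        with path.open("rb") as fh:
            real = sniff(fh.read(8))  # 8 bytes covers every signature above
        if real != "gif":
            hits.append((path.relative_to(root).as_posix(), real))
    return hits

def demo() -> list[tuple[str, str]]:
    """Build a constructed attachment tree (headers only) and scan it."""
    samples = {
        "a/photo.gif": b"GIF89a\x01\x00\x01\x00",  # genuine GIF header
        "b/anim.gif": b"8BPS\x00\x01\x00\x00",     # PSD header behind .gif
        "c/clip.GIF": b"%PDF-1.7\n",               # PDF header behind .GIF
        "d/empty.gif": b"",                        # zero-length, also suspicious
        "e/report.pdf": b"%PDF-1.4\n",             # honest PDF, not reported
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_mismatched_gifs(root)

if __name__ == "__main__":
    for name, real in demo():
        print(f"{name}: extension .gif, header says {real}")
```

A hit from a check like this is a lead for further forensic review, not proof of compromise: benign tools also mislabel files.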

Citizen Lab Discovered the Zero-Click Vulnerability in Apple Devices: 

Citizen Lab, a cybersecurity firm of the University of Toronto, investigated the Apple phone of a Saudi activist, which was infected with Pegasus spyware, and discovered a zero-day, zero-click exploit in the iMessage application, an instant messaging service developed by Apple.

A zero-click attack is one in which attackers can infect the victim’s device without requiring any action or input from the device owner.

Cybersecurity experts from Citizen Lab named the zero-click exploit “FORCEDENTRY”. It targets Apple’s image rendering library and affects Apple iOS, macOS and watchOS devices.

They claimed that this vulnerability was exploited by the NSO Group using its surveillance tool, Pegasus, and that it has been in use since February 2021.

Citizen Lab reported this issue to the Apple team on September 7th, and Apple immediately released a security fix on September 13th. Apple assigned CVE-2021-30860 to the FORCEDENTRY exploit.

Our latest discovery of yet another Apple zero-day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. This spyware can do everything an iPhone user can do on their device and more. Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation-state espionage operations and the mercenary spyware companies that service them.

Citizen Lab Researchers

Here is the official report published by Citizen Lab on the zero-click attack: FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild – The Citizen Lab


Conclusion:

More than 1.65 billion Apple products worldwide have been vulnerable to NSO’s Pegasus spyware since March 2021, and Apple has patched a total of 15 zero-day vulnerabilities this year.

Recently, in June also, Apple rolled out a critical security patch for iOS, iPadOS, and macOS devices on 26th July 2021 to fix a zero-day vulnerability found in the IOMobileFrameBuffer module that was already being actively exploited.

Here is the full report on the Apple security fix released in July 2021 – Apple releases Security Patch for Zero-Day Vulnerability in iOS 14.7.1, iPadOS 14.7.1, and macOS 11.5.1.

NSO Group has still not responded to Citizen Lab’s report, but it has previously claimed that its products have been effectively used to thwart terrorism, find missing persons, break up criminal missions and assist search and rescue teams. However, there are reports from ‘Forbidden Stories’ and ‘Amnesty International’ that the same software is used by authoritarian governments, the UAE, Saudi Arabia, India and Mexican drug cartels to spy on opponents and critics.
