Global Spyware Attacks Spotted Against Both New & Old iPhones

Published: 23/11/2024   Category: security




Campaigns that wielded NSO Group's Pegasus against high-risk users over a six-month period demonstrate the growing sophistication and relentless nature of spyware actors.



Attackers have been targeting iPhone users around the globe in ongoing Pegasus spyware attacks. The campaigns show that cyber-threat actors are using both new exploits and older, unpatched devices to circumvent new preventative measures from Apple, researchers have found.

One of the multiple targeted campaigns observed over the last six months involved an iPhone user in the Middle East, and another a journalist in Europe using an iPhone 6 that is not supported by the latest iOS updates, researchers at Jamf Threat Labs reported in a recent blog post. Those updates include new threat notifications and Lockdown Mode from Apple, which can help warn someone if there is unusual activity on their device that could be related to spyware.
The attacks demonstrate how threat actors continue to evolve and grow in sophistication even as there is more awareness about spyware and prevention against these attacks, which are often used with malicious intent by governments to target dissidents or others who investigate or are unsupportive of policies or regimes, the researchers said.
"Modern spyware is very advanced and, as evidenced by the continued evolution of commercial spyware, continues to leverage zero-day vulnerabilities in both old and new devices to ensure any user can be effectively targeted," the researchers wrote in the post.
They also indicate that though the researchers were able to take a deep dive into devices involved in some of the recent attacks, there is no consistency in terms of how the individuals or organizations targeted investigate attacks after the fact. This makes it difficult to respond or prevent further attacks in a timely or comprehensive way, the researchers said.
Moreover, not all users impacted by spyware have been contacted by Apple, illustrating the challenges with maintaining a comprehensive list of indicators of compromise (IoCs) and with extracting relevant data remotely, they wrote.
Researchers specifically detailed two separate attacks that demonstrate how no iPhone is safe from being targeted, despite Apple's bolstering of preventative measures in its most recent updates to iOS.

One attack targeted an iPhone 12 Pro Max user in the Middle East who eventually was notified by Apple of suspicious activity on the device, which showed IoCs that Pegasus — the notorious spyware from Israel's NSO Group — was running.

Subsequent analysis from Jamf Threat Labs revealed traces of the libtouchregd process on the device, which Amnesty International has identified as an IoC associated with Pegasus spyware, the researchers said.
The device also yielded additional IoCs via subsequent analysis of the com.apple.CrashReporter.plist file, which is located within a root folder on iOS and serves as a configuration file for the system daemon ReportCrash, according to the researchers.

"Under normal operating conditions, applications are not granted permission to access or modify this file," the researchers wrote. Alteration of this file could potentially impede the reporting of crash logs to Apple. Additionally, the existence of the file is rare on devices belonging to normal users.
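The two indicators described above (a running libtouchregd process, and the unexpected presence of a com.apple.CrashReporter.plist file) are the kind of thing a responder would sweep for across a collected process list and file inventory. The script below is an added example, not code from Jamf Threat Labs or the article; it matches on the process name and on the plist filename only, because the article does not state the exact directory, and the sample listing it scans is constructed for illustration rather than taken from a real device.

```python
"""Sweep a device artifact listing for the Pegasus-related IoCs named in the article.

Input format (assumed for this example): one artifact per line,
  "proc <process name>"   for a running process
  "file <absolute path>"  for a file present on the device
Such a listing could be produced from a sysdiagnose or forensic backup export;
the one below is constructed sample data.
"""
from dataclasses import dataclass, field

# Indicators taken from the article. libtouchregd is the process Amnesty
# International associates with Pegasus; the CrashReporter plist is matched
# by filename because the article only says it lives in "a root folder".
IOC_PROCESSES = {"libtouchregd"}
IOC_FILENAMES = {"com.apple.CrashReporter.plist"}

# Constructed sample listing: benign system processes and files plus both IoCs.
# The directory for the plist is a hypothetical placeholder, not a confirmed path.
SAMPLE_LISTING = """\
proc launchd
proc backboardd
proc libtouchregd
proc SpringBoard
file /private/var/mobile/Library/Preferences/com.apple.locationd.plist
file /private/var/root/Library/Preferences/com.apple.CrashReporter.plist
file /private/var/mobile/Library/Logs/CrashReporter/placeholder.ips
"""


@dataclass
class ScanResult:
    process_hits: list = field(default_factory=list)
    file_hits: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        """True when any IoC matched; either indicator alone warrants escalation."""
        return bool(self.process_hits or self.file_hits)

    def summary(self) -> str:
        if not self.is_suspicious():
            return "no Pegasus IoCs matched"
        parts = []
        if self.process_hits:
            parts.append("processes: " + ", ".join(self.process_hits))
        if self.file_hits:
            parts.append("files: " + ", ".join(self.file_hits))
        return "IoC match -> " + "; ".join(parts)


def scan_listing(text: str) -> ScanResult:
    """Return every process and file line that matches a known IoC."""
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, value = line.partition(" ")
        value = value.strip()
        if kind == "proc" and value in IOC_PROCESSES:
            result.process_hits.append(value)
        elif kind == "file":
            # Compare the basename only; the parent directory is not part of the IoC.
            filename = value.rsplit("/", 1)[-1]
            if filename in IOC_FILENAMES:
                result.file_hits.append(value)
    return result


if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING).summary())
```

On the constructed sample the sweep flags both indicators; on a listing that contains only ordinary system processes it reports no match. Matching the plist by basename errs toward false positives, which is the right bias for a rare-file indicator: a hit is a prompt for full device analysis, not a verdict on its own.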
Apple sent a threat notification to the Middle East user late last year that a potential attack was occurring on the device and recommended updating it to iOS 16.2. The user subsequently engaged with security researchers to better understand the attack timeline and details, which resulted in a determination that Pegasus was used in the attack.
These findings have allowed Jamf Threat Labs to build a more robust profile on a device with proven compromise status, the researchers wrote.
Another spyware attack targeted an iPhone 6 — currently unsupported by the latest version of iOS — used by a journalist in Europe working for a global news agency, the researchers reported. The device also showed evidence of system crashes, similar to the phone in the Middle East scenario, that indicated it had been compromised.
However, even more suspiciously, investigators discovered files at an atypical location within iPhone’s strict file system, with one that was clearly masquerading as a built-in binary, the researchers wrote.
Based on this path and filename, we have strong reason to believe this may be a new indicator that can be used to assess if a device has been targeted, by a specific threat actor, they wrote. Though they could not conclusively identify the threat actor or the use of Pegasus, they said they notified Apple of a potential new IoC by the actor.
Moreover, an attack on an older device that's clearly unsupported by the latest Apple updates — including its enhanced threat-notification program — demonstrates the relentless nature of spyware actors, the researchers said.

"The continued targeting of older devices, such as the iPhone 6s, serves as a reminder that malicious threat actors will exploit any vulnerabilities in an organization's infrastructure, attacking wherever possible," they wrote.
Given the advanced and evolving knowledge base around spyware, there are numerous ways that organizations can protect users from being attacked. The latest campaigns demonstrate the most basic mitigation tactic, which is to ensure that all devices are running the most current OS and have all available security patches applied, the researchers said.
At the same time, organizations should practice similar hygiene on the corporate network, keeping all applications — both business oriented and personal — up to date and fully patched, as mobile application vulnerabilities are easily exploited and frequently overlooked by security teams, the researchers wrote.
Jamf also recommends running security software to monitor for suspicious activity on mobile devices and reporting it alongside all other endpoint monitoring dashboards to ensure they are treated with the same attention and urgency as desktops, laptops, and servers.
Other steps organizations can take to protect users include: monitoring communications for suspicious downloads, command-and-control (C2) indicators, and data exfiltration, and utilizing automated policy controls to block known bad activity before it can cause further damage.
High-risk users also should receive separate education about the symptoms of spyware — such as performance issues and frequent crashes — and be encouraged to use an iPhone's Lockdown Mode if necessary, the researchers said. This protects devices against these extremely rare and highly sophisticated cyberattacks.
