Zero-Click iPhone Exploit Drops Pegasus Spyware on Exiled Russian Journalist

Published: 23/11/2024   Category: security




The exploit is one of many that government and intelligence agencies have to infect target devices with the notorious surveillance tool.



A report this week about Pegasus spyware found on an iPhone belonging to award-winning Russian journalist Galina Timchenko has again highlighted the many ways that government and law enforcement agencies appear to have of delivering the odious surveillance tool to target devices.
Timchenko is an exiled Russian investigative journalist and co-founder of Meduza, a Russian- and English-language news site headquartered in Riga, Latvia. On June 22, Apple sent Timchenko a threat notification warning her that her device was likely the target of a state-sponsored attack. Apple's spyware threat notifications are designed specifically to assist users the company determines are being individually targeted because of who they are or what they do.
Meduza's technical director reached out to the University of Toronto's Citizen Lab for help understanding what the alert might mean. Citizen Lab researchers, who have earned a reputation over the years for their investigations into incidents of digital espionage, analyzed forensic artifacts from Timchenko's phone and quickly determined that someone had installed Pegasus on it in February.
Citizen Lab and Access Now, a nonprofit that advocates for human rights in the digital age, collaborated on the investigation of the incident and released two separate reports on it this week.
"We believe the infection could have lasted from days up to weeks after the initial exploitation," Citizen Lab said. "The infection was conducted via a zero-click exploit, and forensic traces lead us to assess with moderate confidence that it was achieved via the PWNYOURHOME exploit targeting Apple's HomeKit and iMessage." Neither Citizen Lab nor Access Now attributed the attack to any specific nation-state actor.
PWNYOURHOME is one of three iOS 15 and iOS 16 zero-click exploits that Citizen Lab previously determined NSO Group's clients used in 2022 to drop Pegasus on target iPhones. The two-phase zero-click exploit first targets the HomeKit smart-home functionality built into iPhones, and then uses the iMessage process to breach device protections and enable delivery of Pegasus.
The other two exploits that Citizen Lab uncovered were FINDMYPWN, a two-phase exploit that targets the iPhone's Find My feature and iMessage functionality, and LatentImage, another exploit that involves the iPhone's Find My feature.
The exploits are among a growing number targeting iPhone users. Just earlier this month, Citizen Lab reported finding a threat actor chaining together two zero-click zero-day vulnerabilities in iOS 16.6, then the latest version, to deliver Pegasus. Citizen Lab, which is tracking the exploit as Blastpass, described it as enabling Pegasus delivery without any user interaction and urged everyone to update their devices immediately.
In recent months, researchers have also disclosed other iOS vulnerabilities that attackers actively exploited before Apple became aware of them and fixed them.
Earlier this year, for instance, Kaspersky uncovered a multiyear spying campaign on iOS users in which a likely nation-state threat actor exploited as many as three zero-days in Apple's mobile operating system to break into target devices. Russia's intelligence agency, the Federal Security Service of the Russian Federation (FSB), blamed the attacks, without offering any evidence, on the US National Security Agency (NSA) and claimed they had affected thousands of the country's diplomats and other individuals.
There's no reporting so far to suggest that any of NSO Group's clients exploited the zero-day flaws Kaspersky reported to deliver Pegasus. But the flurry of exploits and vulnerabilities that researchers have discovered in the iOS environment recently suggests that adversaries, especially those with three-letter acronyms, have multiple ways to get the spyware onto targeted devices.
Meduza, which also posted a report on the incident Wednesday, described the spyware on Timchenko's iPhone as likely having allowed the perpetrator to access everything on her device: corporate passwords, correspondence, the names of Meduza staff, bank account details, and, most concerning, the identities of those collaborating with the news site who live in Russia. "They got everything," the report quoted Meduza's editor-in-chief Ivan Kolpakov as saying. "Everything they wanted."
Pegasus is a controversial surveillance tool for mobile devices from NSO Group, an Israeli firm that develops and sells surveillance and cyber intelligence tools to government, intelligence, and law enforcement. The spyware allows customers to access and extract pretty much anything they want from an iPhone, Android smartphone, or other mobile device. Once installed on a target device, Pegasus can intercept and transmit messages, emails, media files, passwords, and detailed location information. It also employs several sophisticated techniques to evade detection by antivirus and other threat detection tools.
NSO Group itself has maintained that it sells the technology only to authorized agencies for legitimate crime-fighting and surveillance purposes.
Critics, however, have sharply criticized the tool and NSO Group for enabling governments, especially in countries with poor human rights records, to spy on and attempt to silence journalists, dissidents, rights activists, and political opponents. In 2021, a leaked database of more than 50,000 phone numbers that various NSO Group clients had selected for surveillance listed some 180 journalists from countries including India, Hungary, and Mexico. The database also contained phone numbers belonging to numerous human rights activists, lawyers, union leaders, doctors, politicians, and diplomats.
Meduza quoted a senior researcher at Citizen Lab as saying NSO clients typically spend tens of millions of dollars and potentially more for access to Pegasus.
