Apple has released an emergency security update for iOS to fix three zero-day vulnerabilities exploited in targeted attacks against human rights activists, journalists, and other persons of interest.
The exploit chain built on the three bugs, dubbed Trident, was used to deliver a piece of high-end surveillance software called Pegasus, which researchers describe as "the most sophisticated attack seen on any endpoint." The spyware is modular, highly customizable, and uses strong encryption to evade detection. It is sold by NSO Group Technologies Ltd, a Herzelia, Israel-based company founded in 2010.
More importantly, it takes advantage of how integrated mobile devices are in people's lives, leveraging "the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists," mobile security firm Lookout explains.
The Trident Vulnerabilities
The vulnerabilities leveraged by this piece of malware were patched in iOS 9.3.5, released on Thursday, Aug. 25, 2016. The three issues are CVE-2016-4655 and CVE-2016-4656, both in the kernel, and CVE-2016-4657, in WebKit. According to Apple's advisory, iPhone 4s and later, iPad 2 and later, and iPod touch (5th generation) and later are affected.
CVE-2016-4655 is a kernel information leak: an application can read kernel memory and use the disclosed contents to work out where the kernel sits in memory, which defeats kernel address space layout randomization and is the prerequisite for reliably exploiting the second kernel bug. Apple addressed the issue through improved input sanitization.
CVE-2016-4656 is a kernel memory corruption bug that leads to arbitrary code execution with kernel privileges, i.e. a jailbreak. It affects both the 32- and 64-bit iOS kernels and can be triggered silently, so an attacker can jailbreak the device and install surveillance software without the user's knowledge. Apple addressed this bug through improved memory handling.
CVE-2016-4657 is a memory corruption bug in WebKit, the rendering engine behind Safari, that gives the attacker arbitrary code execution inside the browser process as soon as the user opens a crafted web page; this is the entry point of the chain, and the two kernel bugs are then used to escape the browser and take over the device. This issue was also addressed through improved memory handling.
The attack sequence and the NSO Group
To leverage these vulnerabilities, an attacker uses a classic phishing scheme over SMS: a text message containing a URL is sent to the victim. When the victim taps the link and the browser loads the page, the malicious web page exploits the three vulnerabilities in sequence and installs a persistent application that exfiltrates information, all without the user's consent or knowledge.
The exact same scheme was attempted on Aug 10 and 11 against Ahmed Mansoor, an internationally recognized human rights defender, Citizen Lab reveals. Mansoor received a text message promising information about detainees tortured in United Arab Emirates (UAE) jails. To access the purported details, he was supposed to click on an included link.
Instead, Mansoor sent the messages to Citizen Lab researchers who, in collaboration with Lookout, discovered that the link “led to a chain of zero-day exploits that would have jailbroken Mansoor’s iPhone and installed sophisticated malware.” Mansoor has been targeted with similar “lawful malware” before, in 2011 with the FinFisher spyware, and in 2012 with Hacking Team spyware, researchers reveal.
Citizen Lab explains that the link Mansoor received earlier this month is believed to be part of an exploit infrastructure provided by the NSO Group and notes that the same infrastructure has been also leveraged by the UAE-based Stealth Falcon APT group.
"NSO Group appears to be owned by a private equity firm with headquarters in San Francisco: Francisco Partners Management LLC, which reportedly acquired it in 2014 after approval from the Israeli Defense Ministry," Citizen Lab notes. Unlike similar organizations, NSO Group has tried to avoid media attention: it has no website, and there appears to be no prior technical analysis of its products.
The Pegasus software
The Pegasus spyware used by the NSO Group has been mysterious, with few technical details on it available online until now, although it was previously linked to a few attacks. “Much of the publicly available information about Pegasus seems to be rumor, conjecture, or unverifiable claims made to media about capabilities,” Citizen Lab says.
However, documentation found in the Hacking Team materials that leaked online last year suggests that the software may have been created in 2013 by Guy Molho, the Director of Product Management at NSO Group. According to that documentation, the group was offering two remote installation vectors for the spyware: zero-click and one-click. The one-click vector was used against Mansoor.
The zero-click vector instead delivers the malicious link in a special type of SMS, such as a WAP Push Service Loading (SL) message, which instructs the handset to open the link in a browser automatically, without any user interaction. Newer phone models have started to ignore this type of message, however, and network operators may soon block them altogether, researchers say.
The documentation also explains that the malicious website used for installation talks to a Pegasus Installation Server located on the operator's premises. When the victim visits the website, the request is forwarded to that server, which fingerprints the device, decides whether it can be exploited, and serves the appropriate exploit chain, such as Trident, to attempt infection. If the device is not exploitable or the infection fails, the victim is redirected to a legitimate website so as not to raise suspicion; this is also why a live, unclicked link was needed for researchers to capture the exploits.
Once a device has been compromised, the Pegasus spyware can survive on it even after the operating system has been updated. The Trident exploit chain is re-run locally on the phone at each boot and the spyware also disables Apple’s automatic updates, while searching for and removing other jailbreaks from the device, to ensure persistence. Moreover, the program can update itself to replace obsolete exploits.
Data collection and exfiltration
The spyware was built to actively record or passively gather a broad range of data on the infected device. The operator has full access to the phone’s files, messages, microphone and video camera, thus being able to turn it into a silent spying device.
While observing the variant used to target Mansoor, researchers were able to confirm this functionality and to determine what kind of data the attackers were after: phone calls (including those made via WhatsApp and Viber); SMS and messages sent via popular apps like Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, KakaoTalk, Telegram, and others; and personal data such as calendar data, contact lists, and passwords, including Wi-Fi passwords.
Collected data is sent to a Pegasus Data Server through the PATN (Pegasus Anonymizing Transmission Network), which appears to be a chain of proxy servers intended to hide the identity of the government client behind a particular operation. In the observed attack, two PATN nodes were used: aalaan.tv and manoraonline.net.
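A small triage helper, added here as an example rather than code from Citizen Lab, Lookout or NSO Group, ties together the delivery and infrastructure details above. It pulls the link out of an ordinary SMS or out of a WAP Push Service Loading (SL) document (the zero-click vector described in the Pegasus documentation section), flags SL actions that open the link without a tap, matches the link's host, including subdomains, against the two PATN nodes named in this report, and checks whether a device's reported iOS version predates the 9.3.5 fix. The sample messages, their URL paths, the `Finding` record and all function names are constructed for this example; only the two hostnames and the patched version number come from the report.

```python
"""Triage helper for Trident/Pegasus lure messages (added example, not the
researchers' code).  The sample messages below are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

PATCHED_VERSION = (9, 3, 5)                          # iOS 9.3.5 closed the three Trident bugs
KNOWN_PATN_HOSTS = {"aalaan.tv", "manoraonline.net"}  # PATN nodes named in the report
AUTO_OPEN_ACTIONS = {"execute-high", "execute-low"}   # SL actions that launch the URL unprompted

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    url: str
    host: str
    known_infrastructure: bool   # host is (a subdomain of) a listed PATN node
    auto_open: bool              # delivered via an SL push that opens without a tap


def parse_version(text: str) -> tuple:
    """'9.3.4' -> (9, 3, 4); tolerates a trailing build tag such as '9.3.4 (13G35)'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_unpatched(ios_version: str) -> bool:
    """True when the reported version predates the 9.3.5 fix (tuple order handles 9.3 < 9.3.5 < 10.0)."""
    return parse_version(ios_version) < PATCHED_VERSION


def host_is_known(host: str) -> bool:
    """Exact or subdomain match against the known PATN hosts."""
    host = host.lower().rstrip(".")
    return any(host == k or host.endswith("." + k) for k in KNOWN_PATN_HOSTS)


def urls_from_sl_push(body: str):
    """Parse a WAP Push SL document; return [(url, auto_open)] or [] if it is not an SL message."""
    try:
        root = ET.fromstring(body)        # expat does not fetch the external DTD
    except ET.ParseError:
        return []
    if root.tag != "sl":
        return []
    href = root.get("href", "")
    action = root.get("action", "execute-low")   # default action per the SL DTD
    return [(href, action in AUTO_OPEN_ACTIONS)] if href else []


def urls_from_text(body: str):
    """URLs in free-form SMS text; a tap is always required, so auto_open is False."""
    return [(m.group(0).rstrip(".,)"), False) for m in URL_RE.finditer(body)]


def triage(messages, ios_version: str):
    """Return (device_unpatched, [Finding, ...]) for a batch of captured messages."""
    findings = []
    for msg in messages:
        pairs = urls_from_sl_push(msg["body"]) if msg["kind"] == "sl" else urls_from_text(msg["body"])
        for url, auto_open in pairs:
            host = urlsplit(url).hostname or ""
            findings.append(Finding(url, host, host_is_known(host), auto_open))
    return is_unpatched(ios_version), findings


# Constructed sample batch: one lure SMS, one zero-click SL push, one cache-only SL push, one benign SMS.
SAMPLE_MESSAGES = [
    {"kind": "sms",
     "body": "New details on detainees tortured in UAE jails http://manoraonline.net/constructed-path"},
    {"kind": "sl",
     "body": '<?xml version="1.0"?>'
             '<!DOCTYPE sl PUBLIC "-//WAPFORUM//DTD SL 1.0//EN" "http://www.wapforum.org/DTD/sl.dtd">'
             '<sl href="http://news.aalaan.tv/constructed-path" action="execute-high"/>'},
    {"kind": "sl",
     "body": '<?xml version="1.0"?><sl href="https://example.com/cache-me" action="cache"/>'},
    {"kind": "sms",
     "body": "Your order shipped, track it at https://example.com/track/123."},
]

if __name__ == "__main__":
    unpatched, findings = triage(SAMPLE_MESSAGES, "9.3.4")
    print("device unpatched:", unpatched)
    for f in findings:
        print(f)
```

Run as a script, it prints the four findings for the constructed batch against a device on 9.3.4. In practice the host set would be extended with whatever indicators a responder holds, and the version check applies equally to iPhone, iPad and iPod touch builds, since all of them receive the fix in 9.3.5.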
Exploit infrastructure and other victims
The NSO Group has built an exploit infrastructure that has already been used against other targets, researchers reveal. The group has registered fake domains impersonating websites such as those of the International Committee of the Red Cross, the U.K. government's visa application processing service, and multiple news organizations and major technology companies to carry out its operations.
The researchers also identified a set of recurring themes in the bait content the group uses against victims, most of which pointed toward fake news articles as the delivery vehicle for the spyware. Other themes included online accounts, document sharing, shipment tracking, corporate account portals, and ISPs, much like the lures seen in other spear-phishing campaigns.
According to the researchers, the UAE and Mexico were the most heavily targeted countries, but targeting was also observed in Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain.
Among the other identified targets, Citizen Lab researchers name journalist Rafael Cabrera, who recently reported on the Casa Blanca controversy. Last year, Cabrera received messages supposedly coming from UNO TV, and which also included malicious links that match domains linked to the apparent NSO Group infrastructure.
Citizen Lab also found a past tweet discussing the opposition in Kenya, which contained a link to the NSO Group exploit infrastructure. The message was sent by a “Senior Research Officer” in the Office of the Senate Minority Leader and references Moses Wetangula who is the current Minority Leader of Kenya’s Senate.
Zero-days and surveillance software
The attack on Mansoor, researchers say, is clearly connected to the NSO Group’s Pegasus spyware suite, which is sold exclusively to government agencies. The investigation into the group’s activities, however, wasn’t triggered by this attack, as Citizen Lab had already mapped out a set of 237 servers linked to NSO Group before that.
What the attack did, however, was to allow researchers to visit the malicious links and to observe the exploits in action and to find the zero-day vulnerabilities and report them to Apple. Two weeks after the incident, a patch for these security bugs is already available for download.
“Apple has been highly responsive, and has worked very quickly to develop and issue a patch in the form of iOS 9.3.5, approximately 10 days after our initial report to them. Once an iPhone is updated to this most recent version, it will be immediately protected against the Trident exploit chain used in this attack. While we assume that NSO Group and others will continue to develop replacements for the Trident, we hope that our experience encourages other researchers to promptly and responsibly disclose such vulnerabilities to Apple and to other vendors,” Citizen Lab researchers note.
Zero-day exploits remain an important tool in any threat actor's arsenal, mainly because they are rare and tend to be very expensive, "especially one-click remote jailbreak exploits for iPhones, like the Trident," researchers say. Last year, exploit acquisition company Zerodium offered up to $3 million for iPhone exploits and ended up paying $1 million for a "remote browser-based untethered jailbreak" affecting iOS 9.1 and 9.2 beta. Earlier this month, Exodus Intelligence said it would pay up to $500,000 for iOS zero-day vulnerabilities.
When it comes to surveillance software, zero-days appear critical for continuous operations, and last year’s breach at the Hacking Team proved that. Among the hundreds of gigabytes of data stolen from the organization’s servers, researchers identified several exploits, including a zero-day for Adobe Flash Player.
As soon as next month, the European Union is expected to propose tighter rules on the export of dual-use technologies, such as those sold by Germany's FinFisher GmbH and Italy's Hacking Team, which have been used by repressive regimes to target activists and journalists.