Citizen Lab and Lookout researchers detected active spyware capable of exploiting three iOS zero-day vulnerabilities.
The vulnerabilities, collectively dubbed Trident, were combined into a malware named Pegasus by the NSO Group, an organization that reportedly specializes in “cyber war,” according to an August 25 Lookout blog post.
Pegasus is highly advanced in its use of zero-days, obfuscation, encryption and kernel-level exploitation, and the malware has been active for some time, the post said. Researchers believe the spyware has already been used in the wild for state-sponsored activities, including against a Mexican journalist who reported on corruption by Mexico's head of state, and against an unknown number of targets in Kenya.
The malware is spread, the post said, through a basic phishing attack sequence: a text message carrying a link, the web browser opens and loads the page, the page exploits the vulnerabilities, and persistent software is installed to gather information.
The issue was disclosed to Apple 10 days before the update was rolled out, and judging by the speed with which Apple responded, the vulnerabilities were treated as critical within Apple, Guillaume Ross, a senior security consultant at Rapid7, told SCMagazine.com via emailed comments.
“This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone, and then persists on to the device,” Ross wrote. “Jailbreak software is regularly released publicly, and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past.”
Ross said detecting attacks such as this is extremely difficult after the fact.

"We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” an Apple representative told SCMagazine.com on Thursday via emailed comments. “We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."
Zero-day attacks like Trident are extremely valuable in a world where IT is used as a weapon, and the vulnerabilities are especially valuable to nation-states looking to obtain data, Cesare Garlati, chief security strategist at the prpl Foundation, told SCMagazine.com on Thursday via emailed comments.
“The one thing that surprises me is the ease with which we attribute vulnerabilities to mistakes/errors in coding,” Garlati said. “I'm more and more convinced that some of these vulnerabilities are introduced on purpose, without the knowledge of the vendor, to serve nation-states.”
California Congressman Ted Lieu (D-Ca.) said in an Aug. 25 press release that he is alarmed but not surprised by the discovery of the vulnerability.
“I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security,” Lieu said. “I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns.”