Apple has patched Trident, a chain of three zero-day exploits designed to jailbreak a victim device and load it with spyware, after a human rights activist sounded the alarm.
Internationally renowned campaigner Ahmed Mansoor flagged a suspicious-looking text message sent to his iPhone containing what turned out to be a malicious link.
Instead of clicking he sent it to Toronto-based rights group Citizen Lab for inspection.
The ensuing investigation, in collaboration with Lookout Security, revealed a highly sophisticated exploit chain designed to deliver Pegasus – what Citizen Lab described as “a government-exclusive ‘lawful intercept’ spyware product designed by Israeli-based ‘cyber warfare’ research firm, NSO Group.”
The three zero-day vulnerabilities patched by Apple are: CVE-2016-4655, a kernel base mapping vulnerability that leaks info, allowing an attacker to calculate the kernel’s location in memory; CVE-2016-4656, a kernel-level flaw enabling an attacker to jailbreak the device and install spyware; and CVE-2016-4657 – a Safari WebKit bug which allows an attacker to compromise a device if the user clicks on a link.
Together, the three flaws – dubbed Trident – deliver Pegasus spyware, which Lookout claimed has been in the wild “for a significant amount of time” and “is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.”
The mobile security vendor continued:
“Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile — always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection.”
The malware allows a remote attacker to monitor emails, texts, location, browsing history, device settings, IM, microphone, phone calls, calendar records – literally anything the victim does on their device.
The shadowy NSO Group, which sold a majority stake to US private equity business Francisco Partners in 2014, appears to be similar to the notorious Hacking Team and UK-based Gamma Group – controversial firms which deal in selling hacking tools to governments.
“What makes this specific type of attack particularly sophisticated is in the amount of vulnerabilities that had to be chained to make it a seamless attack requiring very little user interaction,” explained Rapid7 senior security consultant, Guillaume Ross.
“Jailbreak software is regularly released publicly, and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past.”
The fact that Apple patched within around 10 days of notification proves the seriousness of the flaws, he added.