Application security, Threat Management

NSO Group escalates spyware tactics with 3 new iPhone zero-click exploit chains

NSO Group’s Pegasus Spyware Returns in 2022

The notorious NSO Group’s Pegasus spyware continues to pose a threat, despite reports it was winding down its operations. New zero-click exploits found by watchdogs at Citizen Lab targeted two different remote attack surfaces on iPhones running iOS 15 and 16.

PWNYOURHOME and FINDMYPWN are the first zero-click exploits to remotely and simultaneously target two Apple attack surfaces, according to Citizen Lab researchers. The use of zero-click exploits against iOS is not new, as past research showed similar tactics against iOS 14 devices with the NSO Group's Pegasus spyware.

NSO Group is notorious for the development and distribution of Pegasus spyware, widely used by both the private and government sectors across the globe for surveillance purposes against journalists, human and civil rights activists, politicians and other individuals.

In January, the Supreme Court denied the NSO Group’s petition for a writ of certiorari, which allowed an ongoing lawsuit against the Israeli company to proceed. Meta, which owns WhatsApp, has accused NSO of installing Pegasus on users’ devices through unlawful access of WhatsApp servers to conduct surveillance on 1,400 individuals.

The latest Citizen Lab research found three more zero-click exploits tied to the NSO Group being used to hack iOS 15 and iOS 16 devices. The tactics were discovered during their long-running investigation into NSO’s campaign against several Mexican human rights groups. 

Network defenders should take note that these new tactics demonstrate that NSO Group is escalating its attempts to stop researchers from analyzing their tactics by blocking all traces of infection. Even when they’re not successful, the group is certainly undermining these efforts.

The first, PWNYOURHOME, is an iOS exploit that could enable an attacker to infiltrate the iMessage app to modify the HomeKit software. The issue was disclosed to Apple, which later fixed the vulnerability in the iOS 16.3.1 update.

The attack is deployed in two phases, with each targeting a different iOS process. The first phase uses a daemon crash in the HomeKit app, then moves to download PNG images from the iMessage app, causing BlastDoor to crash. Citizen Lab could not determine how the exploit leaves BlastDoor, but they found the exploit later launches Pegasus through the iOS component called “mediaserverd.”

Fortunately, it appears use of Apple’s Lockdown Mode feature can successfully block PWNYOURHOME attacks levied by the notorious spyware vendor, as the function alerted users to the attempted attack visible through the notification display.

However, there are no indications NSO has stopped using the exploit, suggesting the group “may have figured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode.”

The second exploit, FINDMYPWN, effectively targets the fmfd process on the ‘Find My’ function of iOS 15.5 and iOS 15.6 devices. The exploit enables items to be written and deleted inside of the cache directory. Citizen Lab is limiting the forensic information it releases for the exploit, so as not to inform the NSO Group of possible evasion tactics.

A final exploit was observed after the researchers reassessed earlier forensics. LATENTIMAGE first appeared in January 2022 impacting iOS 15 devices. Evidence suggests the exploit also uses the ‘Find My’ function, but it’s initial access point is not confirmed.

For Citizen Lab, “the use of multiple attack surfaces should encourage developers to think holistically about device security, and treat the entire surface reachable through a single identifier as a single surface.”

What’s more, “modern exploit mitigations like pointer authentication codes significantly reduce attacker freedom to execute arbitrary code on a device,” researchers wrote. But PWNYOURHOME shows that “real-world attackers can, and do, find practical ways around these mitigations, such as by repurposing signed pointers located at known offsets in the iOS shared cache.”

As the NSO group continues these evasive tactics, Citizen Lab stressed that it’s “encouraging” that Lockdown Mode successfully notified targets of ongoing attacks. While no tool is a cure-all, the feature could go far in dampening the impact of similar attack methods.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.