News tracing an Apple iOS 14 zero-click exploit was used to deploy mobile spyware from Israeli-based company QuaDream on journalists, political opposition figures and an NGO worker has prompted discussion as to the wider impact of zero-click exploits on businesses at-large.
Just how dangerous are these new zero-click exploits to rank-and-file businesses?
Research issued April 11 by Canada-based Citizen Lab and Microsoft Threat Intelligence found that at least five people were hacked via the zero-click exploit that leverages an iPhone’s calendar to enter the device and infect it with spyware. The report said the victims were from North America, Central Asia, Southeast Asia, Europe and the Middle East.
Shridhar Mittal, chief executive officer at Zimperium, explained that there are two main classes of mobile spyware: nation-state level products like those from organizations such as QuaDream that often leverage zero-click vulnerabilities, and those that leverage less sophisticated delivery techniques — such as social engineering — to infect devices.
“While the delivery techniques vary, there are hardly any differences in the spying capabilities of both classes once the device has been infected,” said Mittal. “There’s no denying that these threats are real and continue to be a growing problem, which isn’t just impacting government entities and high-profile targets like journalists and activists, but it's a threat to all corporate employees.”
Zero-click exploits are cyberattacks that don't require user intervention to trigger the attack. These attacks are automatic and usually go undetected, executed without a trace as soon as the code hits the user’s device.
Chuck Everette, Field CISO at Virsec, said that zero-click exploits are terrifying and are considered the crown jewel of vulnerabilities.
While legitimate software vendors advertise such exploits only to governments and law enforcement, Everette said criminal groups have been found to pay to obtain them through other channels, a strategy that was seen with the Pegasus spyware in 2021.
“What is so disruptive about this spyware is that its ability to monitor, use the camera and geolocation functionalities, access and retrieve files, even get into hardened security areas such as the iOS keychain or even generating one-time passwords that can be used to bypass multi-factor authentication processes,” said Everette. “What makes this spyware variant so destructive is that it’s good at covering its tracks and utilizing Apple’s own native files in a ‘living-off-the-land' type of strategy. This makes it very difficult to detect, let alone protect against.”
Everette added that security teams need to start moving into a preventative mindset, being proactive instead of reactive. He recommends that security pros tell their users not to log-on to unknown websites.
“For a zero-click compromise to succeed it needs to load from a website or downloaded from an application that has been compromised,” said Everette. “For Apple devices running iOS 16 or Mac OS central lockdown mode is available to assist in protecting against attacks.”
On a broader level, Michael Covington, vice president of strategy at Jamf, said his team sees a steady stream of evidence that mobile devices are increasingly targeted by hackers. Because of a misguided perception that modern mobile devices are secure, Covington said organizations often fail to protect remote workers with the same level of attention provided to traditional computer devices.
The combination of increased attacks and an under-secured workforce results in more compromises and longer time periods between exploit and detection, not to mention remediation and post-event clean-up.
“Providing the attribution to QuaDream puts a spotlight on the commercial malware market that goes largely under-reported,” said Covington. “Many organizations make the incorrect assumption that malware, including mobile spyware like the NSO Group’s Pegasus, is a best-effort exercise. The reality is that there are commercial organizations employing full-time developers, consulting engineers, and customer support teams to help paying attackers target victims, silently launch attacks, maintain malware efficacy, and extract maximum value from a pay-to-use malicious service. It’s these well-funded, for-profit organizations that all vendors — not just security vendors — need to consider as they release and maintain products in all sectors.”
Shane Huntley, senior director of Google’s Threat Analysis Group (TAG), added that at this time there are limited options for security teams when it comes to addressing zero-click exploits. Huntley said the most important components are securing and managing devices as best as possible, as well as having strong security controls in place to mitigate any potential compromises.
“It’s the very reason TAG prioritizes countering zero-day exploits and encourages the industry to patch vulnerabilities quickly and efficiently for users and the ecosystem as a whole,” said Huntley. “It’s also why we publish our findings to raise awareness and are vocal in addressing issues surrounding the commercial spyware industry.”
QuaDream came to international attention in a 2022 Reuters report, which cited a company brochure that described its REIGN platform and a list of capabilities. REIGN is a suite of exploits, malware and infrastructure designed to exfiltrate data from mobile devices. Microsoft's report also said that QuaDream uses a zero-click iOS exploit that leverages the same vulnerability seen in NSO Group’s ForcedEntry exploit that deploys Pegasus spyware.