A recently observed Pegasus spyware infection campaign targeting tens of Al Jazeera journalists leveraged an iMessage zero-click, zero-day exploit for infection.
The Israel-based NSO Group, which has approximately 600 employees in Israel and abroad, made it to the spotlight several years ago, after security firms identified and analyzed Pegasus, a highly invasive spyware family that allows attackers not only to steal data from infected devices, but also turn on the camera and microphone.
The tool, NSO claims, has been developed for government use only, to help fight terrorism and crime. However, cybersecurity firms and human rights organizations have detailed multiple malicious attacks involving Pegasus, many of them targeting journalists and human rights activities.
In a newly published report, Canadian interdisciplinary laboratory Citizen Lab, which is based at the Munk School of Global Affairs & Public Policy at the University of Toronto, details a new series of attacks in which Pegasus infected “36 personal phones belonging to journalists, producers, anchors, and executives at Al Jazeera.”
The attacks, which were performed in July and August 2020, involved the use of a zero-click exploit in iMessage, a zero-day vulnerability in at least iOS 13.5.1, which allowed attackers to hack Apple’s iPhone 11 devices.
Dubbed KISMET, the exploit was used to target Al Jazeera personnel by at least four Pegasus operators, including two (SNEAKY KESTREL and MONARCHY) that Citizen Lab linked to the United Arab Emirates and Saudi governments, respectively. The former spied on 18 phones, while the latter on 15 phones.
Citizen Lab was able to identify attacks leveraging the KISMET exploit, which allows attackers to deploy malware without user interaction, after Al Jazeera investigative journalist Tamer Almisshal agreed to install a VPN application for Citizen Lab researchers, to monitor traffic metadata.
On July 19, 2020, the device visited a website known to be an installation server for NSO Group’s Pegasus spyware, and analysis of logs revealed hundreds of connections made to iCloud Partitions during a 54 minute timeframe, on the same day, suggesting that this was the infection vector.
Sixteen seconds after the infection occurred, the device was observed connecting to three IPs that it never communicated with before. Over the course of multiple hours, the device sent a total of 270 MB of data to these servers.
Al Araby TV journalist Rania Dridi was also targeted with Pegasus spyware, at least six times, with two of the attacks likely involving zero-day exploits. The first occurred on October 26, 2019, on iOS 13.1.3, while the second happened on July 12, 2020, on iOS 13.5.1. This attack, and another on July 23, used the KISMET zero-click exploit.
In the attacks against the 37 journalists, the NSO spyware operators employed infrastructure located in Germany, France, Italy and the UK. As cloud providers, they used Aruba, Choopa, CloudSigma, and DigitalOcean.
The implant used in these attacks can record audio from the microphone (including encrypted phone calls and ambient sounds), take pictures, track device location, and access stored credentials, including passwords.
The KISMET exploit, Citizen Lab’s researchers note, doesn’t appear to work on iOS 14, which was released with additional security protections. iOS device owners are advised to update to the new platform iteration as soon as possible, to ensure they are safe from attacks employing KISMET.
“The current trend towards zero-click infection vectors and more sophisticated anti-forensic capabilities is part of a broader industry-wide shift towards more sophisticated, less detectable means of surveillance. Although this is a predictable technological evolution, it increases the technological challenges facing both network administrators and investigators,” Citizen Lab concludes.