Apple has released an emergency software patch to plug a security hole Citizen Lab researchers discovered affecting all its operating systems, exploited to infect the iPhone of a Saudi activist with NSO Group’s Pegasus spyware.

Shortly after the citizen Lab disclosed the vulnerability, Apple released security updates for a zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch and urged users to update devices immediately. 

Citizen Lab discovered the zero-day zero-click exploit while analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware. The exploit, which Citizen Lab calls FORCEDENTRY, targets Apple’s image rendering library.

Researchers at Citizen Lab determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. Researchers believe that FORCEDENTRY has been in use since at least February 2021.

Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”

“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking. Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates the discovery of the spyware by investigatory watchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here,” said Citizen Lab researchers.

Here’s what security experts are saying:

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company:

Since Lookout and The Citizen Lab first discovered Pegasus back in 2016, it has continued to evolve and take on new capabilities. It can now be deployed as a zero-click exploit, which means that the target user doesn’t even have to tap a malicious link to install the surveillanceware. While the malware has adjusted its delivery methods, the basic exploit chain remains the same. Pegasus is delivered via a malicious link that’s been socially engineered to the target, the vulnerability is exploited, and the device is compromised, then the malware is communicated back to a command-and-control (C2) server that gives the attacker free reign over the device. Many apps will automatically create a preview or cache of links to improve the user experience. Pegasus takes advantage of this functionality to infect the device silently. 

NSO has maintained the stance that the spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations. Their proactive statements about the Citizen Lab are just another attempt at maintaining this narrative in the media. The recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims. 

This exemplifies how important it is for both individuals and enterprise organizations to have visibility into their mobile devices’ risks. Pegasus is an extreme but easily understandable example. There are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data. From an enterprise perspective, leaving mobile devices out of the greater security strategy can represent a major gap in protecting the entire infrastructure from malicious actors. Once the attacker has control of a mobile device or even compromises the user’s credentials, they have free access to your entire infrastructure. Once they enter your cloud or on-prem apps, they can move laterally and identify sensitive assets to encrypt for a ransomware attack or exfiltrate to sell to the highest bidder.

Kevin Dunne, President at Pathlock, a Flemington, New Jersey-based provider of unified access orchestration:

Businesses often focus on their servers and workstations as the primary targets for hacking and espionage. However, mobile devices are now used broadly and contain sensitive information that needs to be protected. Spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties.

To protect themselves against spyware, businesses should look at their mobile device security strategy. In the past, users could be trained to avoid spyware infections by looking out for suspicious SMS messages and not clicking on links from any numbers they did not recognize. However, spyware attackers have now engineered zero-click attacks, which can get full access to a phone’s data and microphone/camera by using vulnerabilities in third-party apps or even built-in applications. Organizations need to ensure control over what applications users download onto their phones and ensure they are up to date, so any vulnerabilities are patched.

John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company:

Once again, we see what looks like NSO Group tooling being involved in targeting activists and journalists with exploits that bypass even Apple’s sophisticated security. At some point, the cybersecurity industry will have to reckon with our over-emphasis on exploitation and finding bugs that are fueling increasingly brazen human-rights abuses enabled by technology.

Richard Melick, Director, Product Strategy for Endpoint Security at Zimperium:

What’s most concerning about this threat is the number of mobile devices that are susceptible. Threats like these will continue to target mobile devices because of the inherent principles that make them mobile: always connected and always on. Mobile phones are largely unprotected against advanced threats and exploits like these even though they are chock-full of personal, private, and corporate data. Unlike traditional laptops and desktops with advanced security installed, security in the mobile ecosystem is not considered a problem. But cybercriminals and malicious organizations like NSO will take advantage of the lack of security and oversight with mobile devices to steal the data they want when they want. With the amount of data stored on and accessible from a mobile device, there is no reason we should not be securing mobile phones with the same diligence we employ to protect our traditional desktops and laptops.