Citizen Lab researchers have discovered two independent Pegasus malware campaigns that targeted the prime minister’s office and other official UK government networks, as well as the Catalan presidents and members of civil society organizations.
What Happened?
Citizen Lab’s digital threat experts have identified a new zero-click iMessage attack that may have been used to install NSO Group malware on iPhones belonging to Catalan lawmakers, journalists, and activists, according to the lab.
HOMAGE is a previously undisclosed zero-click security issue in iOS that affects versions of the operating system prior to iOS 13.2 (the latest stable iOS version is 15.4).
We identified evidence of HOMAGE, a previously-undisclosed iOS zero-click vulnerability used by NSO Group that was effective against some versions prior to 13.2.
— Citizen Lab (@citizenlab) April 18, 2022
Between 2017 and 2020 HOMAGE was utilized in a campaign that targeted at least 65 individuals with NSO’s Pegasus spyware, as well as the Kismet iMessage attack and a WhatsApp issue, according to the report published by the researchers.
We saw evidence that multiple zero-click iMessage exploits were used to hack Catalan targets’ iPhones with Pegasus between 2017 and 2020.
We have identified signs of a zero-click exploit that has not been previously described, which we call HOMAGE. The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address. The WebKit instance in the com.apple.mediastream.mstreamd process fetched JavaScript scaffolding that we recovered from an infected phone. The scaffolding was fetched from /[uniqueid]/stadium/goblin. After performing tests, the scaffolding then fetches the WebKit exploit from /[uniqueid]/stadium/eutopia if tests succeed.
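A triage routine written for this article, not Citizen Lab’s own tooling, that walks a constructed per-device event log for the chain described above: the photostream lookup, then the mstreamd process fetching the /stadium/goblin scaffolding and the /stadium/eutopia stage. The log line format, device ids, host and path id are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log (one event per line). The format is invented for
# this example and is not a real iOS log format:
#   <device-id> <event> <process> <detail>
SAMPLE_LOG = """\
dev-A lookup com.apple.identityservices com.apple.private.alloy.photostream handle=operator@example.invalid
dev-A fetch com.apple.mediastream.mstreamd https://CONSTRUCTED-HOST/CONSTRUCTED-ID/stadium/goblin
dev-A fetch com.apple.mediastream.mstreamd https://CONSTRUCTED-HOST/CONSTRUCTED-ID/stadium/eutopia
dev-B fetch com.apple.mediastream.mstreamd https://CONSTRUCTED-HOST/CONSTRUCTED-ID/stadium/goblin
dev-C fetch com.apple.mobilesafari https://example.invalid/stadium/goblin
"""

MSTREAMD = "com.apple.mediastream.mstreamd"
PHOTOSTREAM = "com.apple.private.alloy.photostream"
# Path suffixes named in the report; the leading [uniqueid] segment is ignored.
STAGE_PATHS = {"scaffolding": "/stadium/goblin", "exploit": "/stadium/eutopia"}
# Verdicts ordered from weakest to strongest signal.
ORDER = ["lookup_only", "mstreamd_fetch", "scaffolding", "exploit_fetched"]
LINE_RE = re.compile(r"^(\S+)\s+(lookup|fetch)\s+(\S+)\s+(.+)$")


def classify_devices(log_text):
    """Return {device_id: verdict}; devices with no matching event are omitted.
    Any remote fetch by the photo-stream daemon is itself anomalous, so it is
    flagged even when the path does not match a known stage."""
    signals = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        dev, event, proc, detail = m.groups()
        if event == "lookup" and PHOTOSTREAM in detail:
            signals[dev].add("lookup_only")
        elif event == "fetch" and proc == MSTREAMD:
            signals[dev].add("mstreamd_fetch")
            path = urlparse(detail).path
            for stage, suffix in STAGE_PATHS.items():
                if path.endswith(suffix):
                    signals[dev].add("exploit_fetched" if stage == "exploit" else stage)
    # Report the strongest signal observed per device.
    return {dev: max(s, key=ORDER.index) for dev, s in signals.items()}


if __name__ == "__main__":
    for dev, verdict in sorted(classify_devices(SAMPLE_LOG).items()):
        print(dev, verdict)
```

dev-C is deliberately not flagged: the same path fetched by Safari rather than mstreamd is not the pattern the report describes.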
Catalan Members of the European Parliament (MEPs), every Catalan president since 2010, Catalan lawmakers, jurists, journalists, and members of civil society groups, along with their families, were targeted in these attacks.
The researchers say they are not aware of any zero-day, zero-click exploits launched against Catalan targets after iOS 13.1.3 and before iOS 13.5.1.
The university research lab has disclosed the vulnerability and given Apple the forensic artifacts required to investigate it. The lab states that it has no evidence that Apple customers using the most recent versions of iOS are at risk from HOMAGE attacks.
Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3. It is possible that the exploit was fixed in iOS 13.2. We are not aware of any zero-day, zero-click exploits deployed against Catalan targets following iOS 13.1.3 and before iOS 13.5.1.
The Citizen Lab has reported the exploit to Apple and provided them with relevant forensic artifacts. At this time, we do not have evidence to suggest that Apple device users on up-to-date versions of iOS are at risk.
As BleepingComputer explained, a suspected infection on a device belonging to a member of the Prime Minister’s Office was associated with Pegasus operators linked to the United Arab Emirates, while attacks on the UK’s Foreign and Commonwealth Office were associated with Pegasus operators linked to the United Arab Emirates, India, Cyprus, and the Kingdom of Jordan.
Finland’s Ministry of Foreign Affairs said in January that smartphones belonging to Finnish diplomats had been infected with NSO Group’s Pegasus spyware, after the discovery of the same malware on iPhones belonging to workers of the United States Department of State.
The spyware covertly penetrates mobile phones (and other devices) and is capable of reading texts, listening to calls, collecting passwords, tracking locations, accessing the target device’s microphone and camera, and harvesting information from apps.
Encrypted calls and chats can also be monitored. The technology can even maintain access to victims’ cloud accounts after the infection has ended.