Dubbed Trident, the newly discovered exploit chain utilizes three “zero-day” iOS vulnerabilities that allow an attacker to remotely jailbreak a user’s iPhone and install spyware capable of accessing the device’s camera, microphone, location information, calls and messages, the pair said.
Citizen Lab said the chain begins when a victim visits a maliciously crafted website – perhaps one sent via a phishing text message – which opens the door to arbitrary code execution. The second prong of the attack comes from an application that may be able to disclose kernel memory, while the third element is an application that may be able to execute arbitrary code with kernel privileges.
It’s that last bit that is used to jailbreak a device and essentially turn it into a “digital spy” in the user’s pocket via the installation of spyware software called Pegasus, Citizen Lab said.
“Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile – always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists,” Lookout wrote in its report.
Citizen Lab and Lookout said Apple was immediately notified about the exploits once they were confirmed on August 15.
Apple on Thursday released a patch in its iOS 9.3.5 update to close the vulnerabilities exploited by Trident. Apple said the fix applies to the iPhone 4s and later, iPad 2 and later and the 5th generation iPod touch and later.
The news comes on the heels of Apple’s announcement earlier this month that it would start offering cash rewards of up to $200,000 to hackers who come forward with information about security flaws in the company’s software.
How Trident was discovered
According to Citizen Lab and Lookout, the exploits were discovered by tracing the source of suspicious text messages sent to Ahmed Mansoor, a human rights activist based in the United Arab Emirates (UAE). Mansoor, who had previously been the target of two other spyware attacks in 2011 and 2012, forwarded the dubious message on to Lookout and Citizen Lab for investigation.
Citizen Lab said it recognized the links sent to Mansoor as part of an exploit architecture linked to NSO Group, an American-owned, Israel-based “cyber war” company. NSO is the company behind Pegasus, a government-exclusive spyware product, Citizen Lab said.
In an August 2014 interview with the Wall Street Journal, NSO co-founder Omri Lavie likened the company’s operations to being a “ghost.” Lavie said NSO’s techniques were “totally transparent to the target” and “leave no traces.”
How it works
The initial phase of the infiltration through the one-click vector looks innocent enough.
Citizen Lab said the websites used in the initial link of the exploit chain have used fake domains to impersonate reputable sites – like those of Google, Facebook and WhatsApp as well as news organizations like the BBC, CNN and Univision, telecommunications companies like Mexico’s TelCel and Iusacell and shipment tracking companies like FedEx – to help induce clicks. Researchers found 38 percent of lookalike websites imitated news media, while 25 percent mimicked internet service providers or telcos and 18 percent impersonated streaming or sharing media sites.
But from that initial click, things quickly – and invisibly – turn ugly.
Once the rest of the exploit chain is completed and Pegasus spyware is installed on the device, an attacker gains full access to a device’s data. Citizen Lab said Pegasus can either actively or passively access a phone’s files, messages, microphone and camera. Targeted data can include regular voice calls or those made through WhatsApp and Viber; SMS messages and messages from apps like Gmail, WhatsApp, Skype, Facebook and others; and personal data like calendar information, contact lists, and passwords, Citizen Lab said.
Based on the evidence found in its investigation with Citizen Lab, Lookout said the Pegasus spyware appears to have been “in the wild” for a while – even dating back to iOS 7. Lookout said it believed the tool was being used to attack “high-value” targets, including “high-level corporate espionage on iOS, Android and Blackberry.”
Citizen Lab said it has found evidence that “state-sponsored actors” have used similar tactics to attack a Mexican journalist who outed top-level corruption in that country and an unknown target in Kenya. In Mansoor’s case, Citizen Lab said it concluded the UAE government was the “likely operator” behind the targeting.
Lookout on Thursday urged all Apple users to update to the latest version of iOS immediately to shield themselves from Trident attacks.