Posted: 3 Min ReadThreat Intelligence

Pegasus Spyware Takes Flight Again

Symantec solutions help detect, filter, and block the threat.

The recent iOS 14.8 update fixes a zero-day, zero-click exploit for a vulnerability affecting every mobile iOS device. The flaw, dubbed FORCEDENTRY (CVE-2021-30860), resided in Apple’s iMessage and, according to a report by The Citizen Lab, was used to push NSO Group’s Pegasus spyware to mobile iOS devices dating back to as far as February 2021. 

Pegasus has been around for some years now but has been back in the spotlight recently following reports from both The Citizen Lab and Amnesty International about the spyware targeting journalists, activists, and others.

One of the main concerns with FORCEDENTRY is that it can be used in what is called a zero-click attack, meaning it requires no user interaction. An attacker exploiting the flaw only needs the Apple ID of a device in order to silently compromise it

This post will cover what is currently known about the Pegasus threat, how common it is, and how Symantec, a part of Broadcom Software, is keeping its customers safe from the spyware.

The Pegasus Threat

Developed by Israeli cyber arms firm NSO Group, Pegasus is a sophisticated and elusive mobile spyware that has been around for some years now. Pegasus has the ability to read messages, track calls, track device location, collect passwords, and access the target device's microphone and camera. 

According to NSO Group, Pegasus is sold to nation-states and law enforcement to help in the fight against crime and terrorism, and to maintain public safety. Despite this statement, misuse of the software has been flagged over the years and Symantec has had a long-standing capability to detect it. 

A recent report uncovered attacks exploiting vulnerabilities in Apple's iMessage service in order to install Pegasus. The attack only needs the Apple ID - an email or phone number - to infect the targeted mobile device.

The attack payload uses iMessage fields that are "hidden" from the user; in fact, if the iMessage text field is blank, no alerts or notifications are shown at all. This type of iMessage zero-click attack dates back to iOS 11 and research done by the Google Project Zero team.

The payload exploits vulnerabilities in the iMessage framework, such as exploiting the PDF processor by sending a maliciously crafted PDF to achieve arbitrary code execution (fixed in the iOS 14.8 update). Further, the attack execution takes place entirely inside the iMessage framework’s sandbox processes and is wiped when the device restarts. 

How Common is the Threat? 

Suffice to say, this makes measuring the scope of the Pegasus threat challenging. The best clue left behind by a FORCEDENTRY attack is the resulting web traffic it generates when it tries to download Pegasus spyware framework files.

Reports from Amnesty International listed known Pegasus infection URLs. We ran that list against the Symantec WebPulse URL reputation service used by Symantec Endpoint Protection Mobile to identify and block suspect web traffic. We found close to 1 in 150,000 iOS devices attempting to access a known Pegasus infection URL. While this number might seem low, this is only one part of the kill chain and the list of known infection URLs is by no means exhaustive.

In any case, Symantec WebPulse was able to identify the URLs as potential risks or malicious, and stop the infection and kill chain - even if it contained zero-day exploits and required zero user clicks - dead in its tracks. 

How is Symantec Solving the Problem?  

Symantec Endpoint Protection Mobile analyzes links contained within SMS messages, shielding users from attacks by checking URLs (even those that might be hidden to the user) against the threat intelligence in Symantec WebPulse, part of the Symantec Global Intelligence Network.

Symantec Endpoint Protection Mobile provides protection against network content threats, filtering and blocking communication to known command-and-control servers used in Pegasus campaigns (the same WebPulse global URL intelligence information is embedded in both our Windows and Mac Symantec Endpoint Protection agents). It can also identify and protect vulnerable iOS & Android devices. For more details around coverage see the Pegasus Spyware Protection Bulletin from the Symantec Security Center. 

Patches for FORCEDENTRY are available for macOS, iOS, iPadOS, and watchOS, and users are advised to apply these patches as soon as possible.

Conclusion

Apple addressed the FORCEDENTRY vulnerability quickly with its iOS 14.8 update. However, with the iMessage framework increasingly a target for threat hunters, we expect many more fixes to come. We also expect the number of attacks targeting iOS devices will follow similar attack patterns used by Pegasus. Unfortunately, with limited visibility into the attack payload and kill chain, attackers know they can easily evade detection. 

All this highlights how important it is to have mobile endpoint protection as part of a layered network defense strategy to prevent known and unknown (zero-day) attacks targeting mobile devices. 

About the Author

Kevin Watkins

Security Researcher

Kevin is a security researcher in Symantec's Modern OS Security (MOS) division. He's constantly researching new and innovative ways to automate discovery of threats impacting mobile users.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.