Wed | Sep 13, 2023 | 5:45 AM PDT

Alarming details have emerged about the exploitation of two Zero-Day vulnerabilities to deploy NSO Group's Pegasus commercial spyware on iPhones.

These vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, were actively abused as part of a zero-click exploit chain, according to security researchers at The Citizen Lab

In response to this threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning to government agencies, emphasizing the need to secure iPhones and other Apple devices against this insidious spyware.

Citizen Lab uncovers Pegasus Zero-Day on iPhones

Citizen Lab, based at The University of Toronto's Munk School, uncovered the exploitation of two Zero-Day vulnerabilities that allowed attackers to compromise fully-patched iPhones running iOS 16.6. The group discussed how they discovered these vulnerabilities in the wild:

"Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group's Pegasus mercenary spyware. 

We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.

The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Citizen Lab says that it immediately disclosed these findings to Apple and assisted in its investigation. Apple followed up with a security update last week.

In response to the seriousness of the situation, CISA acted swiftly by adding these Zero-Day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. 

Federal Civilian Branch Agencies (FCEBs) were given a deadline of October 2, 2023, to patch the vulnerabilities on iPhones, iPads, and Macs specified by Apple. CISA's actions reflect the critical need for government agencies to secure their devices promptly, given the potential implications of a successful compromise.

Saeed Abbasi, Manager of Vulnerability and Threat Research at Qualys, shared his thoughts on the vulnerabilities and why most iPhone users shouldn't have any cause for alarm:

"These highly-sophisticated and targeted attacks are generally designed to compromise specific individuals or groups, possibly orchestrated by entities with substantial resources and expertise at their disposal.

If individuals or organizations do not patch their devices promptly, the vulnerabilities could potentially be exploited by other malicious actors, which might lead to a broader spread. This could be worsened if the details of the exploit become public knowledge, allowing other groups to utilize similar tactics."

Pegasus spyware and the controversial NSO Group

Over the past few years, NSO Group, an Israeli spyware company, has been at the center of numerous controversies. Its infamous spyware tool, Pegasus, has been utilized by both criminal organizations and nation-states to target high-profile individuals, including activists, journalists, politicians, and business leaders.

In 2021, the United States government took a strong stance against NSO Group by blacklisting the company. This action was prompted by NSO's knowledge of their spyware being used maliciously by foreign governments.

In 2022, it came to light that several senior officials within the European Union had fallen victim to the Pegasus spyware. Despite NSO Group's denial of involvement, Apple has initiated legal proceedings against the company, referring to them as an "abusive state-actor." This legal action is in response to NSO's ability to exploit previously unknown, or Zero-Day, vulnerabilities to hack iPhones.

Amidst the turmoil and scrutiny the company has faced, NSO Group's long-standing CEO, Shalev Hulio, made the decision to step down in August of 2022. The company also let go of 100 employees, when the company was only 700 employees large.

While some might have thought the company would be turning over a new leaf in 2023, many others had a feeling that the group would find a way to remain controversial. Georgia Weidman, Security Architect at Zimperium, was one of those people. She discussed the NSO Group with SecureWorld News:

"When we talk about nation-state adversaries, NSO is one of the companies that sells exploits to the nation-states. It's no surprise that they have more, and it will be no surprise that they will have more in the future.

The good news about offensive cybersecurity companies is that they treat their exploits as their crown jewels and do not allow them to be widely used and only use them in a targeted fashion. When they slip up and we find out about them, vendors patch, they use their backup set up exploits, and we continue the arms race.

While there is the case with NSO in particular, there are other groups that are less economically motivated and more interested in creating chaos and disruption. Because the NSO Group's customers are nation-states, they can afford to hoard exploits that might otherwise net them a million-dollar bug bounty from Apple or Google."

The recent findings by Citizen Lab, coupled with the swift response from CISA and Apple, underscore the ever-present and evolving nature of cybersecurity threats.

Government agencies, as well as individuals and organizations, must prioritize security measures and remain vigilant against such highly sophisticated attacks.

Timely patching, adopting Apple's Lockdown Mode when necessary, and staying informed about emerging threats are critical steps in safeguarding against threats such as Pegasus spyware. The collaboration of cybersecurity experts, government agencies, and technology vendors remains essential in the ongoing battle to secure digital ecosystems.

Follow SecureWorld News for more stories related to cybersecurity.