By Bruce Sussman
Tue | Sep 14, 2021 | 3:45 AM PDT

Do any of your employees use iPhones for organizational apps, data, or messaging?

If so, you'll want to know about Citizen Lab's September bombshell and consider what it may mean for your organization.

The Toronto-based research group works to protect journalists and activists from cyberattacks and spyware. And oftentimes, they come across new tech-enabled spying efforts from Israel-based NSO Group, which claims to carefully vet sales of its spyware. 

This time, they discovered something new, something that led to an urgent patch for iPhones and some other Apple devices.

Here is what we know so far.

Citizen Lab discovers zero-day and zero-click spyware

Think of the efforts you put into your security awareness program. You want to make your end-users the strongest line of defense possible and convince them not to click.

But in this case, that is irrelevant. Citizen Lab explains how a recently discovered piece of spyware operates, one that does not require users to click anything:

"While analyzing the phone of a Saudi activist infected with NSO Group's Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage. The exploit, which we call FORCEDENTRY, targets Apple's image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.

We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has been in use since at least February 2021.

The Citizen Lab disclosed the vulnerability and code to Apple, which has assigned the FORCEDENTRY vulnerability CVE-2021-30860 and describes the vulnerability as processing a maliciously crafted PDF may lead to arbitrary code execution.

Today, September 13th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices."

What tipped off the Citizen Lab researchers? There were a number of clues, but they discovered the spyware's payload making 27 copies of an identical file with a ".gif" extension. So they looked deeper. And despite the ".gif" extension, each file was actually a 748-byte Adobe Photoshop file. 
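The clue above, a file whose extension says one format while its bytes say another, is something a defender can check for mechanically. The following Python triage script is an added example, not code from the article or from Citizen Lab: it compares each file's leading magic bytes with its extension and counts byte-identical copies. The sample corpus, its paths and its contents are constructed here; the GIF and PSD signatures are the standard ones.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

# Standard file signatures (magic bytes) for the two formats in question.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),  # Adobe Photoshop document
}


def identify(data: bytes) -> str:
    """Return the real format of a blob from its leading bytes, or 'unknown'."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return "unknown"


def triage(files: Dict[str, bytes]) -> dict:
    """Flag files whose extension disagrees with their content and count
    identical copies. `files` maps a path to its raw bytes."""
    mismatches: List[Tuple[str, str, str, int]] = []
    hashes: Counter = Counter()
    for path, data in files.items():
        ext = path.rsplit(".", 1)[-1].lower()
        real = identify(data)
        # Only flag when the extension claims a known format and the bytes disagree.
        if ext in MAGIC and real != ext:
            mismatches.append((path, ext, real, len(data)))
        hashes[hashlib.sha256(data).hexdigest()] += 1
    duplicates = {h: n for h, n in hashes.items() if n > 1}
    return {"mismatches": mismatches, "duplicates": duplicates}


# Constructed sample corpus: three ".gif" files that really carry a PSD header,
# padded to 748 bytes to mirror the size reported in the article, plus one true GIF.
FAKE_PSD = b"8BPS" + b"\x00" * 744
SAMPLE = {
    "attachments/a.gif": FAKE_PSD,
    "attachments/b.gif": FAKE_PSD,
    "attachments/c.gif": FAKE_PSD,
    "attachments/real.gif": b"GIF89a" + b"\x00" * 10,
}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for path, ext, real, size in result["mismatches"]:
        print(f"{path}: extension .{ext} but content is {real} ({size} bytes)")
    for digest, count in result["duplicates"].items():
        print(f"{count} identical copies of {digest[:12]}...")
```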

Here are the devices and operating systems affected by this spyware:

  • All iPhones with iOS versions prior to 14.8
  • All Mac computers with operating system versions prior to OSX Big Sur 11.6
  • Security Update 2021-005 Catalina
  • All Apple Watches prior to watchOS 7.6.2.

NSO spyware: what does it mean for organizations?

So what does news of zero-day and zero-click spyware mean for organizations, as they consider the prevalence of Apple-powered endpoints across the organization?

Hank Schless, Senior Manager of Security Lookout, thinks of it in this way:

"This exemplifies how important it is for both individuals and enterprise organizations to have visibility into the risks their mobile devices present. Pegasus is an extreme, but easily understandable example.

There are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data."

To mitigate these risks, Schless says you need both strategy and implementation: 

"From an enterprise perspective, leaving mobile devices out of the greater security strategy can represent a major gap in the ability to protect the entire infrastructure from malicious actors.

Once the attacker has control of a mobile device or even compromises the user's credentials, they have free access to your entire infrastructure.

Once they enter your cloud or on-prem apps, they can move laterally and identify sensitive assets to encrypt for a ransomware attack or exfiltrate to sell to the highest bidder."

And Kevin Dunne, President at Pathlock, says cases like this one are a reminder about where security teams should be putting resources:

"Businesses often focus on their servers and workstations as the primary targets for hacking and espionage. However, mobile devices are now used broadly and contain sensitive information that needs to be protected. Spyware is primarily targeting these mobile devices and providing critical information to unauthorized parties."

And Dunne says this makes rapid patching even more crucial: 

"Organizations need to make sure they have control over what applications users download onto their phones, and can ensure they are up to date so any vulnerabilities are patched."

See the urgent patch details for iOS 14.8 and iPadOS 14.8

Citizen Lab conclusion: messaging platforms a 'soft hacker target'

Going beyond the organizational level, Citizen Lab zooms all the way out to criticize NSO Group and the "customers" who pay for the kind of extreme and silent access the group just revealed:

"Our latest discovery of yet another Apple zero-day employed as part of NSO Group's arsenal further illustrates that companies like NSO Group are facilitating 'despotism-as-a-service' for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed."

And it warns journalists, activists, and organizations alike: messaging platforms are a constant target of NSO spyware:

"Our finding also highlights the paramount importance of securing popular messaging apps. Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation-state espionage operations and the mercenary spyware companies that service them.

As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited."

Read the complete Citizen Lab report here.