NSO Group’s Spyware Targets iPhones with New Zero-Click Exploits
Recent findings from Citizen Lab reveal that NSO Group, an Israeli spyware manufacturer, executed at least three new “zero-click” exploits against iPhones in 2022. These advanced techniques were employed to bypass Apple’s robust security measures and deploy the notorious Pegasus spyware. This information raises significant alarms regarding the vulnerabilities faced by mobile devices and their users.
According to the report from Citizen Lab, NSO Group’s spyware was effectively used against civil society figures worldwide, particularly those involved in human rights advocacy. Targeted individuals included members from Centro PRODH, an organization that represents victims of extrajudicial killings by the Mexican Army, with attacks documented as recently as June 2022.
The methods employed in these attacks involved intricate exploit chains leveraging vulnerabilities in iOS versions 15 and 16, ultimately facilitating Pegasus deployment. Among these exploits were LATENTIMAGE, FINDMYPWN, and PWNYOURHOME. Each targeted specific features within iOS, exploiting flaws in the Find My service and iMessage functionality and thereby circumventing protective mechanisms such as the BlastDoor sandbox.
This revelation is particularly pertinent in light of NSO Group’s controversial history. Although presented as a tool for law enforcement to combat severe offenses such as terrorism and child exploitation, Pegasus has been disproportionately misused by authoritarian regimes to surveil journalists, activists, and dissidents. Consequently, the U.S. government placed NSO Group on its trade blacklist in late 2021, with Apple initiating legal actions against the firm.
The implications of NSO’s tactics extend beyond immediate surveillance concerns. For instance, recent evidence suggests that the newly introduced Lockdown Mode on iPhones successfully thwarted a PWNYOURHOME attack. This event marks a significant milestone, being the first documented instance where the mode has effectively protected a user from a compromise.
Despite these measures, experts caution that NSO Group may have adapted its strategies to evade Lockdown Mode’s notifications, which increases the importance of consistent software updates and proactive cybersecurity practices. Jamf Threat Labs also highlighted ongoing targeting of individuals, including a journalist with an older iPhone model, illustrating that even legacy devices are not immune to exploitation.
The ongoing threat posed by advanced spyware reinforces the necessity for all users, particularly business owners, to remain vigilant. The UK’s National Cyber Security Centre recently warned of the rising threat posed by commercially available cyber tools, indicating that both state and non-state actors could exploit these capabilities to facilitate espionage activities.
In light of these findings, it is imperative for organizations to adopt proactive cybersecurity measures, such as regular software updates and, where viable, enabling Lockdown Mode to reduce exposure to potential attacks. The evolution of techniques employed by groups like NSO underscores an urgent need for enhanced awareness and responsiveness in the face of emerging cyber threats. Understanding the relevant MITRE ATT&CK tactics, such as initial access and privilege escalation, will further equip businesses to defend against these sophisticated threats.