An investigation titled the Pegasus Project by 17 media organizations and Amnesty International's Security Lab uncovered that surveillance software from NSO Group purportedly used by governments to target criminal and terror suspects is actively being utilized to target journalists, activists and dissidents. As a result, the security industry has dubbed this, the Pegasus Spyware, which bears a remarkably similar resemblance to the recent spyware activity surrounding FinSpy.
What is the Pegasus spyware?
Pegasus, developed by Israeli surveillance firm NSO Group, is one of the most powerful pieces of targeted spyware affecting mobile devices today. According to a recent Amnesty International investigation, it:
“allows an attacker complete access to the device’s messages, emails, media, microphone, camera, calls and contacts.”
The earliest version of Pegasus, discovered by researchers in 2016, infected phones via a spearphishing attack, which required users to click on a malicious link sent to them via text or email. Since then, Pegasus has become more advancedand can now be delivered through “zero-click” attacks, which do not require any user interaction to deliver their payload. These attacks typically exploit zero-day vulnerabilities or unknown bugs in the operating system that have yet to be patched by the manufacturer.
In 2019, WhatsApp revealed that Pegasus had been used to attack more than 1,400 devices with spyware by exploiting a zero-day vulnerability. In a report by the The Guardian, a malicious WhatsApp call to a victim’s device would install Pegasus, even without the victim answering the call.
Bad actors have recently been using Pegasus to exploit vulnerabilities in iMessage, potentially gaining backdoor access toiPhone 11 and iPhone 12 models. Amnesty International reports that “thousands of iPhones have potentially been compromised” in the wild. In a statement to the Guardian, Apple says that “Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place” while also emphasizing that they “continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Pegasus, which can infect iPhones and Android devices, effectively turns a smartphone into a surveillance device. It can reportedly copy messages you send or receive, collect your photos and record your calls. It can activate the microphone to listen in on calls, or silently turn on the camera to record what’s going on around you. Using the vast amounts of data collected by devices, it can also potentially pinpoint your current location as well as where you’ve been and with whom.
Many organizations and security teams may rightly see this as a risk to not only the privacy, integrity and confidentiality of their employees, processes, infrastructure but also their data. As such, Pegasus and its associated vulnerabilities, are now top of mind for much of the security world as potential threats that needs to be mitigated within their organizations.
Various organizations are actively working to mitigate the risk associated with Pegasus more broadly. Amazon, for example, has reportedly shut down various services that Pegasus relied on earlier today according to a report by Reuters.
Our analysis of the Pegasus spyware and its supporting infrastructure indicates that this specific attack is currently being blocked for customers who activate network security policies in Jamf Protect. However, given the elusive nature of the software and that this exploit is now known to a wide range of malicious attackers, we anticipate variations to emerge that attempt to circumvent these and other controls being put in place until the exploited vulnerability is patched.
Affected devices and indicators of compromise
At this time, it is known iOS or iPadOS 14.6 and earlier are vulnerable to the iMessage exploit mentioned above. Android devices are also assumed vulnerable at this time, but the focus of recent exploitation by Pegasus seems to be on Apple’s mobile devices based on iOS.
A full technical investigation into Pegasus including details on detection logistics can be found on Amnesty’s Security Lab.
As with all zero-day vulnerabilities, their power and value lie in the fact that they are not currently known to the software developer or there may not be a patch available to mitigate the risk. As of this blog’s publishing, Apple has not yet released a patch to this vulnerability.
We strongly suggest that organizations actively monitor their mobile device’s log activity for indicators of compromise. This will help detect any impacted devices and allow for a quick response and remediation effort.
Additionally, there are a number of security recommendations based on industry best practices that also apply to mobile devices in helping to mitigate risks like this one, and other future threats, that you may want to consider:
- Device Security:
- Ensure all devices are running the latest software. Yes, even for mobile devices, the “patch fast, patch often” mantra applies. Ensure that you have an organized process to roll out OS and app updates across your mobile fleet just as quickly as you do for your other devices.
- Implement a vulnerability monitoring and patch management process to improve timely responses to future exploits. Yes - even on mobile devices.
- Implement an app vetting workflow that ensures only approved apps have access to corporate data. By strictly controlling what apps are available on devices you can reduce the attack surface further.
- Data Security:
- Review managed app permissions for excessive data collection, if an app is exploited and it hasn’t been given access to contacts, calendar, photos, camera, microphone, etc, then the threat is easier to contain.
- Implement conditional access policies that prevent work applications (with sensitive data) from being accessed when the mobile device has risky apps installed. Conditional access policies implemented on the device can be highly effective even with unmanaged devices.
- Network Security:
- Deploy a security solution with inspection capabilities at the network layer to identify transactions that are indicative of a compromised device. Ensure that network visibility is active on all network interfaces and not just when the device is on the corporate campus.
- Utilize network security policies to block malicious downloads, command and control (C2) traffic, and data exfiltration.
- Deploy a mobile security solution with zero-day detection capabilities to monitor at scale for anomalous behavior (such as a sudden pattern of communication with untrusted foreign servers).
- When a new threat is identified, attempt to isolate the threat and limit its ability to function. When WhatsApp was being used by Pegasus a while back, Wandera customers were able to respond by blocking WhatsApp connections at the network level to manage the risk while they waited for a patch. Since the current round of attacks seem to be focused on iMessage, consider what the impact to your organization and your employees would be were you to disable iMessage traffic, for example.
As you read through this list of potential remediation options, you’ll notice a trend. All of these are strategies we commonly employ for Mac, Windows and Linux devices or VMs. Mobile devices are a primary vector for an attacker to infiltrate your organization and we have to start securing them with the same strategies we use for other computing devices.
Learn more about protecting mobile devices with Jamf Protect.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.