NSO Group iMessage Zero-Click Exploit – Patched by Apple
On September 13, 2021, researchers at Citizen Lab published a report describing an iMessage zero-click exploit they code-named FORCEDENTRY (CVE-2021-30860). The exploit was discovered through analysis of a Saudi activist's iPhone and requires no user interaction to deliver its payload. The payload is believed to be the PEGASUS malware built by NSO.
Citizen Lab timed the report's release to coincide with Apple's publication of a patch for the vulnerability. All users with a Mac, iPhone, or Apple Watch are advised to update their systems immediately.
NSO’s Pegasus — Discovery
Citizen Lab discovered, and Apple confirmed, a 0-day exploit in PDF processing. Specifically, the exploit is triggered through the CoreGraphics image rendering library, and it can be activated through iMessage without user interaction. Previous exploits used by NSO have typically left some artifact of the message that delivered them; in this case, however, the user would likely have no way to notice any anomaly.
Severity Level – 7.8 High (NVD)
The iMessage exploit can be discovered without a jailbreak by examining SMS message attachments in an iTunes backup, although some threat actors may delete these attachments post-exploitation. Citizen Lab also disclosed a detection method, called CASCADEFAIL, that identifies successful exploitation through an anomaly in SQLite database tables visible in an iTunes backup.
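As an added illustration of the backup-based review described above (this is not Citizen Lab's tooling, and a PDF attachment is not by itself an indicator of FORCEDENTRY), the following Python script lists message attachments in an unencrypted iTunes backup whose content starts with the PDF magic bytes, whatever their file name, so they can be set aside for manual review. It assumes the backup layout (a Manifest.db with a Files table, attachments stored under MediaDomain with a Library/SMS/Attachments/ path) and builds a constructed sample backup to run against.

```python
import os
import sqlite3
import tempfile

PDF_MAGIC = b"%PDF-"
SMS_ATTACHMENTS = "Library/SMS/Attachments/"  # assumed relativePath prefix of message attachments (MediaDomain)

def backup_file_path(backup_dir, file_id):
    return os.path.join(backup_dir, file_id[:2], file_id)  # assumed layout: <backup>/<2 hex chars>/<fileID>

def find_pdf_attachments(backup_dir):
    """Sorted (relativePath, name_ends_in_pdf) pairs for attachments whose bytes start with %PDF-."""
    with sqlite3.connect(os.path.join(backup_dir, "Manifest.db")) as conn:
        rows = conn.execute(
            "SELECT fileID, relativePath FROM Files WHERE domain = 'MediaDomain' "
            "AND relativePath LIKE ?", (SMS_ATTACHMENTS + "%",)).fetchall()
    conn.close()
    hits = []
    for file_id, rel in rows:
        path = backup_file_path(backup_dir, file_id)
        if not os.path.isfile(path):
            continue  # directory rows, or attachments already removed from the backup
        with open(path, "rb") as fh:
            head = fh.read(len(PDF_MAGIC))  # trust the content, never the file name
        if head == PDF_MAGIC:
            hits.append((rel, rel.lower().endswith(".pdf")))
    return sorted(hits)

def build_sample_backup(root):
    """Write a constructed sample backup (synthetic data, not a real device image):
    a plain PDF, a PDF under an image-style name, and a genuine GIF."""
    samples = {
        "aa11": (SMS_ATTACHMENTS + "ab/11/invoice.pdf", b"%PDF-1.7 constructed"),
        "bb22": (SMS_ATTACHMENTS + "cd/22/holiday.gif", b"%PDF-1.7 constructed"),
        "cc33": (SMS_ATTACHMENTS + "ef/33/cat.gif", b"GIF89a constructed"),
    }
    with sqlite3.connect(os.path.join(root, "Manifest.db")) as conn:
        conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                     "relativePath TEXT, flags INTEGER, file BLOB)")
        for fid, (rel, data) in samples.items():
            conn.execute("INSERT INTO Files VALUES (?, 'MediaDomain', ?, 1, NULL)", (fid, rel))
            os.makedirs(os.path.dirname(backup_file_path(root, fid)), exist_ok=True)
            with open(backup_file_path(root, fid), "wb") as fh:
                fh.write(data)
    conn.close()

def demo():
    # Build the sample backup in a temporary directory and triage it.
    root = tempfile.mkdtemp()
    build_sample_backup(root)
    return find_pdf_attachments(root)
```

Files flagged with a non-PDF name are the ones most worth a closer look, since the extension alone says nothing about what CoreGraphics will be asked to render.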
MDM and mobile security software are not sufficient to prevent the exploitation of this vulnerability. PEGASUS malware gives the threat actor practically complete control of an infected device.
Threat actors often accelerate exploitation when they know they are losing access to a vulnerability (e.g., when it is patched). This should motivate organizations to patch now if they were otherwise considering delaying.
Vulnerability Disclosure & Patch
The vulnerability was reported to Apple on September 7, 2021, and the patch was released on September 13, 2021. Citizen Lab is not releasing specific details about how the exploit is triggered in the CoreGraphics library.
Exploitation has been occurring since at least February 2021. Given this fact and the speed of the release, it is entirely possible that Apple patched the specific exploit chain used by NSO while failing to mitigate the underlying vulnerability. If this is the case, we can expect NSO to investigate an alternative exploit chain and repackage it, knowing they are on borrowed time.
What’s Next? – Recommendations for Users
Here are a few recommendations worth considering:
- Update any impacted systems immediately. Currently, only iOS has been observed being targeted in the wild, but watchOS and macOS are also vulnerable. Threat actors may reverse engineer the patch to target devices that do not receive updates quickly. The initial exploit is extremely difficult to discover and weaponize, but deriving a working exploit from the patch is trivial for advanced threat actors.
- On macOS, consider deploying a firewall for outbound communication. Any successful exploitation would give threat actors sufficient permissions to disable the firewall, but that capability would typically be observed in a follow-on payload. A third-party firewall that blocks outbound communication is marginally more secure than the built-in option (though this is only security through obscurity).
If there is concern that a device was exploited, the best option is to restore the device to factory settings.