
Pegasus Making You Mega-Sus?

By Tanvee Dhir | Monday, August 16, 2021 - Leave a Comment

If Zero days need Zero clicks, are there any secure devices in the mix?

Tanvee Dhir explores the Pegasus spyware.
Another technical post, meant to inspire thought about IT Governance . . . .



Over the past couple of weeks, we have seen multiple stories regarding a powerful piece of spyware called Pegasus, sold by the NSO Group, an Israeli cyber intelligence company, to multiple governments around the world. A leaked database of thousands of telephone numbers believed to be the selected targets of multiple NSO clients was released, supplemented by additional databases, internal documents, interviews, court documents, and other sources, which together form the basis of the Pegasus Project.

Although the reports have only just caught the public eye, the journalism nonprofit Forbidden Stories and Citizen Lab have been closely investigating the NSO Group and its operations since 2016. Forbidden Stories led a collaborative investigation called ‘The Pegasus Project’ with 17 media organizations in 10 countries, which recently revealed a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s spyware in nearly 50 countries. The NSO Group claims that it caters strictly to governments and builds Pegasus solely for use in counterterrorism and law enforcement. However, several reports and accusations of it being used as a cyber-surveillance tool that has led to possible violations of human rights have surfaced around the globe.

What does Pegasus do?

Pegasus is spyware-as-a-service developed by a private contractor for the use of government agencies. It has a novel mechanism to install and hide itself and to obtain persistence on the system. The software infects a target’s phone and replicates its functions while sending data, including messages, photos, and audio recordings, back to the attacker. It ultimately gives the attacker greater access to the user’s device than the user has. The developers of Pegasus market its persistence and stealth, which means the software cannot be traced back to the government using it.

Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. What makes it even scarier is its capability for ‘zero-click’ infection, which allows the device to be infected without any human interaction, i.e., the user does not need to click any malicious link for the malware to be downloaded onto their phone. It exploits OS- and application-layer security in voice/audio calls and in apps including Gmail, Apple Mail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, iMessage and others to craftily download the payload without alerting the user and to gain root access.

Technical Analysis

Tanvee Dhir, Data Security Analyst, infotex

The attack is simple in its delivery and slyly drops the payload. The target device is simply sent a website URL (through a range of identified apps) which, once clicked (or with no click at all in the zero-click case), delivers a chain of zero-day exploits that defeat the phone’s security features and install Pegasus without the user’s knowledge or permission. The Pegasus software contains the apps, processes and malicious code that contact the operator’s command and control (C&C) servers to receive and execute the operator’s commands and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.

All modern devices running either iOS or Android, even in their latest versions, are susceptible to Pegasus infection. Much of the reporting and forensic analysis has focused on iPhone devices because they have proven easier to analyze. Android, being open source, gives the software a better chance of covering its tracks, and Android devices often do not keep the logs needed for analysis.

The malicious links and C&C servers related to Pegasus were found to use HTTPS, which requires operators to register and maintain domain names. The domain names used for the exploit links were found to impersonate mobile providers, banks and government services, so they can initially be overlooked as benign.

In response, NSO and its legal team claimed that the released list of numbers looked more like a public list of HLR (Home Location Register) data. The HLR is essentially a database kept by mobile phone companies that allows real-time queries of a subscriber’s information. Security researchers argue that HLR lookups have long been used in the surveillance of mobile phones, because they indicate whether the phone is on, and thus reachable for hacking, and are also believed to be integrated into the functionality of the Pegasus software.

A detailed technical analysis released by Lookout gives an in-depth examination of how the spyware operates at every stage. Another report, released by Amnesty International, outlines the various forensic traces found on devices after infection. Citizen Lab, also a key contributor to the discoveries related to Pegasus, developed Internet scanning techniques to identify 45 countries where Pegasus operators might be active and abusing the spyware to target civil society. Based on the geographical placement of the numbers, the investigators were able to identify potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

Investigation at a glance

The Pegasus Project identified over 1,000 phone numbers and linked them to their owners, which included a range of politicians and government workers (including 3 presidents, 10 prime ministers and a king), 189 journalists, and 85 human rights activists. Amnesty International’s security lab, as the technical support to the Pegasus Project, examined data from 67 phones from the list. 37 of these devices showed forensic traces of Pegasus network activity, out of which 23 were successfully infected and 14 had traces of attempted targeting. The remaining devices had inconclusive results due to various factors, including insufficient data or replaced devices.

NSO Group’s clients mostly selected people from their own countries for targeting, but they did occasionally target foreign numbers, including those belonging to politicians and journalists. As mentioned in a blog by OCCRP:

“In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition. Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.”

There is no hard evidence of where and how the list originated or how it was used. There are hundreds of phone numbers included which may have no traces of infection at all or where an attempted infection was successful. In other words, just because a number was included in the list doesn’t necessarily mean it’s compromised.

Over the coming weeks, the coalition of media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will be running a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware. The Frontline also has a live blog covering the global stories from all the media partners in the Pegasus Project.

What can you do?

Amnesty International released a tool called the Mobile Verification Toolkit (MVT), along with identified Indicators of Compromise, to analyze a device for possible Pegasus infection. Because the attack can achieve zero-click access, there are only a few things a user can do. Keeping the OS and applications up to date is the primary requirement, as the spyware looks to exploit any available vulnerability on the device. The primary method of infection still remains malicious links and phishing attempts, hence we should always exercise caution when clicking on unknown links and downloading unknown applications.
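To make the MVT-style check concrete, here is an added example (not MVT’s own code, and not from this article) of the core idea: load domain indicators from a STIX 2.1-style bundle and match them against browser-history records extracted from a device, the way a forensic toolkit flags visits to exploit-link or C&C domains that impersonate carriers and banks. The bundle, the domains and the history records are all constructed placeholders for illustration, not real Pegasus indicators.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2.1-style bundle standing in for an IoC feed; the domains are
# placeholders, not real Pegasus indicators.
IOC_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'mobile-carrier-update.example']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'secure-bank-login.example']"},
    {"type": "indicator", "pattern": "[file:name = 'suspicious']"},  # non-domain pattern, skipped
]})

# Constructed browser-history style records, as a forensic tool would extract them.
HISTORY = [
    {"ts": "2021-07-01T09:12:03Z", "url": "https://news.example/article/1"},
    {"ts": "2021-07-01T09:13:40Z", "url": "https://cdn.mobile-carrier-update.example/t/abc"},
    {"ts": "2021-07-02T11:00:00Z", "url": "http://secure-bank-login.example.org/"},  # look-alike
    {"ts": "2021-07-03T08:30:15Z", "url": "https://SECURE-BANK-LOGIN.example/verify"},
]

DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

def load_domain_iocs(bundle_json):
    # Keep only domain-name indicators; normalise to lowercase without a trailing dot.
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        m = DOMAIN_PATTERN.fullmatch(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains

def host_matches(host, iocs):
    # A host matches if it equals an IoC or is a subdomain of one (cdn.x.example -> x.example).
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None  # "secure-bank-login.example.org" does not match "secure-bank-login.example"

def scan_history(records, iocs):
    # Return (timestamp, url, matched_ioc) for each record whose host hits an indicator.
    hits = []
    for rec in records:
        matched = host_matches(urlparse(rec["url"]).hostname or "", iocs)
        if matched:
            hits.append((rec["ts"], rec["url"], matched))
    return hits
```

Calling `scan_history(HISTORY, load_domain_iocs(IOC_BUNDLE))` returns two hits: the subdomain of the carrier look-alike and the bank look-alike (matched case-insensitively), while the `.example.org` near-miss is correctly left alone.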

Original article by Tanvee Dhir CEH. Data Security Analyst, infotex
