Pegasus Making You Mega-Sus?

By Tanvee Dhir | Monday, August 16, 2021 - Leave a Comment

If Zero days need Zero clicks, are there any secure devices in the mix?

Tanvee Dhir explores the Pegasus spyware.
Another technical post, meant to inspire thought about IT Governance . . . .

Over the past couple of weeks, we have seen multiple stories regarding a powerful piece of spyware called Pegasus, sold by the NSO Group, an Israeli cyber intelligence company, to multiple governments around the world. A leaked database of thousands of telephone numbers, believed to be selected targets of multiple NSO clients, was released and supplemented by additional databases, internal documents, interviews, court documents, and other sources, which together form the basis of the Pegasus Project.

Although the reports have only recently caught the public eye, the journalism nonprofit Forbidden Stories and Citizen Lab have been closely investigating the NSO Group and its operations since 2016. Forbidden Stories led a collaborative investigation called ‘The Pegasus Project’ with 17 media organizations in 10 countries, which recently revealed a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s spyware in nearly 50 countries. The NSO Group claims that it strictly caters to governments and builds Pegasus solely for use in counterterrorism and law enforcement. However, several reports and accusations of it being used for cyber-surveillance, and as a tool that has led to possible violations of human rights, have popped up around the globe.

What does Pegasus do?

Pegasus is spyware-as-a-service developed by a private contractor for the use of government agencies. It has a novel mechanism to install and hide itself and obtain persistence on the system. The software infects a target’s phone and replicates its functions while sending data, including messages, photos, and audio recordings, back to the attacker. It ultimately gives the attacker greater access to a user’s device than the user has. The developers of Pegasus market its persistence and stealth, meaning the software cannot be traced back to the government using it.

Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. What makes it even more alarming is its capability for ‘zero-click’ infection, which allows the device to be infected without any human interaction, i.e., the user does not need to click any malicious link for the malware to be downloaded onto their phone. It exploits OS- and application-layer security in voice/audio calls and apps including Gmail, Apple Mail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, iMessage and others to craftily download the payload and gain root access without alerting the user.

Technical Analysis

Tanvee Dhir, Data Security Analyst, infotex

The attack is simple in its delivery and sly in how it lands the payload. The target device is simply sent a website URL (through a range of identified apps) which, once clicked (or with no click at all in the zero-click variants), delivers a chain of zero-day exploits that penetrate the phone’s security features and install Pegasus without the user’s knowledge or permission. The Pegasus software contains the apps, processes and malicious code that contact the operator’s command and control (C&C) servers to receive and execute the operator’s commands and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.

All modern devices running either iOS or Android, even in their latest versions, are susceptible to Pegasus infection. A lot of reporting and forensic analysis has focused on iPhone devices because they have proven easier to analyze. Android, being open source, gives the software a better chance of covering its tracks, and the platform often does not retain the logs needed for analysis.

The malicious links and C&C servers related to Pegasus were discovered to use HTTPS which requires operators to register and maintain domain names. The domain names for the exploit links were found to be impersonating mobile providers, banks and government services which can be initially overlooked as benign.

In response, NSO and their legal team claimed that the released list of numbers looked more like a public list of HLR (Home Location Register) data. HLR data is essentially a database kept by mobile phone companies that allows a real-time query of a subscriber’s information. Security researchers argue that HLR lookups have long been used in surveillance of mobile phones because they indicate whether the phone is on, and thus available for hacking, and they are also believed to be integrated into the functionality of the Pegasus software.

A detailed technical analysis released by Lookout gives an in-depth examination of how the spyware operates at every stage. Another report, released by Amnesty International, outlines various forensic traces found on devices post-infection. Citizen Lab, which is also a key member in the discoveries related to Pegasus, developed Internet scanning techniques to identify 45 countries where Pegasus operators might be active and abusing the spyware to target civil society. Based on the geographical placement of the numbers, the investigators were able to identify potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

Investigation at a glance

The Pegasus Project identified over 1,000 phone numbers and linked them to their owners, who included a range of politicians and government workers (including 3 presidents, 10 prime ministers and a king), 189 journalists, and 85 human rights activists. Amnesty International’s Security Lab, as the technical support to the Pegasus Project, examined data from 67 phones from the list. 37 of these devices showed forensic traces of Pegasus network activity, of which 23 were successfully infected and 14 had traces of attempted targeting. The remaining devices had inconclusive results due to various factors, including insufficient data or replaced devices.

NSO Group’s clients mostly selected people from their own countries for targeting, but they did occasionally target foreign numbers, including those belonging to politicians and journalists. As mentioned in a blog by OCCRP:

“In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition.  Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.”

There is no hard evidence of where and how the list originated or how it was used. Hundreds of the phone numbers included may show no traces of infection at all, or only traces of where an attempted infection was successful. In other words, just because a number was included in the list doesn’t necessarily mean it’s compromised.

Over the coming weeks, the coalition of media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will be running a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware. Frontline also has a live blog covering the global stories from all the media partners in the Pegasus Project.

What can you do?

Amnesty International released a tool called the Mobile Verification Toolkit (MVT), along with identified Indicators of Compromise, to analyze a device for possible Pegasus infection. Because the attack has advanced to zero-click access, there are only a few things a user can do. Keeping the OS and applications up to date is the primary requirement, as the spyware looks to exploit any available vulnerability on the device. The primary method of infection still remains malicious links and phishing attempts, hence we should always practice caution when clicking on unknown links and downloading unknown applications.
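Both the observation above that exploit domains impersonate mobile providers, banks and government services, and the indicator-based checking that MVT performs, come down to the same defensive step: take the URLs and hosts recovered from a device (messages, browser history, network logs) and compare them against a published indicator list, plus a heuristic for lookalike hostnames. The following Python is an added example written for this post; it is not code from MVT, Amnesty International or infotex. Every indicator, brand token and sample URL in it is a constructed placeholder (the `.example` domains and the RFC 5737 address `192.0.2.10`), not a real Pegasus IoC; a real run would load the indicator sets from a published feed.

```python
"""Match recovered URLs against a domain/IP indicator list and flag hostnames
that look like carrier, bank or government lookalikes.
Added example: all indicator values below are constructed placeholders."""
from typing import Optional
from urllib.parse import urlparse
import ipaddress

# Constructed placeholder indicators (assumption: a real list would be loaded
# from a published IoC feed such as the one distributed with MVT).
IOC_DOMAINS = {"sample-ioc-one.example", "carrier-update.example"}
IOC_IPS = {"192.0.2.10"}  # RFC 5737 documentation address used as a placeholder

# Constructed lookalike heuristic: brand-like tokens and the genuine domains
# they may legitimately appear in. Any other host carrying a token is suspicious.
BRAND_TOKENS = ("bank", "mobile", "gov")
LEGIT_DOMAINS = {"mybank.example", "carrier-mobile.example"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_parent(host: str, known: set) -> Optional[str]:
    """Walk from the full hostname up through its parent domains and return the
    first one present in `known`, so sub.ioc.example matches an indicator for
    ioc.example (indicator feeds usually list the registered domain)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def classify(url: str) -> dict:
    """Classify one URL as ioc_match, lookalike or clean with a short reason."""
    host = hostname_of(url)
    result = {"url": url, "host": host, "verdict": "clean", "reason": ""}
    if _is_ip(host):
        if host in IOC_IPS:
            result.update(verdict="ioc_match", reason=f"ip {host} in indicator list")
        return result
    hit = registered_parent(host, IOC_DOMAINS)
    if hit:
        result.update(verdict="ioc_match", reason=f"domain matches indicator {hit}")
        return result
    has_token = any(tok in host for tok in BRAND_TOKENS)
    if has_token and registered_parent(host, LEGIT_DOMAINS) is None:
        result.update(verdict="lookalike", reason="brand token outside known-good domains")
    return result


def triage(urls):
    """Run classify() over every URL recovered from a device export."""
    return [classify(u) for u in urls]


# Constructed sample of URLs as they might be extracted from a message dump.
SAMPLE_URLS = [
    "https://mybank.example/login",                 # genuine bank domain
    "https://secure.mybank-verify.example/reset",   # lookalike of the bank
    "http://sub.carrier-update.example/i?x=1",      # subdomain of an indicator
    "https://192.0.2.10/p",                         # IP indicator
    "https://news.example/article",                 # unrelated, clean
]

if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print(f"{r['verdict']:10} {r['host']:35} {r['reason']}")
```

The parent-domain walk is what makes indicator matching useful in practice: operators hand out unique subdomains per target, so matching only the exact host would miss most hits. The brand-token heuristic is deliberately crude and produces false positives (any host containing "gov", for example), so treat a `lookalike` verdict as a prompt for a closer look rather than proof of targeting, and keep `ioc_match` results tied to the version of the indicator feed they came from.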

Original article by Tanvee Dhir, CEH, Data Security Analyst, infotex
