If Zero days need Zero clicks, are there any secure devices in the mix?
Tanvee Dhir explores the Pegasus spyware.
Another technical post, meant to inspire thought about IT Governance . . . .
Over the past couple of weeks, we have seen multiple stories regarding a powerful piece of spyware called Pegasus sold by the NSO group, an Israeli cyber intelligence company to multiple governments around the world. A leaked database of thousands of telephone numbers believed to be selected targets of the multiple NSO clients was released, supplemented by additional databases, internal documents, interviews, court documents, and other sources, which form the basis of the Pegasus Project.
Although the reports have just started catching the public eye, a journalism nonprofit Forbidden Stories and Citizen Labs have been closely investigating the NSO group and their operations since 2016. Forbidden stories led a collaborated investigation called the ‘The Pegasus Project’ with 17 media organizations in 10 countries which recently revealed a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s spyware in nearly 50 countries. The NSO group claims that it strictly caters to governments and builds Pegasus solely for use in counterterrorism and law enforcement. However, several reports and accusations of a it being used for cyber-surveillance and a tool that has led to possible violation of human rights have popped up around the globe.
What does Pegasus do?
Pegasus is a spyware-as-a-service developed by a private contractor for the use of government agencies. It has a novel mechanism to install and hide itself and obtain persistence on the system. The software infects a target’s phone and replicates its functions while sending back data including messages, photos, and audio recordings to the attacker. It ultimately gives the attacker a higher access to a user’s device than the user itself. The developers of Pegasus market its persistence and stealth operations, which means the software cannot be traced back to the government using it.
Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. What makes it even more scary is its capability of ‘zero-click’ infection which allows the device to be infected even without human interaction i.e., the user does not need to click any malicious links for the malware to be downloaded on their phone. It exploits the OS and application layer security in voice/audio calls and apps including Gmail, Apple Mail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, iMessage and others to craftily download the payload without alerting the user and gaining root access.
The attack is simple in its delivery and slyly delivers the payload. The target device is simply delivered a website URL (through a range of identified apps) which, once clicked (or zero-click at times), delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. The Pegasus software contains the apps, processes and malicious code that are contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.
All modern devices running either iOS or Android even in their latest versions are susceptible to Pegasus infection. A lot of reporting and forensic analysis has been focused on iPhone devices because they have proven easier to analyze. Android being an open source gives the software a better chance at covering their tracks or does not have the logs needed to analyze.
The malicious links and C&C servers related to Pegasus were discovered to use HTTPS which requires operators to register and maintain domain names. The domain names for the exploit links were found to be impersonating mobile providers, banks and government services which can be initially overlooked as benign.
In response, NSO and their legal team claimed that the released list of numbers looked more like a public list of HLR (Home Location Register) data. HLR data is essentially a database kept by mobile phone companies that allow a real time query of a subscriber’s information. Security researchers argue that HLR lookups have long been used in surveillance of mobile phones because they indicate whether the phone is on, and thus available for hacking, and are also believed to be integrated into the functionality of the Pegasus software.
A detailed technical analysis released by Lookout gives an in-depth examination on how the spyware operates in all stages. Another report, released by Amnesty International, outlines various forensic traces found in the devices post-infection. Citizen’s Lab, which is also a key member in the discoveries related to Pegasus, developed Internet scanning techniques to identify 45 countries where Pegasus operators might be functional and abusing the spyware to target civil society. Based on the geographical placement of the numbers, the investigators were able to identify potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).
Investigation at a glance
The Pegasus Project identified over 1,000 phone numbers and linked them to their owners, which included a range of politicians and government workers (including 3 presidents, 10 prime ministers and a king), 189 journalists, and 85 human rights activists. Amnesty International’s security lab, as the technical support to the Pegasus Project, examined data from 67 phones from the list. 37 of these devices showed forensic traces of Pegasus network activity, out of which 23 were successfully infected and 14 had traces of attempted targeting. The remaining devices had inconclusive results due various factors including insufficient data or replaced devices.
NSO Group’s clients mostly selected people from their own countries for targeting, but they did occasionally target foreign numbers, including those belonging to politicians and journalists. As mentioned in a blog by OCCRP:
“In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition. Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.”
There is no hard evidence of where and how the list originated or how it was used. There are hundreds of phone numbers included which may have no traces of infection at all or where an attempted infection was successful. In other words, just because a number was included in the list doesn’t necessarily mean it’s compromised.
Over the coming weeks, the coalition of media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will be running a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware. The Frontline also has a live blog covering the global stories from all the media partners in the Pegasus Project.
What can you do?
Amnesty International released a tool called the Mobile Verification Toolkit (MVT) along with identified Indicators of Compromise to analyze the device for possible Pegasus infection. Due to the advancement of the hack to achieve zero-click access, there are only a few things a user can do. Keeping the OS and applications up to date is the primary requirement as the spyware looks to exploit any available vulnerability on the device. The primary method of infection still remains malicious links and phishing attempts hence we should always practice caution while clicking on unknown links and downloading unknown applications.
Original article by Tanvee Dhir CEH. Data Security Analyst, infotex