Citizen Lab and Lookout have uncovered an active threat (called "Trident") of state-sponsored actors using a combination of three zero-days in iOS to essentially perform a stealth jailbreak of a target device and exfiltrate all communication (calls, texts, email, and other app-specific data). The entry point is spear-phishing (email, text), in which the victim clicks on a link that exploits the first vulnerability in WebKit:
CVE-2016-4655: Memory Corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
CVE-2016-4656: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel's location in memory.
CVE-2016-4657: Kernel Memory corruption leads to Jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Apple has already provided fixes for these, so install iOS 9.3.5 ASAP.
More from: blog.lookout.com
August 25, 2016
Sophisticated, persistent mobile attack against high-value targets on iOS
By Lookout and Citizen Lab

Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat. Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple's strong security environment. We call these vulnerabilities Trident.

Our two organizations have worked directly with Apple's security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch. All individuals should update to the latest version of iOS immediately. If you're unsure what version you're running, you can check Settings > General > About > Version. Lookout will send an alert to a customer's phone any time a new update is available. Lookout's products also detect and alert customers to this threat.

Trident is used in a spyware product called Pegasus, which, according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in cyber war. Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.

We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers.
In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.

The overview

Ahmed Mansoor is an internationally recognized human rights defender and a Martin Ennals Award Laureate (sometimes referred to as a Nobel prize for human rights), based in the United Arab Emirates (UAE). On August 10th and 11th, he received text messages promising secrets about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO Group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoor's iPhone and installed sophisticated malware.

This marks the third time Mansoor has been targeted with lawful intercept malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.

Citizen Lab also found evidence that state-sponsored actors used NSO's exploit infrastructure against a Mexican journalist who reported on corruption by Mexico's head of state, and an unknown target or targets in Kenya. The NSO Group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. government's visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.
The Pegasus spyware

Pegasus is the most sophisticated attack we've seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile: always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection. Lookout's analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:

CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing him to calculate the kernel's location in memory.
CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
CVE-2016-4657: Memory Corruption in WebKit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.

The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they've been compromised. In this case, the software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.
We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and BlackBerry.

To learn more

Our reports provide in-depth information about the threat actor as well as their software and the vulnerabilities exploited. Citizen Lab has tracked the actor's political exploits around the world, while Lookout has focused on the technical details of the malware from the beginning of the exploit chain to its use. Our reports include detailed analysis of the Trident iOS vulnerabilities that are patched in the 9.3.5 release from Apple, as well as the various components of the espionage software.

Lookout customers: Read this document on how to tell if you're impacted by this attack.

Think you've encountered a suspicious link such as the ones described above? Email firstname.lastname@example.org.

Research teams:
Citizen Lab: Bill Marczak and John Scott-Railton, Senior Fellows
Lookout: Max Bazaily, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, Staff Security Researchers; Mike Murray, VP of Security Research