Trident - Sophisticated, persistent mobile attack against high-value targets on iOS
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
More from: blog.lookout.com
show/hide source |
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
Citizen Lab and Lookout have uncovered an active threat (called "Trident") of state-sponsored actors using a combination of three zero-days in iOS to essentially perform a stealth jailbreak in a target device and exfiltrate all communication (calls, texts, email, and other app specific data). The entry point is via spear-phishing (email, text), in which the victim clicks on a link that exploits the first vulnerability in WebKit:
CVE-2016-4655: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.Apple has already provided fixes for these, so install iOS 9.3.5 ASAP. Tags: ios vulnerability trident pegasus
CVE-2016-4656: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
CVE-2016-4657: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
More from: blog.lookout.com
show/hide source |
August 25, 2016
Sophisticated, persistent mobile attack against high-value targets on iOS
By Lookout and Citizen Lab
0 Comments
Persistent, enterprise-class spyware is an underestimated problem on mobile devices. However, targeted attack scenarios against high-value mobile users are a real threat.
Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apples strong security environment. We call these vulnerabilities Trident. Our two organizations have worked directly with Apples security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.
All individuals should update to the latest version of iOS immediately. If youre unsure what version youre running, you can check Settings > General > About > Version. Lookout will send an alert to a customers phone any time a new update is available. Lookouts products also detect and alert customers to this threat.
Trident is used in a spyware product called Pegasus, which according to an investigation by Citizen Lab, is developed by an organization called NSO Group. NSO Group is an Israeli-based organization that was acquired by U.S. company Francisco Partners Management in 2010, and according to news reports specializes in cyber war. Pegasus is highly advanced in its use of zero-days, obfuscation, encryption, and kernel-level exploitation.
We have created two reports that discuss the use of this targeted attack against political dissidents and provide a detailed analysis of the malicious code itself. In its report, Citizen Lab details how attackers targeted a human rights defender with mobile spyware, providing evidence that governments digitally harass perceived enemies, including activists, journalists, and human rights workers. In its report, Lookout provides an in-depth technical look at the targeted espionage attack that is actively being used against iOS users throughout the world.
The overview
Ahmed Mansoor is an internationally recognized human rights defender and a Martin Ennals Award Laureate (sometimes referred to as a Nobel prize for human rights), based in the United Arab Emirates (UAE). On August 10th and 11th, he received text messages promising secrets about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. Recognizing the links as belonging to an exploit infrastructure connected to NSO group, Citizen Lab collaborated with Lookout to determine that the links led to a chain of zero-day exploits that would have jailbroken Mansoors iPhone and installed sophisticated malware.
This marks the third time Mansoor has been targeted with lawful intercept malware. Previous Citizen Lab research found that in 2011 he was targeted with FinFisher spyware, and in 2012 with Hacking Team spyware. The use of such expensive tools against Mansoor shows the lengths that governments are willing to go to target activists.
Citizen Lab also found evidence that state-sponsored actors used NSOs exploit infrastructure against a Mexican journalist who reported on corruption by Mexicos head of state, and an unknown target or targets in Kenya.
The NSO group used fake domains, impersonating sites such as the International Committee for the Red Cross, the U.K. governments visa application processing website, and a wide range of news organizations and major technology companies. This nods toward the targeted nature of this software.
The Pegasus spyware
Pegasus is the most sophisticated attack weve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists. It is modular to allow for customization and uses strong encryption to evade detection. Lookouts analysis determined that the malware exploits three zero-day vulnerabilities, or Trident, in Apple iOS:
CVE-2016-4655: Information leak in Kernel A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernels location in memory.
CVE-2016-4656: Kernel Memory corruption leads to Jailbreak 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
CVE-2016-4657: Memory Corruption in Webkit A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know theyve been compromised.
In this case, the software is highly configurable: depending on the country of use and feature sets purchased by the user, the spyware capabilities include accessing messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, Mail.Ru, WeChat, SS, Tango, and others. The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete.
We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code (e.g., a kernel mapping table that has values all the way back to iOS 7). It is also being used to attack high-value targets for multiple purposes, including high-level corporate espionage on iOS, Android, and Blackberry.
To learn more
Our reports provide in-depth information about the threat actor as well as their software and the vulnerabilities exploited Citizen Lab has tracked the actors political exploits around the world, while Lookout has focused on the technical details of the malware from the beginning of the exploit chain to its use. Our reports include detailed analysis of the Trident iOS vulnerabilities that are patched in the 9.3.5 release from Apple, as well as the various components of the espionage software.
Lookout customers: Read this document on how to tell if youre impacted by this attack.
Think youve encountered a suspicious link such as the ones described above? Email support@lookout.com.
Research teams:
Citizen Lab: Bill Marczak and John Scott-Railton, Senior Fellows
Lookout: Max Bazaily, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, Staff Security Researchers, Mike Murray, VP of Security Research
Other Recent Entries
August 25, 2016
3 things CISOs need to know about the Trident iOS vulnerabilities
August 17, 2016
Gartner Market Guide for Mobile Threat Defense Solutions what you need to know
August 15, 2016
Linux flaw that allows anyone to hijack Internet traffic also affects 80% of Android devices
Leave a comment
Click here to cancel reply.
Categories
#Data
Alerts
Lookout News
Mobile Tips + Tricks
Security
Archives
2016
August
July
June
May
April
March
February
January
2015
December
November
October
September
August
July
June
May
March
February
January
2014
December
November
October
September
August
July
June
May
April
March
February
January
2013
December
November
October
September
August
July
June
May
April
March
February
January
2012
December
November
October
September
August
July
June
May
April
March
February
January
2011
December
November
October
September
August
July
June
May
April
March
February
January
2010
December
November
October
September
August
July
June
May
April
March
January
2009
November
July
June
May
April
February
January
2008
December
November
Twitter
Tweets by @Lookout
Follow @Lookout on Twitter
Follow our founder, John Hering @johnhering
LOOKOUT SECURITY FOR THE POST-PC ERA
Download Free
Subscribe
Stay up to date with the latest in mobile security. Subscribe to our RSS feed.
Lookout is a cybersecurity company focused on mobile. Protecting individuals and enterprises alike, Lookout fights cybercriminals by predicting and stopping mobile attacks before they do harm.
Contact Us
Company
About Us
Leadership
Careers
Press
Privacy & Security
What We Make
Lookout for Android
Lookout for iPhone
Enterprise Mobile Security
Government Solutions
Predictive Security Technology
Lookout Labs
Download Mobile Security
Lookout Plans & Pricing
Connect
Customer Help
Contact Us
Lookout Blog
Mobile Security Reports
Mobile 101
Top Threats
2016 Lookout, Inc. Lookout and the Shield Logo are registered trademarks of Lookout, Inc.
Legal
Privacy
Terms