Citizen Lab Identifies NSO Spyware On Apple Devices

Spyware linked to NSO Group has exploited a newly discovered flaw in Apple devices, Citizen Lab has warned

Spyware from Israeli cyber intelligence specialist NSO Group is once again in the headlines after a warning from researchers at digital watchdog group Citizen Lab.

Citizen Lab in its advisory said that “last week, while checking the device of an individual employed by a Washington DC-based civil society organisation with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.”

It did not name the victim, but the good news is that Apple has responded very quickly and has just issued an update for Apple products including iPhones, iPads, Mac computers, and Apple Watches. Citizen Lab said it encourages all Apple users to immediately update their devices.

BLASTPASS Exploit

Canadian internet watchdog Citizen Lab said it is labelling the actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware the BLASTPASS Exploit Chain.

The exploit involved PassKit attachments containing malicious images, sent from an attacker-controlled iMessage account to the victim.

What made this exploit chain so concerning was that it was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.

Citizen Lab said it immediately disclosed its findings to Apple and assisted in their investigation.

The iPhone maker then issued two CVEs related to this exploit chain (CVE-2023-41064 and CVE-2023-41061).

Citizen Lab at the University of Toronto said it expects to publish a more detailed discussion of the exploit chain in the future, but in the meantime it urged everyone “to immediately update their devices.”

“We encourage everyone who may face increased risk because of who they are or what they do to enable Lockdown Mode,” said Citizen Lab. “We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack.”

“We commend Apple for their rapid investigative response and patch cycle, and we acknowledge the victim and their organisation for their collaboration and assistance,” it concluded.

Meanwhile an NSO spokesperson told Reuters it did not have any immediate comment on the Citizen Lab research.

Infamous firm

NSO Group and its Pegasus spyware became notorious within cybersecurity circles in recent years, despite the firm insisting it only sold its technology to authorised governments and law enforcement to help them combat terror and crime.

Matters began going downhill for NSO when Facebook’s WhatsApp sued NSO in October 2019, alleging that NSO was behind the May 2019 cyberattack that infected WhatsApp users’ devices with advanced surveillance software.

Matters became even more serious in December 2020, after a report by Citizen Lab alleged that dozens of Al Jazeera journalists had been hacked with the help of Pegasus, by exploiting a vulnerability in the iPhone operating system.

Worse was to come in July 2021, when the Pegasus Project (a collaboration of more than 80 journalists and media organisations) alleged that NSO’s Pegasus had been used “to facilitate human rights violations around the world on a massive scale.”

It allegedly uncovered evidence that the phone numbers for 14 heads of state, including French President Emmanuel Macron, Pakistan’s Imran Khan and South Africa’s Cyril Ramaphosa, as well as 600 government officials and politicians from 34 countries, had appeared in a leaked database at the heart of the investigative project.

In September 2021 the investigative website Mediapart alleged that traces of Pegasus spyware had even been found on the mobile phones of at least five current French cabinet ministers – deepening the diplomatic fallout.

In April 2022, it was alleged that the UAE may have used NSO Pegasus spyware on Downing Street and Foreign Office computer systems.

US blacklisting

During this time in November 2021 NSO was blacklisted by the US Department of Commerce.

Being placed on the US Entity List means that exports to NSO Group from US companies have been restricted.

Apple also sued NSO in November 2021, alleging NSO engaged in surveillance and targeting of iPhone users in the US.

In December 2021 NSO reportedly said it was exploring its strategic options, that included shutting the Pegasus unit or selling the entire company.

Then in June 2022 it was reported that US defence contractor L3Harris was in talks to take over NSO Group’s Pegasus surveillance technology. But that deal would have faced significant challenges, not least of which would be approval from the US and Israeli governments.

In August 2022 NSO’s CEO stepped down in a reorganisation that saw the Israeli firm refocus on selling only to countries within the NATO alliance.