
Pegasus Spyware Infection

Updated on 2022-12-01: Spain refuses to answer spyware questions

Esperanza Casteleiro, the director of Spain’s main intelligence agency, declined to answer questions put to her by members of the European Parliament about Spain’s repeated use of spyware and surveillance products against domestic political figures and Catalan pro-independence leaders. At a meeting of the EU’s PEGA committee this week, Casteleiro limited herself to explaining how the Spanish intelligence services operate and their legal framework, and nothing more. In a report released in November, the PEGA committee said that many EU member states use the blanket excuse of “national security” to cover up the abusive use of spyware for petty political reasons. Read more: All questions and no answers, as Spanish spy chief stays mute on Pegasus hacking scandal

Updated on 2022-11-15: FBI came close to deploying Pegasus

The FBI came close to using commercial spyware from NSO Group as part of its domestic criminal investigations, the New York Times reported. The push allegedly took place in late 2020 and the first half of 2021. Read more: Internal Documents Show How Close the F.B.I. Came to Deploying Spyware

“The FBI eventually decided not to deploy Pegasus in criminal investigations in July 2021, amid a flurry of stories about how the hacking tool had been abused by governments across the globe.”

Updated on 2022-11-02

Part three of a technical analysis of the Pegasus spyware is now live. Parts one and two are here.

Updated on 2022-10-24: India’s spy agency bought NSO Group hardware

The OCCRP reported last week that India’s Intelligence Bureau, the country’s main domestic intelligence agency, bought hardware from the Israeli spyware firm NSO Group that matches the description of equipment used to deploy the Pegasus spyware. Read more: Indian Spy Agency Bought Hardware Matching Equipment Used for Pegasus

Updated on 2022-10-03

An investigation found that Mexican journalists and a human rights defender were infected by zero-click Pegasus spyware. One of the journalists’ devices was compromised by the FORCEDENTRY zero-click exploit. Read more: Mexican journalists targeted by zero-click spyware infections

Pegasus in Indonesia

More than a dozen senior Indonesian government and military officials had iPhone devices targeted with spyware made by NSO Group. Reuters reported on Friday that Chief Economic Minister Airlangga Hartarto, senior military personnel, two regional diplomats, and advisers in Indonesia’s defense and foreign affairs ministries were notified by Apple in November 2021 about the attacks, which allegedly involved the ForcedEntry exploit.

Read more:

Pegasus in Mexico (again)

In the meantime, R3D and Citizen Lab have published reports on new cases where the Pegasus spyware was used against Mexican journalists and human rights defenders. The spying incidents allegedly took place between 2019 and 2021, are believed to have been carried out under the guidance of government officials, and took place after Mexico’s president assured the public the government would stop using the spyware after similar incidents were disclosed in 2017.

Read more:

Updated on September 2022

Polish investigation into use of Pegasus spyware

A Polish court this week ordered a criminal investigation into the use of the Pegasus spyware against prosecutor Ewa Wrzosek. Wrzosek’s phone was infected with the spyware last year after she legally challenged an attempt by Poland’s ruling right-wing populist government to purge the judiciary. Investigators and the EU believe the compromise of her device was ordered by the Polish government itself, which has stayed quiet about the incident and refused to cooperate with the EU’s PEGA anti-spyware commission.

Read more in

Pegasus spyware

Part two of a technical analysis of the Pegasus spyware is now live. Part one is here.

Read more in

Updated on August 2022

Israel clears police of NSO wrongdoings

An Israeli government commission said last week that Israeli police forces did not break any laws when they deployed the NSO Group’s Pegasus spyware in some cases. The Israeli government was forced to investigate the police force’s use of the Pegasus spyware after local media claimed they deployed NSO’s tools against political activists and not just criminal suspects.

Updated on July 2022

Citizen Lab: Pegasus Used Against Thai Pro-Democracy Activists

A report published by researchers from the University of Toronto’s Citizen Lab and Digital Watch says that at least 30 Thai pro-democracy activists were targeted with NSO’s Pegasus Spyware. The infections occurred between October 2020 and November 2021. The attacks were revealed when Apple began sending notifications to iPhone users being targeted by the spyware.

Note

Make sure that your users are running the latest iOS versions, which close the attack vector used by Pegasus. If you have users who may be targeted, consider Apple’s Lockdown Mode, which will be released with iOS 16 this fall.

Read more in

L3Harris ends talks to buy NSO Group’s surveillance technology

Looks like U.S. defense firm L3Harris is dropping its bid to buy the surveillance technology of NSO Group — the maker of the mobile spyware Pegasus. It comes not long after the White House warned that any deal raised “serious counterintelligence” concerns because of the company’s close ties with the Israeli government, months after NSO was put on a U.S. sanctions list, and was almost certainly the deal’s death knell. The Guardian’s @skirchy reports some government-insider bickering over the deal, but without the blessing of the U.S. government, L3Harris had no choice but to walk away from the table, leaving NSO’s future in doubt.

Read more in

https://twitter.com/skirchy/status/1546411858147643395

L3Harris Will Not Pursue Purchase of NSO Group

L3Harris, a US defense contractor, has reportedly dropped its efforts to buy NSO Group, which makes Pegasus spyware and hacking tools. L3Harris began negotiations with NSO in June. The US Department of Commerce placed NSO on its entity blacklist in November 2021; the Biden administration recently raised security concerns about the potential purchase, which reportedly prompted L3Harris to call off its negotiations.

Note

  • SANS instructor Heather Mahalik, at the RSA Conference SANS New Threats and Attacks keynote panel, discussed why you need to look at the risks of “stalkerware” with Pegasus as the prime example. There is a need for intelligence community tools to track bad actors; really powerful stalkerware will always be used there, and almost as powerful stalkerware will be used commercially, too – but done under the name of “marketing AI.” For really high value users, like the CEO, CFO, board, etc., extraordinary protection will be required – see previous NewsBites comments on Apple’s Lockdown feature coming for iPhones.
  • Counterintelligence concerns and suggestions should be factored in as risks in your decision-making process. This doesn’t mean you have to accept their recommendation; it means don’t discount it without careful consideration. Additionally, there are financial consequences for disregarding DOC sanctions, such as blacklisting an entity. The point is to make an informed decision rather than being blindsided by unintended consequences.

Read more in

Updated on June 2022

Pegasus used by at least five EU countries, NSO Group tells lawmakers

A memorable hearing in the European Parliament this week after NSO admitted that five EU countries use its notorious Pegasus spyware — including Poland, Spain, and Hungary — with one country having its agreement terminated following abuse, though NSO wouldn’t say which state. But that’s about as much as NSO did say during the hours-long hearing, and it was roundly criticized by lawmakers for rampant contradictions and for seemingly using made-up scores to rank governments’ human rights records. Dutch MEP and privacy buff @SophieintVeld said NSO’s responses were “an insult to our intelligence.”

Read more in

NSO Group: At Least Five European Countries Use Pegasus Surveillance Tool

NSO Group has admitted that its Pegasus surveillance tool has been used by at least five European countries. NSO Group also said it terminated a contract with one country that was abusing the Pegasus software.

Read more in

More NSO Group drama in Europe

A lawyer from Israeli spyware vendor NSO Group told EU officials this week that at least five EU member countries have bought its tools. The executive, NSO Group’s General Counsel Chaim Gelfand, was answering questions at a European Parliament committee looking into the use of spyware in Europe. Gelfand did not name the countries and promised to get back to EU officials with an official number of member states that have used its tools. Read more: Pegasus used by at least 5 EU countries, NSO Group tells lawmakers

Dutch Police Used Pegasus Spyware

According to a news report, Dutch law enforcement used Pegasus spyware to keep tabs on the country’s most-wanted criminal in 2019. Dutch daily newspaper Volkskrant said the spyware was used against other targets as well, but did not identify them.

Note

  • This highlights the struggle between using available tools to support a legitimate investigation and ethical or legal constraints. Making certain a clear authorization has been granted, particularly as these tools may violate relevant privacy laws, as well as careful consideration that collateral damage, or otherwise exceeding that permission, doesn’t happen, may not be sufficient to prevent blow-back when the investigation becomes known. Be sure to consider the worst-case scenario as well as every legal option; triple check that those giving permission truly can.

Read more in

Pegasus Airlines

Security researchers said this week that Pegasus Airlines, a Turkey-based low-cost airline, accidentally leaked more than 6.5 TB of internal files after it left an AWS bucket exposed online.

Updated on May 2022

Over 200 Spanish mobile numbers ‘possible targets of Pegasus spyware’

The Moroccan government is likely behind the mobile hacking of 200 Spanish phone numbers, including Spain’s prime minister and defense minister, in mid-2021. The hacks happened at a turbulent time for Spanish politics, given the divisive pardons of nine Catalan independence leaders and a separate diplomatic spat with Morocco. Their numbers were on a leaked list of phone numbers said to be possible targets of NSO’s Pegasus spyware, but also Candiru spyware, according to Citizen Lab’s report last month. This week also saw a leading Catalan separatist politician say that Spain’s spy chief “acknowledged” that her agency hacked into the phones of “some” of the Catalonian pro-independence party members. So, to recap: Morocco is likely hacking politicians in Spain, and Spain is likely hacking politicians in Catalonia.

Read more in

Updated on April 2022

Citizen Lab: NSO Spyware Found on Devices of Catalan Groups, UK PM’s Office

The Citizen Lab says it found NSO Pegasus spyware on devices of at least 65 individuals, including “Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations. Family members were also infected in some cases.” The spyware was also found on devices associated with the UK Prime Minister’s Office and the Foreign, Commonwealth and Development Office.

Note

  • While the spotlight is currently on NSO Spyware, we should take these stories as a reminder that there are groups actively looking for weaknesses in the security of mobile devices. NSO are not the only threat actors at play here; they happen to be the one that has been recently caught out. As such, we need to ensure that we have appropriate security mechanisms and controls in place, be they technical, personal, and process driven, to secure mobile devices.
  • Catalonia is a community in north-eastern Spain and its economy represents a significant portion of Spain’s GDP. This seems to be the latest step in the dispute between Catalonia and Spain over full autonomy. Attackers used multiple initial attack vectors, including HOMAGE or Kismet, which leveraged a zero-click iMessage flaw in versions of iOS 13, SMS, and the 2019 WhatsApp exploit to deliver Pegasus. These weaknesses were fixed in newer iOS and app updates. Even if you’re not a target, some off-target infections have been noted. Make sure that you’re keeping your device and apps updated. Consider using loaner/burner devices when traveling to foreign countries of higher risk.

Read more in

Updated on February 2022

FBI Says They Tested but Did Not Use Pegasus Spyware

In a statement to the Washington Post, the FBI confirmed that while it tested NSO Group’s Pegasus spyware, it never used it in an investigation. The FBI obtained a license to test the software in 2019, and decided not to use it two years later, at roughly the same time that journalists published an investigation into the use of Pegasus to target human rights activists, politicians, and journalists worldwide.

Note

  • Not sure what the fuss is about here. NSO provided capabilities to be used by ethical governments. The general beef with NSO is how its capabilities have been used, not the fact that they exist. It is crazy expensive to develop implants and exploit capabilities against platforms like iOS and WhatsApp. If the federal government can buy those capabilities cheaper than they can develop them, they absolutely should. None of this should be taken to excuse the obviously vacant oversight by NSO on who its technologies were sold to and how they were used.
  • We have all deployed pilots of software we’re investigating for broader use, and they don’t always work out. Make sure you clearly document the scope of the pilot, including any needed authorization from the provider, outcomes, and discoveries, closing it out fully if implementation doesn’t go forward to protect yourself from any claims of impropriety.

Read more in

FBI Considered Using Pegasus Spyware

The FBI considered using NSO Group’s Pegasus spyware. NSO Group had initially developed Pegasus so that it could not be used against US phones; in its pitch to the FBI, NSO Group offered a workaround known as Phantom that would allow US phones to be targeted. Ultimately, the FBI decided not to move forward with the plan.

Note

  • Assume intelligence agencies have tools like Pegasus and Phantom; take actions to mitigate the risk, even if you don’t think you’re targeted. This means use loaner phones with minimal data, strong authentication, current OS and applications and verified security settings when going to risky foreign locations. Don’t update the devices while on those trips and consider them suspect upon return. This scenario is not a time for BYOD.
  • One should not be surprised that such discussions took place. One would like to think that the FBI would use such a tool only with warrants based upon probable cause. However, recent experience with airborne IMSI-catchers raises some doubt. Even the “good guys” are vulnerable to temptation. The “usual suspects” must take into account the security limitations that all technology, but particularly general purpose communication devices, has.

Read more in

Finland Says Diplomats Phones Infected with Pegasus Spyware

Finnish officials say that phones belonging to Finnish diplomats serving outside the country have been infected with Pegasus spyware. Finland’s Ministry for Foreign Affairs says that the espionage campaign is “no longer active.”

Note

  • Apple released fixes in iOS 15 which address NSO’s ForcedEntry exploit, make sure your devices are updated. While Apple says they will notify those targeted with this exploit, in accordance with best practices, take proactive steps to minimize the risk before heading abroad.
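The notes on this page keep returning to one control: keep devices on a current iOS release (the note above on the iOS 15 fixes for ForcedEntry, and the July 2022 note recommending the latest iOS versions). One practical way to act on that advice is to check an MDM inventory export against a minimum version. The following is an added example, not code from Apple or from any MDM product; the inventory, the device names and the policy floor are constructed. It compares versions numerically, because a plain string comparison would rank a hypothetical "14.10" below "14.8".

```python
"""
Fleet check for a minimum OS version. Added example, not code from Apple or
any MDM vendor; the inventory and the policy floor are constructed.
"""
import re

# Constructed policy floor. iOS 14.8 is the release the page says closed the
# zero-click flaw; in practice set this to the current release.
MINIMUM_IOS = "14.8"

# Constructed inventory in the shape an MDM export might give you.
INVENTORY = [
    {"device": "ceo-iphone", "os": "15.0.2"},
    {"device": "board-ipad", "os": "14.7.1"},
    {"device": "cfo-iphone", "os": "14.8"},
    {"device": "travel-loaner", "os": "13.7 (build-xxxx)"},  # build id is a placeholder
]

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'15.0.2' or '13.7 (build-xxxx)' -> (15, 0, 2) / (13, 7). Raises on junk."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_current(version, minimum=MINIMUM_IOS):
    """Numeric comparison; a string comparison would rank '14.10' below '14.8'."""
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))  # treat 14.8 and 14.8.0 as equal
    m += (0,) * (width - len(m))
    return v >= m


def out_of_date(inventory, minimum=MINIMUM_IOS):
    """Names of devices below the floor, so they can be patched or quarantined."""
    return [d["device"] for d in inventory if not is_current(d["os"], minimum)]


if __name__ == "__main__":
    for name in out_of_date(INVENTORY):
        print(f"needs update: {name}")
```

Feed it the real export from your MDM and the devices it lists are the ones to update or keep off sensitive travel until they are patched.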

Read more in

Updated on January 2022

Pegasus Spyware Found on El Salvadoran Journalists’ Devices

Digital rights organizations Citizen Lab and Access Now have published a report detailing their investigation into the use of NSO Group’s Pegasus spyware against journalists and civil rights activists in El Salvador.

Note

  • This is sadly unsurprising and continues to highlight that either NSO is incapable of policing its customers or (more likely) no commercial spyware company can ensure its software isn’t abused.
  • The report sets the stage and background which led to use of the spyware in that country and provides context for those actions. While these efforts currently target journalists and the NSO infection vector is a zero-click attack path, we still need to be vigilant: keeping our devices fully updated, keeping them under our control, removing unneeded or unused applications, using loaner devices for high-risk situations, and using caution with links and attachments.

Read more in

Updated on December 2021

Egyptian Politician’s iPhone Infected with Two Types of Spyware

Researchers from the University of Toronto’s Citizen Lab found that the iPhones of two Egyptians – an exiled politician and a television news show host – were infected with spyware. Both iPhones were infected with Cytrox’s Predator spyware in June 2021; the politician’s phone was also infected with NSO Group’s Pegasus spyware. Meta is removing hundreds of Facebook and Instagram accounts linked to Cytrox.

Note

  • These devices were infected prior to the releases of iOS that closed the attack vector. The report from Citizen Lab gives insight into how the devices were infected, leveraging messaging with cultural biases and claims of a trusted source, much as we see with Business Email Compromise. Make sure your messaging security training includes SMS and other message platforms, e.g., WhatsApp, not just email. Mitigate future compromise by keeping devices updated. Ask your MDM provider if it can detect these compromises. Then enable it along with reporting. Replacing compromised devices and carefully restoring data (if at all) is going to be easier than attempting to clean those which have been hacked.
  • If you have been following the Verizon Data Breach Incident Report (VZ DBIR) for several years, you will notice a repeated theme in their findings when it comes to mobile devices. It’s comparatively much harder to infect a mobile device than standard computers. In fact, there are two types of mobile devices that are most commonly infected: old outdated Android devices with dodgy mobile apps and highly-targeted individuals where threat actors are willing to pay hundreds of thousands of dollars to infect the device. This is a good example of the latter.
  • I highly recommend reading Google Project Zero’s blog post on Pegasus.
    googleprojectzero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

Read more in

Updated on September 2021

Apple Updates Address Zero-Day Flaws

Apple has released iOS 14.8, which addresses several vulnerabilities that are being actively exploited. Among them is a flaw that could be exploited without the user clicking on anything.

Note

  • So far, this vulnerability appears to have been exclusively exploited by the NSO Group’s “Pegasus” tool. We often see exploits like the one used by Pegasus trickle down over time to become commodity exploits. With more details available now, the race is on between you, the user, and the attacker to see who is first: patching or exploit development. Don’t let them outrun you. You have a bit of time here, but not much. Apple is likely going to release a major update for its operating systems in a month (or less). The patch will likely be included in that update as well.

Read more in

Updated on August 2021

Pegasus Spyware

The most recent version of Pegasus can be installed on targeted mobile devices without user interaction and without notification. The targeted device must have a vulnerable operating system or app. Once installed, Pegasus can access virtually everything on the device. Pegasus manufacturer NSO Group maintains that it sells the spyware only for government use in tracking criminals and terrorists. Information recently released by the Pegasus Project, a consortium of media organizations and journalists from 10 countries, indicates that the spyware has been used to target heads of state, activists, and journalists.

Note

  • The Amnesty International Security Labs report provides insight as to where and how Pegasus is introduced onto mobile devices. They have released both their IOCs as well as their MVT tool for analysis of Android devices and iOS backups. You may want to leverage these to double-check devices, particularly for potentially targeted individuals.

Read more in

Updated on July 2021

Amnesty International Calls for Surveillance Tech Moratorium

The recent release of a report from the Pegasus Project revealed that NSO Group’s Pegasus surveillance technology has been used to spy on government officials, human rights activists, journalists, and others around the world. “Amnesty International is calling for an immediate moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place.”

Note

  • As long as the surveillance technology use risk remains, the best stance is to provide users with training to be proactive in securing their mobile devices. Keep them updated, only install apps from Apple/Google/corporate app stores, don’t leave them unattended, block unknown callers and texters, use loaner devices on foreign travel, implement device sanitization and verification processes to support international use.
  • There is little chance that a “regulatory framework” will deter nation states from surveillance of their citizens.

Read more in

Amnesty International Spyware Report

Amnesty International’s Security Lab “has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.” The Forensic Methodology Report also includes a forensic tool to detect the spyware’s presence on mobile devices.

Note

  • Great report by Amnesty and a must read for anybody doing IR on mobile devices. Remember that the exploits used may be “high end” now, but they tend to trickle down the food chain. For the rest of us, the lesson to learn is that you absolutely need to keep your mobile devices up to date, and yes, a text message may be used to run arbitrary code on your device.
  • iPhones and Android phones have been harder targets to compromise than Windows PCs but this Pegasus use points out they are far from impenetrable. In the SANS 2021 New Threat and Attack report, SANS instructor Heather Mahalik points out many of the key issues and action steps.
  • While far from mass surveillance, and while most of the targets were political, some appeared to be targeted for mere celebrity. While such surveillance might not be illegal in all the countries engaged in it, it qualifies as abuse and misuse everywhere. Here it would require a warrant issued by a court based upon probable cause to believe a crime.

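The forensic tool that ships with the Amnesty report, and the IOCs and MVT tool the August 2021 note recommends, both come down to the same step: matching published indicators against artifacts parsed out of a device or backup (browser history, message bodies, process names). The following added example sketches that matching step in its simplest form. It is not code from MVT, Amnesty International or Citizen Lab, and every indicator, URL and process name in it is a constructed placeholder. The detail worth taking from it is the dot-prefixed suffix check in domain_match: a bare substring or endswith test would either miss subdomains of an indicator or produce false positives on unrelated domains that merely end in the same characters.

```python
"""
Illustrative IOC sweep over parsed mobile-backup artifacts.
Added example: not code from Amnesty's MVT or the Citizen Lab reports.
All indicator values and records below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Constructed IOC set, shaped loosely like the domain/process lists an
# IOC-driven scanner consumes. None of these are real indicators.
IOCS = {
    "domains": {"ioc-domain.example", "tracker.example"},
    "processes": {"placeholder-daemon"},
}

# Constructed records standing in for artifacts already parsed out of a
# backup: browser history entries, SMS bodies, and observed process names.
SAMPLE_RECORDS = [
    {"source": "safari_history", "url": "https://news.example.org/article"},
    {"source": "safari_history", "url": "https://cdn.ioc-domain.example/x"},
    {"source": "safari_history", "url": "https://notioc-domain.example/"},
    {"source": "sms", "text": "Parcel update: http://tracker.example/t?id=1. Also https://ok.example/"},
    {"source": "sms", "text": "Lunch tomorrow?"},
    {"source": "process", "name": "placeholder-daemon"},
    {"source": "process", "name": "mediaserverd"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlparse(url.rstrip(".,;)")).hostname  # drop trailing punctuation
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def domain_match(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None.

    'notioc-domain.example' must not match the indicator 'ioc-domain.example',
    while 'cdn.ioc-domain.example' must; hence the dot-prefixed suffix test.
    """
    if not host:
        return None
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(records, iocs):
    """Match every record against the IOC set; return a list of findings."""
    findings = []
    for rec in records:
        src = rec["source"]
        if src == "safari_history":
            urls = [rec["url"]]
        elif src == "sms":
            urls = URL_RE.findall(rec["text"])  # a message may carry several links
        else:
            urls = []
        for url in urls:
            hit = domain_match(host_of(url), iocs["domains"])
            if hit:
                findings.append({"source": src, "indicator": hit, "evidence": url})
        if src == "process" and rec["name"] in iocs["processes"]:
            findings.append({"source": src, "indicator": rec["name"], "evidence": rec["name"]})
    return findings


if __name__ == "__main__":
    for f in sweep(SAMPLE_RECORDS, IOCS):
        print(f"[{f['source']}] {f['indicator']} <- {f['evidence']}")
```

Against the constructed records this reports three findings (the subdomain hit, the link inside the SMS body, and the process name) and nothing for the look-alike domain. A real sweep would load the published STIX indicators and the parsed backup tables in place of the two constructed lists.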
Read more in

Apple Updates for Multiple Products

Apple has released updates for iOS, watchOS, tvOS, iPadOS, and macOS. While the iOS update (iOS 14.7) includes fixes for 37 security issues, it does not fix the zero-click vulnerability in iMessage that can be exploited by Pegasus spyware.

Note

  • Probably the most notable fix is the patch for the WiFi SSID format string vulnerability. Initially, this was only considered a DoS issue. But Apple confirmed that this can be used to execute code. On relatively recent iOS versions, this requires the user to join the oddly named WiFi network. But on older versions, this exploit will execute without user interaction.
  • While these updates don’t include the patch for Pegasus, there are enough other issues to warrant applying the patches immediately, particularly for iOS and iPadOS as some of the flaws are remotely exploitable. The NSO group, who are behind the Pegasus spyware, are investing heavily in exploits to maintain visibility into mobile devices, which hopefully will drive increases in security options to reduce their attack surfaces.

Read more in

Amnesty International Loses Bid to Revoke NSO Export License

An Israeli court has denied Amnesty International’s petition to revoke the export license of NSO Group, which sells surveillance software. Amnesty International filed the lawsuit in 2019, alleging that NSO group’s Pegasus software had been used against an Amnesty International employee.

Read more in:

Updated on 2020-06-27

NSO Group Spyware Used to Track Moroccan Journalist, Says Amnesty International

An Amnesty International investigation revealed evidence that spyware made by NSO Group was used to target Moroccan journalist and activist Omar Radi between January 2019 and January 2020. Attacks against Radi’s phone to install the Pegasus spyware occurred on at least three dates. One of the attacks occurred just three days after “NSO Group publicly committed to abiding by the UN Guiding Principles on Business and Human Rights.”

Read more in

Overview: Citizen Lab and Amnesty International: Spyware Campaign Targeted Indian Human Rights Activists

A joint report from Citizen Lab and Amnesty International describes a spyware scheme that targeted human rights defenders in India. The nine individuals, who are lawyers, activists, and journalists, were targeted with spear-phishing emails crafted to install malware that tracked their communications. Three of the nine people are also believed to have been targeted by NSO’s Pegasus spyware.

Read more in
