FORCEDENTRY ZERO-DAY VULNERABILITY

Priority: Critical

Executive Summary:

Citizen Lab has discovered a zero-day, zero-click exploit against Apple’s iMessage. The exploit, tracked as ForcedEntry (CVE-2021-30860), was identified by Citizen Lab and immediately reported to Apple, who released a fix for all macOS, iOS and watchOS devices. Citizen Lab claims that a Saudi activist was infected with NSO Group’s Pegasus spyware via this exploit; the vulnerability has been described as “processing a maliciously crafted PDF may lead to arbitrary code execution”.

Detect:

Citizen Lab informed Apple that NSO Group has created spyware that exploits Apple’s image rendering library; Apple iOS, macOS and watchOS devices are all vulnerable. Citizen Lab suggests that NSO Group has been exploiting the vulnerability to remotely infect Apple devices with the spyware since February 2021.

This came to light after an activist contacted Citizen Lab in March of this year, claiming that they had been hacked; the attack was attributed to NSO Group.

Ivan Krstić, head of Security Engineering and Architecture at Apple stated “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals”.

Affected Products:

Citizen Lab confirms that the ForcedEntry exploit works on all Apple devices running what was, until today, the latest software.

Prevent:

Apple developed and deployed an immediate fix for all iOS, macOS and watchOS devices. The fixed versions are as follows:

macOS Big Sur 11.6
macOS Catalina
watchOS 7.6.2
iOS 14.8 and iPadOS 14.8
Safari 14.1.2
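To act on the list above, here is an added example (not from the bulletin, Citizen Lab or Apple) that sweeps a constructed device inventory and flags anything still below the fixed versions. It assumes an MDM export in `device,platform,version` form and compares versions numerically, so a hypothetical 14.10 is not mistaken for older than 14.8.

```python
from typing import Optional, Tuple

# Fixed versions as listed in this bulletin for CVE-2021-30860. macOS
# Catalina is fixed by a separate security update with no version number
# given on the page, so it is deliberately not checked here.
FIXED_VERSIONS = {
    "macos": (11, 6),      # macOS Big Sur 11.6
    "ios": (14, 8),        # iOS 14.8
    "ipados": (14, 8),     # iPadOS 14.8
    "watchos": (7, 6, 2),  # watchOS 7.6.2
    "safari": (14, 1, 2),  # Safari 14.1.2
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '14.8' or '7.6.2' into ints so that 14.10 sorts above 14.8."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(platform: str, version: str) -> Optional[bool]:
    """True if at or above the fix, False if below, None if platform unknown."""
    minimum = FIXED_VERSIONS.get(platform.strip().lower())
    if minimum is None:
        return None
    installed = parse_version(version)
    # Pad with zeros so that 11.6 and 11.6.0 compare as equal.
    width = max(len(installed), len(minimum))
    installed += (0,) * (width - len(installed))
    minimum += (0,) * (width - len(minimum))
    return installed >= minimum

def unpatched_devices(inventory: str) -> list:
    """Names of devices below the fix; unknown platforms are skipped."""
    flagged = []
    for line in inventory.strip().splitlines():
        name, platform, version = (field.strip() for field in line.split(","))
        if is_patched(platform, version) is False:
            flagged.append(name)
    return flagged

# Constructed sample MDM export (device,platform,version); not real devices.
SAMPLE_INVENTORY = """
cfo-iphone,iOS,14.7.1
cfo-watch,watchOS,7.6.2
sre-laptop,macOS,11.5.2
dev-ipad,iPadOS,14.8.1
legacy-mac,macOS Catalina,10.15.7
"""
```

Devices whose platform is not in the table (here the Catalina machine) return None rather than a verdict and should be reviewed by hand against Apple's separate Catalina security update.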

Neil Lappage, Public Sector Solutions Advisor at ITC Secure, published an article last week on the Pegasus Project and its key takeaways for the corporate world. The article highlights the types of controls required to detect zero-day attacks such as ForcedEntry.

You can find his article here.

React:

NSO Group states that its spyware is used only by governments to track the mobile phones of terrorists and criminals. Since Apple has now released updates that remediate ForcedEntry, it is recommended that users of Apple devices update immediately to prevent any further exposure.

Sources:

[1] https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/ 

[2] https://techcrunch.com/2021/09/13/apple-zero-day-nso-pegasus/?guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvLnVrLw&guce_referrer_sig=AQAAAAprPNf-p-1giPAGiQ1DFcFd4ukhZSRAABlvN-9CIwNK_-njEnlxSW8lJxegwfVpMvdvOwcSYymx9PAVXugareajfn4K86Myg4umZ2-H2aKup2c8Q39umS7CWOu_CZFBX6TFqe3slL88k4Ca1Gxe8SS-r7LSZUzkCIpzlYM4RLab&guccounter=2

[3] https://news.sky.com/story/apple-issues-emergency-software-update-after-discovery-of-zero-click-malware-12407471