Pegasus Spyware

Introduction

With each passing day, the world is waking up to new global cybersecurity challenges. The latest one was unearthed this month.

Move over SolarWinds, Microsoft Exchange vulnerabilities, and REvil ransomware. It is now time for Pegasus!

Pegasus is spyware that aids in cyber-espionage developed by the NSO Group of Israel. Recent investigations reveal that Pegasus was used as a surveillance tool targeting high-profile Government representatives, officials, human rights activists, journalists, and even Heads of State. Spyware is software designed to intrude on target devices, gather information about them, and then transfer it to the handlers or Threat Actors via encrypted channels. Threat Actors could be individuals or groups with malicious intent to target flaws in systems for personal or other gains. Threat Actors might be cybercriminals looking for financial gains or groups backed by nation-states. The latter are called Advanced Persistent Threats (APTs). APTs usually have a high level of sophistication, resources, and planning.

The name Pegasus comes from the mythical winged stallion of Greek legend, one of the most recognizable fabled beasts of all time.

Fig: Source: https://www.indiatoday.in/world/story/decoded-nso-pegasus-spyware-greek-meaning-india-mexico-saudi-uae-1831122-2021-07-22

The Bellerophon

The investigation into Pegasus was coordinated by Forbidden Stories (a Paris-based Non-Profit) with the support of Amnesty International and Citizen Lab. Amnesty has a detailed explanation on their GitHub and their home page with all the IOCs and the vectors used by the spyware to infiltrate target devices. It can be accessed here.

Pegasus is designed for mobile devices and is modular, i.e., it has multiple functionalities that can be switched on and off as the Threat Actor desires. Although its iOS variant (“Pegasus”) is in the news, there’s an Android variant as well, dubbed “Chrysaor.”

Once in a device, the spyware can tap into the camera to snap pictures and record audio through the mic. It can start the GPS and send out the Geolocation Coordinates, giving the Threat Actor the target’s live location.

It can also screenshot the content being viewed, read calendar events, SMS, and Instant Messengers. In addition, the spyware can read your Email, contact lists, and phone calls. It can also retrieve files and take a peek at your browsing history! If this wasn’t enough, Pegasus can turn into a keylogger. Anything that you type on the phone, every touch on the screen, even the slightest tap, gets registered by the spyware and sent to the Threat Actor. Even End-to-End Encryption can’t protect against the keylogger, since keystrokes are captured before the message is ever encrypted.

Adios Privacy! Hello Data Leak!

Who was targeted?

The targets mentioned in the recent Pegasus attack coverage were human rights activists, journalists involved in high-profile investigations, ministers and opposition leaders from various countries, and the Heads of State or their associates. The data leak of approximately 50,000 numbers confirmed the potential surveillance targets in multiple countries around the world.

The NSO Group has denied these claims and attributed them to uncorroborated theories.

According to them, “… claims are based on a misleading interpretation of leaked data from accessible and overt basic information.” The Group also clarifies that their tools are only available to Law Enforcement and Governmental Agencies and are used for saving lives by preventing crimes and terror acts.

Fig: NSO Group rapidly shut down many of their Version 3 servers shortly after the Amnesty International and Citizen Lab’s publications on 1 August 2018

Source: https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

Governments of various countries, including India, Israel, Hungary, Morocco, Rwanda, UAE, Saudi Arabia, Spain, Azerbaijan, Bahrain, Kazakhstan, and Mexico, have been named in the data leak for using Pegasus. Many are yet to comment on these reports. Amnesty International has stated that Pegasus targeted the family members of Jamal Khashoggi, the slain Saudi journalist, before and after his murder. Citizen Lab, an interdisciplinary laboratory based at the University of Toronto, concluded with a “high degree of confidence” that Jamal’s phone was successfully targeted with Pegasus and was used to get information on his communication and whereabouts. Journalists from 20 countries have currently been identified as potential targets of the spyware.

Fig: Jamal Khashoggi, who is believed to have been assassinated after assailants tracked his phone through Pegasus. (Source: Wikipedia)

Fig: CCTV footage of Jamal Khashoggi along with his fiancée hours before his death. (Source: https://apnews.com/article/7e17e6cacd144776af0a024cbfab90b1/gallery/media:65d560810c6c4629b1dd878fff009df7)

How the Horse Flies?

Initially, the Pegasus infection spreads through specially crafted links from Emails, Messages, and various social media channels. Once the targeted user clicks the link, Pegasus starts the surveillance routine. In the known case of a Moroccan journalist, the infection spread through a specially crafted SMS.

Pegasus employs a “zero-click” model of infection that does not require any interaction from the target to begin the attack. It happens in the following steps.

  1. Threat Actor utilizes a Zero-Day vulnerability designed for a particular device.
  2. Threat Actor crafts a specially designed message containing the link for the intended target and sends it to them.
  3. The target opens the link, and the vulnerability gets triggered, thereby instantly infecting the device.
  4. Spyware says Hi, and Data bids goodbye!

Since a “Zero Day” vulnerability refers to a flaw in the system that Threat Actors have discovered and that may or may not be known to the developer/OEM, there is no way of patching or fixing it at the time of the attack. In the case of Pegasus, the intended targets receive a link that redirects to multiple Zero Day exploits being executed on the device. These Zero Days include an iMessage vulnerability, an Apple Music vulnerability, and an Apple Photos vulnerability. Pegasus is known to work on a fully patched iPhone running iOS 14.6. All the data and information that Pegasus taps into is relayed to its Command and Control (CnC) servers, ergo the Threat Actors. CnC servers are systems controlled by the TAs that send out commands to be executed on the devices and receive the collected data.

The spyware’s detection and subsequent analysis revealed experienced and professional handling of the codebase. Pegasus uses obfuscation (for concealing itself), encryption, and anti-reverse-engineering techniques (making it impossible to recreate). This makes it harder for cybersecurity professionals to understand what it does, how it is made, the infrastructure used, and the intent behind the attack. When the need arises, the TAs may simply ask the spyware to delete itself, and it does so with surprising ease, leaving behind very few traces of its existence. While on the device, the spyware disguises itself as System services to evade detection.

Prevention & Mitigation

Since it is challenging to detect the presence of Pegasus once it infects a system, prevention is the best defense. Here are a few things to keep in mind to protect devices from Pegasus.

  1. Open links only from trusted sources.
  2. If you need to check a link, make sure you use a reputed Search Engine and follow the link mentioned in the search results.
  3. Contact your IT support immediately if you spot something amiss in any of your devices.
  4. Always have an up-to-date Antivirus solution from a reputed security organization on your device.
  5. Be aware of any new services or apps that have recently appeared on your device.
  6. Always update your device with the latest version of the software patch released by the OEM (Original Equipment Manufacturer).

In case you suspect a Pegasus attack, you can use tools like the one shared by Amnesty International called the Mobile Verification Toolkit, or MVT, which can decrypt iOS backups, process and parse records from iOS systems, and generate JSON logs, amongst other things, to identify a potential infection and compromise. Amnesty has published the Indicators of Compromise (IOCs) on their GitHub page. A potential compromise on the phone can be easily identified by running the MVT against the STIX2-formatted IOCs.

Fig: Pegasus IOC. Source – https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso
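As an added illustration of the IOC matching described above (not code from MVT or from Amnesty), the following Python loads a constructed STIX2 bundle in the shape Amnesty publishes, pulls the comparison values out of each indicator pattern, and checks constructed records resembling MVT's JSON timeline output against them. The bundle, the record layout, and every domain, URL, process name and id in it are assumptions made for this example; none is a real Pegasus indicator.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2.1 bundle shaped like Amnesty's pegasus.stix2: one "indicator"
# per IOC. Ids, domains and the process name are placeholders, not real Pegasus IOCs.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000-placeholder", "objects": [
    {"type": "indicator", "id": "indicator--0001-placeholder",
     "pattern": "[domain-name:value = 'placeholder-c2.invalid']"},
    {"type": "indicator", "id": "indicator--0002-placeholder",
     "pattern": "[url:value = 'https://placeholder-lure.invalid/redirect']"},
    {"type": "indicator", "id": "indicator--0003-placeholder",
     "pattern": "[process:name = 'placeholderd']"},
]})

# One comparison inside a STIX pattern: "[domain-name:value = 'x']" -> ("domain-name:value", "x")
_COMPARISON = re.compile(r"([a-z\-]+:[a-z_.]+)\s*=\s*'([^']*)'")
def load_iocs(bundle_json):
    """Return {stix_object_path: {values}} for every indicator in the bundle."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for path, value in _COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(path, set()).add(value.lower())
    return iocs

# Constructed records modelled on MVT's JSON timeline output (Safari history, processes).
RECORDS = [
    {"module": "safari_history", "url": "https://news.example.org/article/1"},
    {"module": "safari_history", "url": "https://PLACEHOLDER-C2.invalid/x?id=9"},
    {"module": "safari_history", "url": "https://placeholder-lure.invalid/redirect"},
    {"module": "processes", "name": "placeholderd"},
]

def check_records(records, iocs):
    """Return (module, stix_path, value) for every record value that hits an IOC."""
    hits = []
    for rec in records:
        candidates = []  # (STIX object path, value) pairs this record can be compared on
        if "url" in rec:
            candidates.append(("url:value", rec["url"]))
            candidates.append(("domain-name:value", urlparse(rec["url"]).hostname or ""))
        if "name" in rec:
            candidates.append(("process:name", rec["name"]))
        for path, value in candidates:
            if value.lower() in iocs.get(path, ()):
                hits.append((rec["module"], path, value))
    return hits
```

Matching on the URL's hostname as well as the full URL is what lets a domain indicator catch a visit to any page on that domain, which is how MVT's domain-based checks behave.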

An Afterthought

The list of harmful capabilities of spyware like Pegasus raises an important question. Mass surveillance is not a new concept. Regimes have been doing it since ancient times to keep certain elements of society in check. It has even been used to topple governments. The power these TAs have over their targets is enormous. TAs can track where their targets go, who their targets are talking to, scan their surroundings and even listen in on their conversations. Spyware like Pegasus is an antithesis to a society that upholds privacy and the individual’s control over their data.

This raises an important question. Is information collection under the pretext of the greater good, without the knowledge of the individuals or organizations who own that information good or bad? Sure, in the hands of a good actor, it can be used to prevent crimes, stop human trafficking, and even deter terrorism. In the hands of a bad actor, the collected information can be disastrous, as is evident with the recent spate of Ransomware attacks against corporations and governments. The data leaks we have seen in recent years have been more harmful to ordinary people than the targeted organizations. Can we uphold the privacy of average citizens when agencies are allowed to use spyware like Pegasus?

Till we find an answer to such complex questions, do not click on any unknown links!

References

https://en.wikipedia.org/wiki/Pegasus
https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
https://preview.redd.it/5tkb1p3sp3531.jpg?width=960&crop=smart&auto=webp&s=f9572ba94fb90c9e1dcfff74264484732cff7a6f
https://www.nsogroup.com/Newses/following-the-publication-of-the-recent-article-by-forbidden-stories-we-wanted-to-directly-address-the-false-accusations-and-misleading-allegations-presented-there/
https://www.fireeye.com/current-threats/what-is-a-zero-day-exploit.html
https://github.com/mvt-project/mvt
https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso
https://oasis-open.github.io/cti-documentation/stix/intro.html
