fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Zero-Click iPhone Exploit Used to Deploy NSO Spyware

New Zero-Click iPhone Exploit Used to Deploy NSO Spyware

Digital threat researchers at Citizen Lab have uncovered a new zero-click iMessage exploit used to deploy NSO Group’s Pegasus spyware on devices belonging to Bahraini activists.

In total, nine Bahraini activists (including members of the Bahrain Center for Human RightsWaadAl Wefaq) had their iPhones hacked in a campaign partially orchestrated by a Pegasus operator linked with high confidence to the government of Bahrain by Citizen Lab.

The spyware was deployed on their devices after being compromised using two zero-click iMessage exploits (that do not require user interaction): the 2020 KISMET exploit and a new never-before-seen exploit dubbed FORCEDENTRY (previously tracked by Amnesty Tech as Megalodon).

New iPhone zero-click exploit in use since February 2021

While protecting against the iMessage exploits would only require disabling iMessage and FaceTime, NSO Group has also used exploits targeting other messaging apps, including WhatsApp.

Furthermore, disabling iMessage will lead to other issues, including sending unencrypted messages that a resourceful threat actor could easily intercept.

Unfortunately, until Apple issues security updates to address the flaws targeted by NSO Group’s FORCEDENTRY exploit, the only thing potential targets could do to protect themselves is to disable all apps the Israeli surveillance firm could potentially target.

Also Read: Top 3 Common Data Protection Mistakes, Revealed

NSO Group’s Pegasus used in high-profile attacks

The attacks revealed by Citizen Lab in today’s report are part of just one of a long string of reports and papers documenting NSO Group’s Pegasus spyware used to spy on journalists and human rights defenders (HRDs) worldwide.

Pegasus, a spyware tool developed by Israeli surveillance firm NSO Group, is marketed as surveillance software “licensed to legitimate government agencies for the sole purpose of investigating crime and terror.”

Two years ago, Facebook sued Israeli cyber-surveillance firm NSO Group for creating and selling a WhatsApp zero-day exploit used to infect the devices of high-profile targets such as government officials, diplomats, and journalists with spyware.

Also Read: The Financial Cost of Ransomware Attack

Citizen Lab revealed in 2018 that they discovered some Pegasus licensees using it for cross-border surveillance in countries with state security services that had a history of abusive behavior.

Last but not least, Human rights non-governmental organization Amnesty International and non-profit project Forbidden Stories revealed in a separate July report that NSO Group-made spyware was deployed on iPhones running Apple’s latest iOS release using zero-click iMessage exploits targeting multiple iOS zero-days.

Citizen Lab independently observed Pegasus deployed on an iPhone 12 Pro Max running iOS 14.6 (the OS’s latest release), hacked using a zero-day zero-click iMessage exploit, which did not require interaction from the targets.

“The mechanics of the zero-click exploit for iOS 14.x appear to be substantially different than the KISMET exploit for iOS 13.5.1 and iOS 13.7, suggesting that it is in fact a different zero-click iMessage exploit,” Citizen Lab said at the time.

“These most recent discoveries indicate NSO Group’s customers are currently able to remotely compromise all recent iPhone models and versions of iOS,” Amnesty International and Forbidden Stories added.

An Apple spokesperson was not available for comment when contacted by BleepingComputer earlier today.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us