August 25, 2016

3 things CISOs need to know about the Trident iOS vulnerabilities

By Mike Murray

Earlier today, Lookout and Citizen Lab published findings about a sophisticated, targeted, and persistent mobile attack on iOS using three zero-day vulnerabilities we call “Trident.” The attack allows an adversary to silently jailbreak an iOS device and stealthily spy on victims, collecting information from apps including Gmail, Facebook, Skype, WhatsApp, Calendar, FaceTime, Line, Mail.Ru, and others.

This discovery is further proof that mobile platforms are fertile ground for gathering sensitive information from target victims, and well-resourced threat actors are regularly exploiting that mobile environment.

Read Lookout's report here.

Background
According to a new report from Citizen Lab, NSO Group, an organization that claims to specialize in “cyber war,” created a mobile espionage product called Pegasus. Citizen Lab recently caught the first in-the-wild sample of the iOS version of Pegasus, which chains three previously unknown iOS vulnerabilities to jailbreak the device and spy on its owner (we are aware that NSO Group advertises similar products for Android and BlackBerry). Pegasus is the most sophisticated attack we have seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and of a combination of features found only on mobile: always-on connectivity (Wi-Fi, 3G/4G), voice communications, camera, email, messaging, GPS, stored passwords, and contact lists.

Lookout and Citizen Lab worked directly with Apple to fix the vulnerabilities. Apple was very responsive and patched all three Trident vulnerabilities in iOS 9.3.5; every iOS user should install that update immediately. Lookout also detects this attack and alerts affected customers.
Three key lessons from this attack for enterprise CISOs and CIOs:
  • Mobile devices and enterprise intellectual property are being targeted by sophisticated corporate espionage
The Pegasus sample Lookout observed was deployed against a political target. However, attackers also deploy Advanced Persistent Threats (APTs) against corporations to gain access to infrastructure and steal intellectual property or customer data, or to perform other espionage. These exploits are ideally suited to targeted, enterprise-focused attacks, and we expect that customers of this type of software are using them for that purpose.
Given the high price tag associated with these attacks (Zerodium paid $1 million for an iOS vulnerability last year), we believe this kind of software is used in a very targeted way: the purchaser is likely to be both well-funded and specifically motivated. The going price for Pegasus was roughly $8 million for 300 licenses, so it is unlikely to be used against an average mobile device user, only against targets considered to be of high value.
While your CEO or CTO is among those high-value targets, many others in your organization could find themselves in an attacker's crosshairs. Rank-and-file employees with credentials for enterprise networks are clearly perceived as valuable targets by global threat actors, and unprotected employee mobile devices with access to sensitive corporate data are now likely to be the lowest-hanging fruit for attackers looking to breach an enterprise.
  • SMS phishing is how you’ll get owned
The Pegasus attack starts with an SMS phishing message, sent from a spoofed number and linking to an anonymized domain, that delivers the exploit to the target's iPhone when the link is tapped.
The phone is then remotely jailbroken, and the implant immediately begins compromising the target's digital life. Calls, texts, calendar entries and contacts are copied and sent to the attacker. The software can activate the phone's cameras and microphone to snoop on conversations around the device, track the victim's movements, and steal messages from end-to-end encrypted chat clients. By remotely jailbreaking the target's iPhone, the attackers gain access to significantly more sensitive information than they would by compromising a laptop.
What happens after a threat actor has compromised a target's smartphone depends on who the attacker is. Aggressive corporate competitors and nation-state actors, for example, may be most interested in credentials, communications, and business apps such as Gmail, Skype, WhatsApp, and Calendar that can contain confidential technical, financial, or customer information.
Enterprises with thousands of employees who use their phones for both work and personal communications are susceptible to attacks like Pegasus, which demonstrates how a single tap on a malicious SMS link can give an attacker the “keys to the kingdom.”
  • Lookout Mobile Endpoint Security protects against Pegasus and other mobile threats
The Lookout Mobile Endpoint Security solution’s advanced jailbreak detection is able to detect the indicators of compromise generated by the Pegasus attack, and inform users affected by this highly targeted threat.
To keep enterprise data safe, Lookout Mobile Endpoint Security looks at four important vectors:
  1. Device behavioral anomalies — Mobile Endpoint Security fingerprints the OS and file system and compares them to our dataset to spot when the OS or file system is in an unexpected state.
  2. Vulnerability assessments — Mobile Endpoint Security detects when mobile devices are rooted or jailbroken, whether maliciously or by the user.
  3. Network security — Mobile Endpoint Security monitors network traffic, determines when a connection is unsafe, and alerts admins to compromised connections.
  4. App scans — Mobile Endpoint Security identifies malware, as well as "risky" apps that are not inherently malicious but may leak information a company deems sensitive.
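As an added illustration of the first two vectors above (fingerprinting a file system against a known-good baseline, and checking for jailbreak indicators), the Python below is example code written for this article, not Lookout's detection logic. It runs against a constructed directory tree rather than a real iOS file system, and the artifact paths it looks for (Cydia.app, MobileSubstrate, bin/bash, usr/sbin/sshd, etc/apt) are long-known generic jailbreak indicators assumed for illustration, not indicators taken from the Pegasus sample.

```python
"""Baseline-and-compare file-system fingerprinting plus a check for classic
jailbreak artifacts. Illustrative example only: not Lookout's detection logic,
and it runs on a constructed directory tree so it works offline."""
import hashlib
import os
import stat
import tempfile

# Paths that should not exist on a stock iOS install. These are well-known
# generic jailbreak artifacts (an assumption for this example), not
# indicators from the Pegasus sample.
JAILBREAK_ARTIFACTS = (
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "bin/bash",
    "usr/sbin/sshd",
    "etc/apt",
)


def fingerprint_tree(root):
    """Map each relative file path under root to (mode, sha256) so that a
    later snapshot can be compared against this one."""
    fp = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                h.update(f.read())
            fp[rel] = (stat.S_IMODE(st.st_mode), h.hexdigest())
    return fp


def diff_fingerprints(baseline, current):
    """Return the files that appeared, disappeared or changed (mode or hash)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def jailbreak_artifacts_present(root):
    """List the known jailbreak artifact paths that exist under root."""
    return sorted(a for a in JAILBREAK_ARTIFACTS if os.path.lexists(os.path.join(root, a)))


def _write(root, rel, data, mode=0o644):
    """Helper: create a file (and parent dirs) with the given content and mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: snapshot a clean tree, then simulate a
    jailbreak-style modification (patched system library, dropped sshd,
    dropped hooking framework) and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "usr/lib/libSystem.B.dylib", b"stock library")
        _write(root, "System/Library/LaunchDaemons/com.example.plist", b"<plist/>")
        baseline = fingerprint_tree(root)
        assert not jailbreak_artifacts_present(root)

        # Simulated compromise of the same tree.
        _write(root, "usr/lib/libSystem.B.dylib", b"patched library")
        _write(root, "usr/sbin/sshd", b"#!/bin/sh\n", 0o755)
        _write(root, "Library/MobileSubstrate/MobileSubstrate.dylib", b"hook")

        delta = diff_fingerprints(baseline, fingerprint_tree(root))
        artifacts = jailbreak_artifacts_present(root)
        return delta, artifacts


if __name__ == "__main__":
    delta, artifacts = demo()
    print("delta:", delta)
    print("jailbreak artifacts:", artifacts)
```

Run it directly to see the added and modified files and the artifact list. In a real deployment the baseline must come from a known-good image of the exact OS build, not from the device being checked: a device that is already compromised can hand you a poisoned baseline, and an implant that controls the kernel can also lie to any check that runs on the device itself, which is why the comparison dataset lives off the device.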
Contact Lookout today to learn if your enterprise is affected and how Lookout Mobile Endpoint Security can protect your organization.
Think you've encountered a suspicious link similar to the Pegasus attack? Email support@lookout.com.

Author

Mike Murray,
Vice President, Security Intelligence



2 comments


Julius says:

September 10, 2016 at 4:39 am

I feel like, and I think, and I believe I've been a victim, and it's still ongoing with this Pegasus thing. I am not sure anymore which is which, like, to protect one's private life. I know and I'm sure that I am one of the victims because I've been using an iPhone way back. And now I noticed my phone is acting different. Like, big time. But anyway, I'm not even sure if this message will go through or other people would be able to read this anymore, and/or maybe it would make me believe that what I see or read on my phone is real or not.


Monica Zveare says:

September 02, 2016 at 10:51 am

I believe my phone is infected with Pegasus. I did receive a text message with a link that I unfortunately clicked on. The phone is acting up: the video will turn on by itself, the phone will shut down by itself, I have Lookout and I got a message saying that Lookout has been disabled, and then the phone turns off again...


Meghan Kelly says:

September 02, 2016 at 1:18 pm

Hi Monica, please get in touch with our support team as soon as possible so we can help you figure out what's going on here. Please include the email address associated with your account. support [at] lookout [dot] com