July 20, 2021
By Hank Schless
Note from the author: This write-up is meant to provide an overview on Pegasus, why you should be concerned, how Lookout can help protect you and what actions security admins should take. For additional information, please read our full technical report.
Lookout Customers: If you believe your organization or one of your employees has been compromised by Pegasus, please reach out to our support team immediately.
Updated Aug. 6, 2021: Microsoft Chief Security Advisor Joseph Davis joined us on Endpoint Enigma to discuss Pegasus, why social engineering and spyware are closely connected, and why organizations need to make mobile security and Zero Trust key components of their security strategy.
First uncovered by Lookout and Citizen Lab in 2016, the highly advanced mobile spyware Pegasus was confirmed in July 2021 to have been used on business executives, human rights activists, journalists, academics and government officials.
In a joint investigation into a leaked list of more than 50,000 phone numbers, 17 media organizations found a high concentration of individuals from countries known to engage in surveillance. These countries are also known to have been clients of the NSO Group, an Israel-based company behind the development of Pegasus and a known leader in the unregulated spyware industry.
Even if your phone number isn’t on the list, this revelation illustrates that tablets and smartphones aren’t immune to cyberattacks and that spyware doesn’t only target people in government organizations. Android and iOS devices are now an integral part of how we work and manage our daily lives. That means cyberattackers can steal a wealth of sensitive data from these devices, including personal information and proprietary corporate data.
I recommend you tune into our Pegasus podcast episode, where I talk with Joseph Davis, Chief Security Advisor at Microsoft, about the interconnection between spyware and phishing. We discuss how Zero Trust and mobile security go a long way toward securing organizations against spyware and any other form of malware.
Once considered the most advanced mobile spyware in the world, Pegasus can be deployed on both iOS and Android devices. Since its discovery, the spyware has continued to evolve. What makes Pegasus highly sophisticated is the control it gives the malicious actor over the victim’s device, the data it can extract, and its evolution into a zero-click payload.
Pegasus can extract highly accurate GPS coordinates, photos, email files and encrypted messages from apps such as WhatsApp and Signal. It can also turn on the device’s microphone to eavesdrop on private in-room conversations or phone calls, and activate the camera to record video.
For years, the NSO Group has denied that Pegasus is used by malicious actors. The firm claims that it only sells Pegasus to the intelligence and law enforcement communities of about 40 countries and that all prospects’ human rights histories are rigorously vetted. The 2018 assassination of journalist Jamal Khashoggi raised significant doubt about this, because it was widely believed that the Saudi government tracked Khashoggi by compromising his mobile phone with Pegasus.
This revelation of how widely Pegasus spyware is used should alarm all citizens, not just government entities. The commercialization of spyware, much like that of phishing tools, puts everyone at risk. As Joseph and I discussed on the podcast, you or your employees may not be direct targets of spyware like Pegasus, but you could be caught in the crossfire or become a pivot point for the attacker to reach their real target.
Mobile devices can access the same data as a PC from anywhere. This dramatically increases the attack surface and risk for organizations, because mobile devices are typically used outside the security perimeter. As Joseph pointed out, once something like Pegasus gets onto a mobile endpoint, the attacker has access to everything, whether it’s your Microsoft 365 or Google Workspace accounts. At that point, it doesn’t matter whether the data is encrypted in transit or at rest: the attacker sees what the user sees. This makes any executive or employee with access to sensitive data, technological research or infrastructure a lucrative target for cybercriminals.
While mobile OS and app developers are constantly improving the security of their products, these platforms are also becoming more complex. This means there will always be room for vulnerabilities to exploit and for spyware like Pegasus to thrive.
As much as things may change, mobile phishing remains the most effective first step for cyberattackers. Just like other mobile malware, Pegasus is typically delivered to its victims through a phishing link, and phishing links are delivered most effectively through social engineering. For example, Pegasus was first brought to our attention by a journalist who had been sent a link from an anonymous mobile number promising tips about a human rights story they were working on.
While Pegasus has evolved to a zero-touch delivery model — meaning the victim doesn’t need to interact with the spyware for their device to be compromised — the link hosting the spyware still has to reach the device. Considering the countless iOS and Android apps that have messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or even dating apps.
The advanced tactics used by Pegasus are similar to many other Advanced Persistent Threats (APTs). Here is how Lookout can help protect your organization in the context of these principal tactics that APTs use to carry out an attack:
The first step for Pegasus and any APT is usually through phishing. Lookout Phishing and Content Protection (PCP) can protect your organization against each of the following scenarios that Pegasus and other APTs use:
Spyware frequently exploits vulnerabilities at both the app and device level in order to gain access to the OS of the device or exfiltrate data from particular parts of the system.
Pegasus and other APTs will silently jailbreak or root the victim’s device. Also, while zero-day exploits by their nature aren’t known in advance, they still leave the system in a detectably compromised state. Lookout Mobile Endpoint Security can protect your organization’s mobile fleet from these exploits in the following ways:
Like other malware, Pegasus communicates with a command-and-control (C2) server, from which it takes orders from the malicious actor and to which it sends exfiltrated data.
Listen in on our Endpoint Enigma podcast episode about Pegasus and spyware to hear from Microsoft Chief Security Advisor Joseph Davis on why organizations should make Zero Trust and mobile security part of their security strategy.
This blog was originally published on blog.lookout.com.
Hank Schless Senior Manager, Security Solutions