NSO Group's Pegasus Spyware Found on High-Risk iPhones

Users in multiple countries have been impacted by spyware previously linked with NSO Group’s Pegasus malware over the past six months.

The findings by Jamf Threat Labs suggest the observed attacks to be highly targeted, yielding unique indicators of compromise (IOC) in each scenario.

“Variations in the compromised hardware and software indicate that new exploits continue to be discovered as security patches are issued, expanding the population of vulnerable devices,” reads an advisory published by the company on Monday.

Jamf also clarified that while Apple actively monitors devices for compromise, the tech giant has not contacted all users impacted by these spyware attacks.

“[This shows] the challenges with maintaining a comprehensive list of IOCs and [...] extracting relevant data remotely,” the company explained.

Additionally, the fact that high-risk individuals and organizations do not consistently execute complete investigations based on threat indicators also contributes to difficulties in comprehensively mapping these attacks.

Jamf examines two sophisticated spyware attacks in its latest advisory. The first affected an iPhone 12 Pro Max used as the daily communications tool by a Middle East-based human rights activist.

On this device, the spyware left traces of a process called “libtouchregd,” previously associated with the Pegasus spyware.

According to Jamf security researchers, the same person or group who created Pegasus may be behind the attack. 

Further analysis of the device showed signs that the iPhone had been tampered with, which could mean someone was trying to access sensitive information on the phone. In this case, the user received a warning from Apple about a potential attack and updated their phone to protect themselves.

The second device analyzed by the team was an iPhone 6s (no longer receiving the latest Apple updates) belonging to a journalist in Europe working for a global news agency.

“Like the Middle East iPhone, the Europe iPhone showed evidence of critical system crashes,” Jamf wrote. “Even more suspiciously, the Europe iPhone included files found at an atypical location within the iPhone’s strict filesystem.”

Based on the observed IOCs, the Jamf team could not conclusively determine that this iPhone was compromised by a specific threat actor. Still, the company said the targeting of older devices like this should serve as a reminder that malicious threat actors will exploit any vulnerabilities in an organization’s infrastructure.
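One way to run the kind of indicator check the advisory describes over a device snapshot, as an added example (not Jamf's or Apple's tooling): it matches the libtouchregd process name named in the article, flags binaries running outside an assumed allowlist of normal iOS locations, and notes a run of system crashes. The snapshot, allowlist prefixes and crash threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Indicator named in the article: a process previously associated with Pegasus.
KNOWN_IOC_PROCESSES = {"libtouchregd"}

# Assumed allowlist of directory prefixes from which iOS system daemons and
# app binaries normally run; anything else counts as an "atypical location".
EXPECTED_PREFIXES = (
    "/sbin/",
    "/usr/libexec/",
    "/usr/sbin/",
    "/System/Library/",
    "/private/var/containers/Bundle/Application/",
)


@dataclass(frozen=True)
class Finding:
    kind: str    # which rule fired
    detail: str  # what was matched


def triage(processes, crash_count, ioc_names=KNOWN_IOC_PROCESSES, crash_threshold=3):
    """processes: iterable of (process_name, executable_path) from a device snapshot.
    crash_count: number of system crashes seen in the review window (assumed input).
    Returns findings in snapshot order, crash anomaly last."""
    findings = []
    for name, path in processes:
        if name in ioc_names:
            findings.append(Finding("known_ioc_process", f"{name} at {path}"))
        elif not path.startswith(EXPECTED_PREFIXES):
            findings.append(Finding("atypical_location", f"{name} at {path}"))
    if crash_count >= crash_threshold:
        findings.append(Finding("crash_anomaly", f"{crash_count} system crashes in window"))
    return findings


# Constructed sample snapshot (not real forensic data).
SAMPLE_PROCESSES = [
    ("launchd", "/sbin/launchd"),
    ("SpringBoard", "/System/Library/CoreServices/SpringBoard.app/SpringBoard"),
    ("libtouchregd", "/private/var/tmp/libtouchregd"),
    ("helperd", "/private/var/mobile/Library/Caches/helperd"),
]
SAMPLE_CRASH_COUNT = 5

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_CRASH_COUNT):
        print(f"{f.kind}: {f.detail}")
```

Because the article notes that IOCs differ per incident, `ioc_names` is a parameter so the name set can be swapped for each case rather than hard-coded.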

“As a general best practice, we strongly recommend upgrading outdated devices to newer iPhone or iPad models that are running the latest available updates and operating system versions,” reads the advisory.

Its publication comes a year after Spanish government regulators started investigating claims that the authorities used Israeli spyware to snoop on separatist politicians from the Catalonia region.
