In 2022, NSO Group, the Israeli firm notorious for its spyware technology, reemerged with a slew of zero-click exploit chains designed for iOS 15 and iOS 16.
These sophisticated chains of exploits, targeted at iPhones and iPads, were deployed against human rights activists in Mexico and worldwide.
In a recent press release, Citizen Lab published the results of its investigation into recent activities of the NSO Group.
3 iOS Zero-Click Exploits
The investigative team at Citizen Lab has uncovered compelling evidence linking NSO Group to a digital espionage campaign aimed at human rights organizations in Mexico.
Specifically, they’ve identified three exploit chains that launched Pegasus spyware attacks on groups like Centro PRODH, a legal advocacy group fighting against alleged abuses committed by the Mexican military.
Here below, we have mentioned the three iOS 15 and iOS 16 zero-click exploit chains that were used to launch Pegasus spyware:-
- PWNYOURHOME
- FINDMYPWN
- LATENTIMAGE
Since then, Apple has made a HomeKit security update available with iOS 16.3.1.
There has been a long history of the military and government of Mexico engaging in the following illicit activities:-
- Grave human rights abuses
- Extrajudicial killings
- Disappearances
Targets
Furthermore, it has come to light that two individuals dedicated to promoting and protecting human rights, employed at Centro PRODH, have fallen victim to the notorious Pegasus spyware.
Pegasus targeted Centro PRODH during important events related to human rights violations by the Mexican Army, indicating an attempt to weaken their impact.
Jorge Santiago Aguirre Espinosa, Centro PRODH’s Director, had his device infected with Pegasus. He was previously targeted in 2017 when Citizen Lab discovered Pegasus infection attempts via a text message sent to his device in 2016.
In 2022, he was infected by the FINDMYPWN exploit at least twice. His device was infected with spyware between June 22, 2022, and July 13, 2022, when the spyware was active on it.
Mr. Aguirre’s phone was first infected on June 22, 2022, which coincided with the launch of Mexico’s truth commission on the Dirty War. The ceremony was held at a military camp witnessing many abuses.
After the ceremony, another member of the Centro PRODH, María Luisa Aguilar Rodríguez, who is the International Coordinator at Centro PRODH, became infected on June 23, 2022.
Her device was infected twice more using the FINDMYPWN exploit, and it was active on her phone between September 24 and 29, 2022.
Recommendation
Citizen Lab has refrained from disclosing additional details about Pegasus indicators to preserve their ability to identify infections. They suspect NSO Group of making concentrated efforts to avoid detection, which they continue to observe.
In October 2022 and January 2023, Citizen Lab notified Apple about their observations regarding these exploit chains.
As a recommendation, the cybersecurity researchers at Citizen Lab have urged all users who are at risk to enable the Lockdown Mode on their Apple devices.
Despite the potential for reduced usability, they believe the benefits of the feature may outweigh this cost by making it more expensive for attackers.
Building Your Malware Defense Strategy – Download Free E-Book
Related Read:
