Wednesday, April 30, 2025

Apple Fixes iMessage Zero-Click Bug That Used to Deploy NSO Pegasus Spyware


Apple has published security updates for iPhone, iPad, Mac, and Apple Watch that address zero-day vulnerabilities, one of which was used to bypass the operating system's defenses.

The company patched CVE-2021-30858 in WebKit, a use-after-free vulnerability that allows remote code execution when processing maliciously crafted web content.

The second vulnerability, CVE-2021-30860, affects the CoreGraphics component and can be used to execute code remotely when processing a maliciously crafted PDF document.


Previous NSO Zero-Click Exploits

According to the report, FORCEDENTRY is the latest in a string of zero-click exploits linked to NSO Group. In 2019, WhatsApp fixed CVE-2019-3568, a zero-click vulnerability in WhatsApp calling that NSO Group used against more than 1,400 phones over a two-week period.

In 2020, NSO Group used the KISMET zero-click iMessage exploit. The KISMET vulnerability was never publicly identified, though it is assumed that the underlying vulnerability can no longer be exploited through iMessage.

Payload

The security researchers described the payload associated with this vulnerability:

  • There were 27 copies of the same file with a “.gif” extension. Investigation showed that the file is actually a 748-byte Adobe PSD file, and every copy caused an IMTranscoderAgent crash on the device.
  • There were also four other files with a “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of them had 34-character names and two had 97-character names.
  • Lastly, the researchers ran the pdfid tool on these four “.gif” files; the notable point in that output was that the stream length differed between the files.
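The triage the payload section describes, identifying a file by its magic bytes rather than its extension and pulling the stream sizes out of a PDF, is easy to automate. The script below is an added example written for this page; it is not code from the article or from the Citizen Lab report, the sample blobs are constructed and contain no exploit data, and the stream regex is a deliberate simplification rather than a full PDF parser.

```python
"""Added example (not from the article or Citizen Lab): triage attachments whose
".gif" name does not match their content, the pattern the payload section describes."""
import re
from dataclasses import dataclass, field

# Magic numbers for the three formats that matter here.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"8BPS": "psd",    # Adobe Photoshop document
    b"%PDF-": "pdf",
}

# Lazy match of one PDF stream body; good enough for triage, not a full PDF parser.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def classify(data: bytes) -> str:
    """Return the real format of a blob by its magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


@dataclass
class Finding:
    name: str
    declared: str              # extension in the file name
    actual: str                # format from magic bytes
    jbig2: bool = False        # PDF declares a /JBIG2Decode filter
    stream_lengths: list = field(default_factory=list)


def inspect(name: str, data: bytes) -> Finding:
    """Compare the declared extension with the content and pull out PDF stream sizes."""
    declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = classify(data)
    finding = Finding(name, declared, actual)
    if actual == "pdf":
        finding.jbig2 = b"/JBIG2Decode" in data
        finding.stream_lengths = [len(m.group(1)) for m in STREAM_RE.finditer(data)]
    return finding


def is_suspicious(f: Finding) -> bool:
    """A '.gif' that is really a PSD or PDF, or any PDF with a JBIG2 stream, deserves a closer look."""
    return (f.declared == "gif" and f.actual != "gif") or f.jbig2


def scan(files: dict) -> list:
    """Return the names of attachments that should be escalated."""
    return [name for name, data in files.items() if is_suspicious(inspect(name, data))]


# Constructed sample inputs (not real exploit files): a benign GIF, a PSD header,
# and a minimal PDF that declares a JBIG2Decode filter on a 5-byte stream.
SAMPLE_GIF = b"GIF89a" + bytes(16)
SAMPLE_PSD = b"8BPS\x00\x01" + bytes(20)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Length 5 /Filter /JBIG2Decode >>\nstream\n"
    b"\x00\x01\x02\x03\x04\nendstream\nendobj\n%%EOF\n"
)
SAMPLE_FILES = {"cat.gif": SAMPLE_GIF, "a.gif": SAMPLE_PSD, "b.gif": SAMPLE_PDF}

if __name__ == "__main__":
    flagged = scan(SAMPLE_FILES)
    for name, data in SAMPLE_FILES.items():
        print(inspect(name, data), "SUSPICIOUS" if name in flagged else "ok")
```

Run against an export of iMessage attachments, the same logic flags the two shapes the article describes: a “.gif” that is really a PSD, and a “.gif” that is really a PDF carrying a JBIG2 stream, with the stream lengths reported so that differing sizes across otherwise identical files stand out.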

Vulnerabilities

In total, two vulnerabilities were identified by the security experts at CISA: the WebKit flaw (CVE-2021-30858) and the CoreGraphics flaw (CVE-2021-30860) described above.

Discovery and Disclosure

After investigating the vulnerability, the analysts found that the format of the files matched two types of crashes.

The experts had observed the same pattern on another phone that had been hacked with Pegasus, and so suspected that the “.gif” files might contain parts of the FORCEDENTRY exploit chain.

The vulnerability behind the FORCEDENTRY exploit was designated CVE-2021-30860 and is described as: processing a maliciously crafted PDF may lead to arbitrary code execution.

Attribution to NSO Group

On further investigation, the researchers noted several distinctive elements that allowed them to make a high-confidence attribution to NSO Group:

  • First, the spyware installed by the FORCEDENTRY exploit left a forensic artifact they named CASCADEFAIL. It is a bug in the spyware's cleanup: evidence of the infection is only incompletely deleted from the phone's DataUsage.sqlite file.
  • Second, the spyware installed by the FORCEDENTRY exploit used several process names, including “setframed”. That same process name was used in an attack with NSO Group's Pegasus spyware on an Al Jazeera journalist in July 2020.
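Both attribution clues are checkable from a forensic copy of the database. The script below is an added example written for this page, not code from the article, Citizen Lab, or any toolkit; it uses a simplified two-table schema (ZPROCESS and ZLIVEUSAGE, linked by ZHASPROCESS) that is an assumption about DataUsage.sqlite, and the rows are constructed. The CASCADEFAIL check looks for process rows whose usage rows have been deleted, which is the "incomplete deletion" the article describes; the second check matches process names against the one name the article gives.

```python
"""Added example (not Citizen Lab's or any toolkit's code): spot CASCADEFAIL-style leftovers in a
DataUsage.sqlite-like database. The two-table schema below is a simplified assumption."""
import sqlite3

# Process name the article links to Pegasus; a real IoC list would be maintained separately.
KNOWN_BAD_PROCESS_NAMES = {"setframed"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for DataUsage.sqlite (schema assumed, not copied)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZWIFIIN INTEGER);
        -- Normal apps: every process row has at least one usage row pointing at it.
        INSERT INTO ZPROCESS VALUES (1, 'mobilemail', 'com.apple.mobilemail');
        INSERT INTO ZPROCESS VALUES (3, 'MobileSafari', 'com.apple.mobilesafari');
        INSERT INTO ZLIVEUSAGE VALUES (10, 1, 4096);
        INSERT INTO ZLIVEUSAGE VALUES (11, 3, 8192);
        -- Incomplete cleanup: the usage rows were deleted but the process row survived.
        INSERT INTO ZPROCESS VALUES (2, 'setframed', NULL);
        """
    )
    return con


def orphaned_processes(con: sqlite3.Connection) -> list:
    """ZPROCESS rows that no ZLIVEUSAGE row references: the CASCADEFAIL signature."""
    return con.execute(
        """
        SELECT p.Z_PK, p.ZPROCNAME
        FROM ZPROCESS p
        LEFT JOIN ZLIVEUSAGE u ON u.ZHASPROCESS = p.Z_PK
        WHERE u.Z_PK IS NULL
        ORDER BY p.Z_PK
        """
    ).fetchall()


def known_bad_processes(con: sqlite3.Connection) -> list:
    """Process names that match the IoC list, orphaned or not."""
    rows = con.execute("SELECT ZPROCNAME FROM ZPROCESS ORDER BY Z_PK").fetchall()
    return [name for (name,) in rows if name in KNOWN_BAD_PROCESS_NAMES]


def triage(con: sqlite3.Connection) -> dict:
    """Combine both checks into one report a responder can act on."""
    return {
        "orphaned": orphaned_processes(con),
        "known_bad": known_bad_processes(con),
    }


if __name__ == "__main__":
    print(triage(build_sample_db()))
```

On a real acquisition you would open the copied database read-only and run the same two queries; an orphaned process row is worth investigating on its own, and one that also carries a known name is a strong indicator.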

CISA’s Recommendation

Separately, the security analysts at CISA encourage users and administrators to check for and immediately apply the newly released security updates for the affected Apple products (iPhone, iPad, Mac, and Apple Watch, as noted above).

Defenders are working to block this kind of attack, but the exploitation chain itself begins as soon as the victim receives a text message carrying a malicious image with a “.gif” extension.

The investigation established that these files are in fact Adobe PSD and PDF documents that cause the automatic rendering component to crash and infect the device with the Pegasus malware.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
