3 iOS Zero-Click Exploits Exploited by NSO Group to Deploy Spyware

In 2022, NSO Group, the Israeli firm notorious for its spyware technology, reemerged with a slew of zero-click exploit chains designed for iOS 15 and iOS 16. 

These sophisticated chains of exploits, targeted at iPhones and iPads, were deployed against human rights activists in Mexico and worldwide.

In a recent press release, Citizen Lab published the results of its investigation into recent activities of the NSO Group.

3 iOS Zero-Click Exploits

The investigative team at Citizen Lab has uncovered compelling evidence linking NSO Group to a digital espionage campaign aimed at human rights organizations in Mexico. 

Specifically, they’ve identified three exploit chains that launched Pegasus spyware attacks on groups like Centro PRODH, a legal advocacy group fighting against alleged abuses committed by the Mexican military.

Here below, we have mentioned the three iOS 15 and iOS 16 zero-click exploit chains that were used to launch Pegasus spyware:-

  • PWNYOURHOME
  • FINDMYPWN
  • LATENTIMAGE

Since then, Apple has made a HomeKit security update available with iOS 16.3.1

There has been a long history of the military and government of Mexico engaging in the following illicit activities:-

  • Grave human rights abuses
  • Extrajudicial killings
  • Disappearances

Targets

Furthermore, it has come to light that two individuals dedicated to promoting and protecting human rights, employed at Centro PRODH, have fallen victim to the notorious Pegasus spyware.

Pegasus targeted Centro PRODH during important events related to human rights violations by the Mexican Army, indicating an attempt to weaken their impact.

Jorge Santiago Aguirre Espinosa, Centro PRODH’s Director, had his device infected with Pegasus. He was previously targeted in 2017 when Citizen Lab discovered Pegasus infection attempts via a text message sent to his device in 2016.

In 2022, he was infected by the FINDMYPWN exploit at least twice. His device was infected with spyware between June 22, 2022, and July 13, 2022, when the spyware was active on it.

Mr. Aguirre’s phone was first infected on June 22, 2022, which coincided with the launch of Mexico’s truth commission on the Dirty War. The ceremony was held at a military camp witnessing many abuses.

After the ceremony, another member of the Centro PRODH, María Luisa Aguilar Rodríguez, who is the International Coordinator at Centro PRODH, became infected on June 23, 2022.

Her device was infected twice more using the FINDMYPWN exploit, and it was active on her phone between September 24 and 29, 2022.

Recommendation

Citizen Lab has refrained from disclosing additional details about Pegasus indicators to preserve their ability to identify infections. They suspect NSO Group of making concentrated efforts to avoid detection, which they continue to observe.

In October 2022 and January 2023, Citizen Lab notified Apple about their observations regarding these exploit chains.

As a recommendation, the cybersecurity researchers at Citizen Lab have urged all users who are at risk to enable the Lockdown Mode on their Apple devices.

Despite the potential for reduced usability, they believe the benefits of the feature may outweigh this cost by making it more expensive for attackers.

Building Your Malware Defense Strategy – Download Free E-Book

Related Read:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

8 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

11 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

12 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

12 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

13 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

15 hours ago