Earlier this week, Apple released updates to watchOS, iOS, and macOS. It was weird because I was expecting Apple to be releasing nothing as new versions of those operating systems are inbound in the next couple of weeks. However looking at the security information gave us the first hint that Apple might have been forced to release this as the words “Apple is aware of a report that this issue may have been actively exploited” were used in the security information. And now we know the reason why they were released. These updates patch flaws that were used by the infamous Pegasus spyware that is sold by the equally infamous NSO Group:
Citizen Lab, an internet watchdog group that investigates government malware, published a short blog post explaining that last week they found a zero-click vulnerability — meaning that the hackers’ target doesn’t have to tap or click anything, such as an attachment — used to target victims with malware. The researchers said the vulnerability was used as part of an exploit chain designed to deliver NSO Group’s malware, known as Pegasus.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” Citizen Lab wrote.
Once they found the vulnerability, the researchers reported it to Apple, which released a patch on Thursday, thanking Citizen Lab for reporting them.
Based on what Citizen Lab wrote in the blog post, and the fact that Apple also patched another vulnerability and attributed its finding to the company itself, it appears Apple may have found the second vulnerability while investigating the first.
Ken Westin, Field CISO, Panther Labs had this comment:
“While this exploit initially appears to have been utilized by the NSO Group with their Pegasus spyware, the vulnerability has been identified, and differences between the software versions have been documented. This suggests that exploits targeting this vulnerability are likely to become more widespread and may extend beyond commercial spyware use.
The initial exploit employed by the NSO Group for their Pegasus spyware may have been somewhat targeted. However, the NSO Group has not been transparent about the targets of these exploits. In many cases, they have claimed a lack of visibility regarding their use. Regrettably, this software has been used to target innocent individuals, including journalists and dissidents, by authoritarian regimes. While Pegasus exhibits some level of targeting in its usage, the primary concern now, with the patch being published, is the identification of the vulnerability. As a result, it is likely that exploits will become more widespread.”
While Pegasus is a highly targeted form of spyware, that should not stop you from immediately updating your Apple Watch, iPad, iPhone, or MacBook ASAP to make sure that you are secure as possible. The reason being is that other threat actors might try to leverage this flaw agains those who have not updated.