Apple has issued a fix for a vulnerability in iOS, iPadOS, watchOS and macOS that paved the way for the spyware company NSO Group to develop and market a zero-click exploit to national government clients.
The ForcedEntry exploit, which targets the vulnerability tracked as CVE-2021-30860, centres on Apple’s image rendering library and effectively bypasses the in-built Apple security feature known as BlastDoor.
NSO Group had deployed the zero-click exploit to the Bahraini government, only for the client to target Bahraini activists between February and July 2021, according to Citizen Lab, which discovered the vulnerability.
Hackers had been able to exploit CVE-2021-30860 by sending a malicious iMessage that required no user interaction in order to compromise its victim.
This exploit is really similar in nature to another flaw the NSO Group had weaponised, known as Kismet, which was also used to target Bahraini activists.
Apple, however, has now issued patches for both this flaw and a WebKit vulnerability tracked as CVE-2021-30858 that’s also been exploited in the wild. This latter is a use after free issue that was addressed with improved memory management.
“Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking,” a team of Citizen Lab researchers said.
RELATED RESOURCE
2021 IBM Security X-Force Insider Threat Report
Top discovery methods and recommendations for insider attacks
“Selling technology to governments that will use the technology recklessly in violation of international human rights law ultimately facilitates discovery of the spyware by investigatory watchdog organizations, as we and others have shown on multiple prior occasions, and as was the case again here.”
Kismet was actually never acknowledged as a vulnerability in Apple’s systems, with Citizen Lab suggesting the underlying flaw, if it still exists, was rendered obsolete by the BlastDoor mitigation introduced with iOS 14. This tool sandboxes incoming iMessages to protect users from malicious texts.
It’s likely for this reason that NSO Group developed the ForcedEntry exploit, to circumvent Apple’s additional layer of protection.
The organisation has gained notoriety for its spyware tools, having previously developed the Pegasus spyware that was eventually used to target journalists and activists through a WhatsApp vulnerability.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
