2. AGENDA
• What is Pegasus
• When it was discovered
• Trident vulnerability
• How it works
• Who was targeted
• Prevention and mitigation
3. What is Pegasus
• Pegasus is spyware that aids in cyber-espionage developed by the NSO Group of
Israel. Recent investigations reveal that Pegasus was used as a surveillance tool
targeting high-profile Government representatives, officials, human rights activists,
journalists, and even Heads of State. Spyware is software designed to intrude on
target devices, gather information about them, and then transfer it to the handlers
or Threat Actors via encrypted channels. Threat Actors could be individuals or
groups with malicious intent to target flaws in systems for personal or other gains.
Threat Actors might be cybercriminals looking for financial gains or groups
backed by nation-states. The latter are called Advanced Persistent Threats (APTs).
APTs usually have a high level of sophistication, resources, and planning.
4. When it was discovered?
• Pegasus was discovered in August 2016 after a failed installation attempt on the
iPhone of a human rights activist led to an investigation revealing details about
the spyware, its abilities, and the security vulnerabilities it exploited. News of the
spyware caused significant media coverage. It was called the "most sophisticated"
smartphone attack ever, and marked the first time that a malicious remote exploit
using a jailbreak to gain unrestricted access to an iPhone had been detected. This
version of the spyware infected smartphones using a technique called "spear-
phishing": text messages or emails containing a malicious link were sent to the
target. It depended on the target clicking the link, a requirement that was done
away with in subsequent versions.
5. Trident Vulnerability
• The attack chain relies on three zero-day vulnerabilities in iOS, referred to here as Trident, used
against iOS 9.3.3, each of which would also have worked against 9.3.4 as of the date of
discovery. With the 9.3.5 patches, these vulnerabilities no longer work.
1) CVE-2016-4657: Memory Corruption in Safari WebKit. A memory corruption
vulnerability exists in Safari WebKit that allows an attacker to execute arbitrary code.
Pegasus exploits this vulnerability to obtain initial code execution privileges within the
context of the Safari web browser.
2) CVE-2016-4655: Kernel Information Leak Circumvents KASLR. Before Pegasus can
execute its jailbreak, it must determine where the kernel is located in memory. Kernel
Address Space Layout Randomization (KASLR) makes this task difficult by mapping the
kernel into different and unpredictable locations in memory. In short, before attacking
the kernel, Pegasus has to find it.
3) CVE-2016-4656: Memory Corruption in Kernel Leads to Jailbreak. The third vulnerability
in Pegasus' Trident is the one that is used to jailbreak the phone. A memory corruption
vulnerability in the kernel is used to corrupt memory in both the 32- and 64-bit
versions. The exploits are performed differently on each version.
6. How it works
• The attack is composed of three separate stages that include both the exploit
code and the surveillance software. The stages run in sequence; each stage is
expected to successfully decode, exploit, install, and run the following stage.
Each step leverages one of the vulnerabilities in order to function successfully.
• Stage 1 Delivery and WebKit vulnerability:
This step comes down over the initial URL in the form of an HTML file
(1411194s) that uses a vulnerability (CVE-2016-4657) in WebKit (used in Safari
and other browsers).
7. • Stage 2 Jailbreak: This step is downloaded by the first-stage code based on the
device type (32-bit vs 64-bit). Stage 2 is downloaded as an obfuscated and
encrypted package. Each package is encrypted with unique keys at every
download, making conventional network-based restrictions weak. It includes the
code that is required to exploit the iOS kernel (CVE-2016-4655 and CVE-2016-
4656) and a loader that downloads and decrypts a package for stage 3.
• Stage 3 Reconnaissance software: This step is downloaded by stage 2 and is
also based on the device type (32-bit vs 64-bit). Stage 3 contains the surveillance
software, daemons, and other processes that are used after the device has been
jailbroken in stage 2. Stage 3 establishes the hooks into the applications the
attacker wants to spy on.
Additionally, stage 3 detects if the device was previously jailbroken by another
program and, if so, removes any access to the device that the jailbreak grants, such as
via SSH. The software also holds a failsafe to eliminate itself if certain
circumstances are present.
9. Who was targeted
• The targets mentioned in the recent Pegasus attack coverage were human rights
activists, journalists involved in high-profile investigations, ministers and
opposition leaders from various countries, and the Heads of State or their
associates. The data leak of approximately 50,000 numbers confirmed the
potential surveillance targets in multiple countries around the world.
• Governments of various countries, including India, Israel, Hungary, Morocco,
Rwanda, UAE, Saudi Arabia, Spain, Azerbaijan, Bahrain, Kazakhstan, and Mexico,
have been named in the data leak for using Pegasus.
10. Prevention and mitigation
• Since it is challenging to detect the presence of Pegasus once it infects a system,
prevention is the best defense. Here are a few things to keep in mind to protect
devices from Pegasus.
• Open links only from trusted sources.
• Contact your IT support immediately if you spot something amiss in any of your
devices.
• Always have an up-to-date antivirus solution from a reputed security organization
on your device.
• Be aware of any new services or apps that have recently appeared on your device.
11. • In case you are suspicious of a Pegasus attack, you can use tools like the one
shared by Amnesty International called the Mobile Verification Toolkit, or MVT, which
can decrypt iOS backups, process and parse records from iOS systems, and generate
JSON logs, amongst other things, to identify a potential infection and
compromise.
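The two defender-side points in these slides are that per-download re-encryption of the stage 2 package (slide 7) defeats hash-based blocking while the serving domain still matches, and that MVT-style checks (this slide) work by matching records extracted from a backup against an indicator list. The script below is an added example, not MVT's own code nor anything from NSO Group or Amnesty: it runs a toy indicator scan over constructed iOS-backup-style records (SMS bodies, Safari history, a process list) and shows why a domain indicator outlives a file-hash indicator for a re-encrypted payload. Every domain, process name, hash and record in it is a constructed placeholder, not a real Pegasus indicator.

```python
"""Toy indicator scan over iOS-backup-style records, in the spirit of MVT.

Added example, not Amnesty's MVT code. All indicators and records below are
constructed placeholders for illustration only.
"""
import hashlib
import json
import re
from urllib.parse import urlparse

# Constructed indicator set in the shape an MVT-style STIX2-derived list takes:
# domain names, process names and file hashes. Placeholder values only.
IOC = {
    "domains": {"ioc-placeholder-one.test", "ioc-placeholder-two.test"},
    "processes": {"placeholder_daemon"},
    "sha256": {hashlib.sha256(b"stage2-blob-A").hexdigest()},
}

# Constructed records resembling what a decrypted backup yields.
SAMPLE_RECORDS = [
    {"source": "sms", "id": 1,
     "text": "Your parcel is on hold: https://ioc-placeholder-one.test/track/8f2"},
    {"source": "sms", "id": 2, "text": "Dinner at 8?"},
    {"source": "safari_history", "id": 3, "url": "https://www.example.org/news"},
    {"source": "safari_history", "id": 4,
     "url": "http://cdn.ioc-placeholder-two.test/index.html"},
    {"source": "processes", "id": 5, "name": "placeholder_daemon"},
    {"source": "processes", "id": 6, "name": "SpringBoard"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_hosts(text):
    """Return the lower-cased hostnames of every URL found in free text."""
    hosts = set()
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host, domains):
    """True if the host or any parent domain is listed (cdn.bad.test hits bad.test)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def scan_records(records, ioc=IOC):
    """Return one detection dict per record that matches an indicator."""
    detections = []
    for rec in records:
        if rec["source"] in ("sms", "safari_history"):
            text = rec.get("text") or rec.get("url", "")
            for host in sorted(extract_hosts(text)):
                if host_matches(host, ioc["domains"]):
                    detections.append({"record_id": rec["id"], "source": rec["source"],
                                       "indicator_type": "domain", "value": host})
        elif rec["source"] == "processes" and rec["name"] in ioc["processes"]:
            detections.append({"record_id": rec["id"], "source": rec["source"],
                               "indicator_type": "process", "value": rec["name"]})
    return detections


def classify_download(blob, host, ioc=IOC):
    """Report which indicator kinds a stage-2-style download would trip.

    Re-encrypting the package on every download changes its hash, so a hash
    list misses later copies, whereas the serving domain still matches.
    """
    return {
        "sha256_hit": hashlib.sha256(blob).hexdigest() in ioc["sha256"],
        "domain_hit": host_matches(host.lower(), ioc["domains"]),
    }


def to_json_lines(detections):
    """Serialise detections as JSON lines, the output form MVT-style tools favour."""
    return "\n".join(json.dumps(d, sort_keys=True) for d in detections)


if __name__ == "__main__":
    print(to_json_lines(scan_records(SAMPLE_RECORDS)))
    # Same host, different (re-encrypted) blob: only the domain indicator still fires.
    print(classify_download(b"stage2-blob-A", "ioc-placeholder-one.test"))
    print(classify_download(b"stage2-blob-B", "ioc-placeholder-one.test"))
```

Parent-domain matching in `host_matches` is deliberate: a list entry for a bare domain should still catch subdomains used for individual downloads. A real run would feed records parsed from a decrypted backup and a current indicator file rather than the constructed lists above.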