Global spyware attacks spotted against both new and old iPhones

Attackers have been targeting iPhone users around the globe in ongoing Pegasus spyware attacks. They show that cyber-threat actors are targeting both new exploits and older, unupdated devices to circumvent new preventative measures from Apple, researchers have found.

One of the multiple targeted campaigns observed over the last six months involved an iPhone user in the Middle East, and another a journalist in Europe using an iPhone 6 that is not supported by the latest iOS updates, researchers at Jamf Threat Labs reported in a recent blog post. Those updates include new threat “Lockdown Mode” notifications by Apple that can help warn someone if there is unusual activity that could be related to spyware on their devices.

The attacks demonstrate how threat actors continue to evolve and grow in sophistication even as there is more awareness about spyware and prevention against these attacks, which are often used with malicious intent by governments to target dissidents or others who investigate or are unsupportive of policies or regimes, the researchers said.

“Modern spyware is very advanced and, as evidenced by the continued evolution of commercial spyware, continues to leverage zero-day vulnerabilities in both old and new devices to ensure any user can be effectively targeted,” the researchers wrote in the post.

They also indicate that though the researchers were able to take a deep dive into devices involved in some of the recent attacks, there is no consistency in terms of how the individuals or organizations targeted investigate attacks after the fact. This makes it difficult to respond or prevent further attacks in a timely or comprehensive way, the researchers said.

Moreover, “not all users impacted by spyware have been contacted by Apple, illustrating the challenges with maintaining a comprehensive list of indicators of compromise (IoCs) and with extracting relevant data remotely,” they wrote.

Mideast Activist Targeted

Researchers specifically detailed two separate attacks that demonstrate how no iPhone is safe from being targeted, despite Apple’s bolstering of preventative measures in its most recent updates to iOS.

One attack targeted an iPhone 12 Pro Max user in the Middle East who eventually was notified by Apple of suspicious activity on the device, which showed IoCs that Pegasus — the notorious spyware from Israel’s NSO Group — was running.

Subsequent analysis from Jamf Threat Labs revealed traces of the “libtouchregd” process on the device, which Amnesty International has identified as an IoC associated with Pegasus spyware, the researchers said.

The device also yielded additional IoCs via subsequent analysis of the com.apple.CrashReporter.plist file, which is located within a root folder on iOS and serves as a configuration file for the system daemon, ReportCrash, according to the researchers.

“Under normal operating conditions, applications are not granted permission to access or modify this file,” the researchers wrote. “Alteration of this file could potentially impede the reporting of crash report logs to Apple. Additionally, the existence of the file is rare for normal users.”

To read the complete article, visit Dark Reading.