New zero-click exploit used to target Bahraini activists’ iPhones with NSO spyware

Citizen Lab uncovered a new zero-click iMessage exploit that was used to deploy the NSO Group’s Pegasus spyware on devices belonging to Bahraini activists.

Researchers from Citizen Lab spotted a zero-click iMessage exploit that was used to deploy NSO Group’s Pegasus spyware on Bahraini activists’ devices.

The iPhones of nine activists, including members of the Bahrain Center for Human Rights, Waad, Al Wefaq, were infected with Pegasus spyware as part of a surveillance operation likely orchestrated by a threat actor tracked as LULU and attributed with high confidence to the government of Bahrain.

The infections took place between June 2020 and February 2021, experts pointed out that two of the hacked activists now reside in London, and at least one was in London when his device was hacked. This is the first documented hack of conducted by the Bahrain government of a device that was used by an activist in Europe.

“We identified nine Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware between June 2020 and February 2021. Some of the activists were hacked using two zero-click iMessage exploits: the 2020 KISMET exploit and a 2021 exploit that we call FORCEDENTRY.” reads the analysis published by citizen Lab.

Threat actors leveraged two zero-click iMessage exploits to infect the iPhones with spyware, respectively known as 2020 KISMET exploit and a new exploit dubbed FORCEDENTRY.

Citizen Lab researchers discovered that the FORCEDENTRY exploit is able to bypass the “BlastDoor” sandbox introduced eight months ago in iOS to block iMessage zero-click exploits.

“Phone logs indicated that the “responsible process” for the spyware was amfid, the Apple mobile file integrity daemon. We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day.” continues the report. “With the consent of targets, we shared these crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, Inc., which confirmed they were investigating.”

Citizen Lab shared his findings with Apple, the IT giant will likely address the zero-click vulnerability with the release of an out-of-band emergency iOS update.

Experts recommend disabling iMessage and FaceTime to prevent attacks mentioned in the report, anyway, powerful spyware like the one developed by NSO group has many other exploits in their arsenal.

“While NSO Group regularly attempts to discredit reports of abuse, their customer list includes many notorious misusers of surveillance technology. The sale of Pegasus to Bahrain is particularly egregious, considering that there is significant, longstanding, and documented evidence of Bahrain’s serial misuse of surveillance products including Trovicor, FinFisher, Cellebrite, and, now, NSO Group.” concludes the report. “We believe that the specific attacks we mention in this report could have been prevented by disabling iMessage and FaceTime. However, NSO Group has successfully exploited other messaging apps in the past to deliver malware, such as WhatsApp. Thus, disabling iMessage and FaceTime would not offer complete protection from zero-click attacks or spyware.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, iOS Zero-Click Exploit)

[adrotate banner=”5″]

[adrotate banner=”13″]