PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022

Citizen Lab reported that Israeli surveillance firm NSO Group used at least three iOS zero-click exploits in 2022.

A new report from Citizen Lab states that the Israeli surveillance firm NSO Group used at least three zero-click zero-day exploits to deliver its Pegasus spyware.

In 2022, the Citizen Lab analyzed the NSO Group activity after finding evidence of attacks on members of Mexico’s civil society, including two human rights defenders from Centro PRODH, which represents victims of military abuses in Mexico.

The researchers discovered that in 2022, NSO Group customers used at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets worldwide.

One of the iOS zero-click used in 2022, called by Citizen Lab “PWNYOURHOME,” was used against iPhones running iOS 15 and iOS 16 starting in October 2022. The researchers believe PWNYOURHOME is a novel two-step zero-click exploit. The first step targets the HomeKit process, while the second step targets iMessage.

Another zero-click exploit dubbed FINDMYPWN was used by the surveillance firm against iOS 15 since June 2022. FINDMYPWN is a two-step exploit that targets the iPhone’s Find My feature and the step targets iMessage.

Another two-step exploit, which targets the Find My feature and iMessage, has been dubbed FindMyPwn. This zero-click exploit has been used against iPhones running iOS 15 since at least June 2022. 

The third zero-click exploit discovered by Citizen Lab is LATENTIMAGE, it was found on a single target’s phone and experts believe it was the first new exploit used by NSO Group in 2022.

“Further analysis yielded additional indicators, which were then applied to analyze additional devices in the global pool of 2022 Pegasus victims to uncover more details about NSO Group’s 2022 exploits.” reads the report. “These indicator overlaps allow us to attribute the 2022 zero-click chains to NSO Group’s Pegasus spyware with high confidence. Overall, we believe NSO Group deployed at least three zero-click chains in 2022 (Figure 2), exploiting a variety of apps and features on the iPhone. We have observed cases of some of the chains deployed as zero-days against iOS versions 15.5 and 15.6 (FINDMYPWN), and 16.0.3 (PWNYOURHOME).”

The researchers shared their findings with Apple in October 2022 and in January 2023. Apple notified targets of the attacks in November and December 2022, and March 2023.

Citizen Lab noticed that NSO Group, for a brief period, targeted devices with iOS 16’s Lockdown Mode feature enabled. The owners of these devices received real-time warnings when the threat actors attempted to use the PWNYOURHOME exploit against their devices. The bad news is that NSO Group may have improved its exploit to avoid the real-time warning, and the researchers have not seen PWNYOURHOME successfully used against any devices on which Lockdown Mode is enabled.

“It is encouraging to see that Apple’s Lockdown Mode notified targets of in-the-wild attacks. While any one security measure is unlikely to blunt all targeted spyware attacks, and security is a multi-faceted problem, we believe this case highlights the value of enabling this feature for high-risk users that may be targeted because of who they are or what they do.” concludes the report. “We highly encourage all at-risk users to enable Lockdown Mode on their Apple devices. While the feature comes with some usability cost, we believe that the cost may be outweighed by the increased cost incurred on attackers.”

Recently Citizen Lab researchers reported that at least five civil society members were victims of spyware and exploits developed by the Israeli surveillance firm QuaDream.

The victims include journalists, political opposition figures, and an NGO worker located in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

The researchers also believe that the threat actors used a suspected iOS 14 zero-click exploit to deploy QuaDream’s spyware. The zero-day exploit, dubbed ENDOFDAYS, appears to work against iOS versions 14.4 and 14.4.2, and possibly other versions. ENDOFDAYS relies on invisible iCloud calendar invitations sent from the spyware’s operator to victims.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citizen Lab)