The Dataprise Blog

Apple NSO Zero-Click Zero-Day: Dataprise Defense Digest

Sep 14, 2021 BY DATAPRISE

EXECUTIVE SUMMARY

Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, discovered a zero-day, zero-click exploit against Apple’s iMessage. They have named the exploit FORCEDENTRY and attribute it to the Israeli cyber-mercenary firm NSO Group, the creator of the Pegasus spyware used in numerous high-profile compromises of the mobile devices of celebrities, politicians, and world leaders.

FORCEDENTRY is a zero-day exploit that targets Apple’s image rendering library and is effective against Apple iOS, macOS and watchOS devices. Citizen Lab believes that FORCEDENTRY has been used in the wild since at least February 2021.

Citizen Lab responsibly reported the exploit and their findings to Apple, which assigned CVE-2021-30860 to the issue and describes the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.” On Monday, September 13, 2021, Apple released updates for all affected Apple products, including Macs, iPads, and Apple Watches, to patch the FORCEDENTRY zero-day vulnerability. Dataprise recommends immediately updating your Apple devices to the latest operating system version to close this vulnerability.


IMPACT

Successful exploitation of this vulnerability can allow an attacker to execute arbitrary code on your device. This vulnerability and exploit have been used thousands of times to install the Pegasus spyware on the phones of political dissidents and human rights workers.


DETAILED ANALYSIS

Citizen Lab forwarded artifacts to Apple on Tuesday, Sept. 7 and on Monday, Sept. 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS.

The FORCEDENTRY exploit uses PDF data disguised as GIF files to circumvent Apple's "BlastDoor" sandbox for message content. When FORCEDENTRY is used against a vulnerable device, a specially crafted PDF document disguised as a GIF image is sent to an iMessage user, which causes IMTranscoderAgent, the service the device uses to transcode and preview images in iMessage, to crash. Once IMTranscoderAgent has crashed, the attacker can execute arbitrary code on the device.

Security researchers have observed FORCEDENTRY being used to install NSO Group’s Pegasus spyware, which can surreptitiously turn on the device’s camera and microphone, and even capture encrypted messages sent to apps like Signal.

Citizen Lab’s analysis of the FORCEDENTRY payload from the investigation of a Saudi journalist’s phone revealed the following:

  • 27 copies of an identical file with the “.gif” extension. Despite the extension, the file was actually a 748-byte Adobe PSD file. Each copy of this file caused an IMTranscoderAgent crash on the device. These files each had random-looking ten-character filenames.
  • Four different files with the “.gif” extension that were actually Adobe PDF files containing a JBIG2-encoded stream. Two of these files had 34-character names, and two had 97-character names.
  • The output of the pdfid tool on these four “.gif” files was (NB: the stream had varying length):

PDF Comment '%PDF-1.3\n\n'

obj 1 0
 Type: /XRef
 Referencing:
 Contains stream

  << /Type /XRef /Size 9 /W [1 3 1] /Length ... /Filter [/FlateDecode /FlateDecode /JBIG2Decode] /DecodeParms >>

trailer
  << /Size 2 >>
startxref 10

PDF Comment '%%EOF\n'
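As an added defensive example (not from the Dataprise advisory, Citizen Lab, or pdfid), the following Python check inspects the leading bytes of a ".gif" attachment and flags the two mismatches described above: a PDF declaring a /JBIG2Decode filter, or a 748-byte Adobe PSD. The sample inputs are constructed stubs that share only the headers and dictionary layout shown, not real exploit files.

```python
import re

# Magic bytes of a real GIF, and of the PDF and Adobe PSD files found behind ".gif" names.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PDF_MAGIC = b"%PDF-"
PSD_MAGIC = b"8BPS"

def identify(data):
    """Classify a file by its magic bytes, ignoring the extension entirely."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PSD_MAGIC):
        return "psd"
    return "unknown"

def pdf_filters(data):
    """Return every /Filter name declared in a PDF, whether a single name or an array."""
    names = []
    for m in re.finditer(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", data):
        names.extend(n.decode() for n in re.findall(rb"/([A-Za-z0-9]+)", m.group(1)))
    return names

def assess(filename, data):
    """Flag a .gif attachment whose content is not a GIF, and note the traits the
    advisory describes: a PDF carrying a JBIG2 stream, or a 748-byte PSD."""
    kind = identify(data)
    findings = []
    if filename.lower().endswith(".gif") and kind != "gif":
        findings.append(f"extension mismatch: .gif name but {kind} content")
    if kind == "pdf" and "JBIG2Decode" in pdf_filters(data):
        findings.append("PDF declares /JBIG2Decode filter")
    if kind == "psd" and len(data) == 748:
        findings.append("748-byte PSD matches the crash file size in the advisory")
    return {"type": kind, "findings": findings, "suspicious": bool(findings)}

# Constructed stand-ins: a PDF skeleton with the XRef dictionary from the pdfid output
# above, a zero-padded PSD stub of the reported size, and a minimal genuine GIF.
SAMPLE_PDF = (b"%PDF-1.3\n\n1 0 obj\n<< /Type /XRef /Size 9 /W [1 3 1] /Length 0 "
              b"/Filter [/FlateDecode /FlateDecode /JBIG2Decode] /DecodeParms >>\n"
              b"stream\nendstream\nendobj\ntrailer\n<< /Size 2 >>\nstartxref 10\n%%EOF\n")
SAMPLE_PSD = PSD_MAGIC + b"\x00" * (748 - len(PSD_MAGIC))
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"

if __name__ == "__main__":
    for name, blob in (("a.gif", SAMPLE_PDF), ("b.gif", SAMPLE_PSD), ("c.gif", SAMPLE_GIF)):
        print(name, assess(name, blob))
```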

Citizen Lab has identified several code signatures that enabled them to attribute the exploit to the Israeli NSO Group. In 2019 NSO used a zero-day exploit in WhatsApp to target more than 1,400 phones, and in 2020 NSO exploited another zero-click zero-day vulnerability in Apple’s iMessage, dubbed KISMET. Details of the KISMET vulnerability were never publicly released; it is suspected that the vulnerability was silently patched with the introduction of the BlastDoor capability in iOS 14, which would have required a new zero-click zero-day to bypass the new sandbox, ultimately resulting in FORCEDENTRY.

INDICATORS OF VULNERABILITY

Exploitation of the FORCEDENTRY vulnerability does not typically result in an indicator that is evident to the end user. Exploited mobile devices can be remotely controlled and monitored with no outward evidence or indicator.

MITIGATION STEPS

There are currently no mitigations other than patching this vulnerability. Disabling iMessage does not completely mitigate the vulnerability. All Apple devices should be updated to the versions below, released September 13, 2021.

  • iOS and iPadOS 14.8 or above
  • macOS Big Sur 11.6 or above
  • watchOS 7.6.2 or above



CONTRIBUTING AUTHORS

Stephen Jones, Senior Director Cybersecurity
