25 August 2021

New iOS zero-click exploit used in attacks against Bahraini activists



Security researchers at Citizen Lab uncovered a previously undisclosed zero-click iMessage exploit used to deploy NSO Group’s Pegasus spyware on devices belonging to several Bahraini activists.

The attacks, believed to have been orchestrated by LULU, a threat actor linked by researchers to the government of Bahrain, targeted nine Bahraini activists between June 2020 and February 2021.

The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society), Citizen Lab said in its new report.

The attackers used two zero-click iMessage exploits to plant the spyware on victims’ iPhones: the 2020 KISMET exploit, previously observed in attacks targeting journalists at Al Jazeera, and a new exploit chain dubbed ‘FORCEDENTRY’. FORCEDENTRY is able to circumvent BlastDoor, Apple’s sandbox that isolates the Messages app’s handling of incoming content from the rest of iOS.

KISMET targets devices running iOS 13.5.1, while FORCEDENTRY targets the newest iOS 14 devices.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said.

The researchers said they shared crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple and that the company has launched its own investigation into the matter.

An NSO Group spokesperson told the Guardian that the company had not received any data from Citizen Lab and could therefore not respond to “rumours” of the group’s findings.

“As always, if NSO receives reliable information related to misuse of the system, the company will vigorously investigate the claims and act accordingly based on the findings,” the spokesperson said.

