25 August 2021

New iOS zero-click exploit used in attacks against Bahraini activists
Security researchers at Citizen Lab uncovered a previously undisclosed zero-click iMessage exploit used to deploy NSO Group’s Pegasus spyware on devices belonging to several Bahraini activists.

The attacks, believed to have been orchestrated by LULU, a threat actor linked by researchers to the government of Bahrain, targeted nine Bahraini activists between June 2020 and February 2021.

The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society), Citizen Lab said in its new report.

The attackers used two zero-click iMessage exploits to plant the spyware on victims’ iPhones: the 2020 KISMET exploit, previously observed in attacks targeting journalists at Al Jazeera, and a new exploit chain dubbed ‘FORCEDENTRY’ that is able to circumvent Apple’s BlastDoor security mechanism, essentially a sandbox that isolates the Messages app from the rest of iOS.

While KISMET targets devices running iOS 13.5.1, FORCEDENTRY targets the newest iOS 14 devices.

“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said.

The researchers said they shared crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple, and that the company has launched its own investigation into the matter.

An NSO Group spokesperson told the Guardian that the company had not received any data from Citizen Lab and could therefore not respond to “rumours” about the group’s findings.

“As always, if NSO receives reliable information related to misuse of the system, the company will vigorously investigate the claims and act accordingly based on the findings,” the spokesperson said.
