Security researchers at Citizen Lab uncovered a previously undisclosed zero-click iMessage exploit used to deploy NSO Group’s Pegasus spyware on devices belonging to several Bahraini activists.
The attacks, believed to have been orchestrated by LULU, a threat actor linked by researchers to the government of Bahrain, targeted nine Bahraini activists between June 2020 and February 2021.
The hacked activists included three members of Waad (a secular Bahraini political society), three members of the Bahrain Center for Human Rights, two exiled Bahraini dissidents, and one member of Al Wefaq (a Shiite Bahraini political society), Citizen Lab said in its new report.
The attackers used two zero-click iMessage exploits to plant the spyware on victims’ iPhones: the 2020 KISMET exploit, previously observed in attacks targeting journalists at Al Jazeera, and a new exploit chain dubbed ‘FORCEDENTRY’, which is able to circumvent Apple’s BlastDoor security system, a sandbox that isolates the Messages app from the rest of iOS.
While KISMET targets iOS 13.5.1 devices, FORCEDENTRY targets the newest iOS 14 devices.
“We saw the FORCEDENTRY exploit successfully deployed against iOS versions 14.4 and 14.6 as a zero-day,” Citizen Lab said.
The researchers said they shared crash logs and some additional phone logs relating to KISMET and FORCEDENTRY with Apple and that the company has launched its own investigation into the matter.
An NSO Group spokesperson told the Guardian that the company had not received any data from Citizen Lab and could therefore not respond to “rumours” of the group’s findings.
“As always, if NSO receives reliable information related to misuse of the system, the company will vigorously investigate the claims and act accordingly based on the findings,” the spokesperson said.