NSO Group’s Spyware Installed on iPhones of Al Jazeera Employees Using a Zero-Day Exploit

Security researchers from The Citizen Lab discovered that attackers deployed a zero-day exploit against iOS 13.5.1 and most likely gained access to the iPhones of 36 people working at Al Jazeera. Zero-day exploits are usually very expensive, and attackers do not normally spend them on just anyone. Such vulnerabilities appear in attacks against high-value targets for a simple reason: … The post NSO Group’s Spyware Installed on iPhones of Al Jazeera Employees Using a Zero-Day Exploit appeared first on Bitdefender.

In the case of the Al Jazeera hack, the attackers installed NSO Group’s Pegasus spyware, a toolkit that lets its operator remotely monitor a compromised device. NSO Group made a name for itself with similar attacks, including the 2019 WhatsApp breach, in which its customers infected more than 1,000 devices. The company now focuses more on zero-click exploits and network-based attacks, selling its “products” to governments and other interested parties.

“It is more challenging for researchers to track these zero-click attacks because targets may not notice anything suspicious on their phone,” said The Citizen Lab in their report. “Even if they do observe something like ‘weird’ call behavior, the event may be transient and not leave any traces on the device.”

That is what made the Al Jazeera case unusual: Tamer Almisshal, an investigative journalist at Al Jazeera, suspected that his phone had been hacked and agreed to let the researchers monitor its network traffic, which is how the infection was caught despite leaving no visible trace on the device.

“The phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage,” the researchers said. “In July 2020, KISMET was a zero-day against at least iOS 13.5.1 and could hack Apple’s then-latest iPhone 11. Based on logs from compromised phones, we believe that NSO Group customers also successfully deployed KISMET or a related zero-click, zero-day exploit between October and December 2019.”

In total, The Citizen Lab identified 36 infected phones belonging to Al Jazeera employees, but the infections came from four different Pegasus operators, which the group names MONARCHY, SNEAKY KESTREL, CENTER-1 and CENTER-2. Attributing operators to specific governments is difficult, but the group says with medium confidence that SNEAKY KESTREL was acting on behalf of the UAE and MONARCHY on behalf of Saudi Arabia.