NSO Group's exploits rival those of nation states, security researchers say

NSO Group's spyware rival those of nation states

Security researchers at Google have taken a deep dive into an NSO Group zero-click iMessage, revealing the sinister sophistication of the company's attacks.

According to Google's Project Zero, the ForcedEntry zero-click exploit — which has been used to target activists and journalists — is "one of the most technically sophisticated exploits we've ever seen." It also illustrates that NSO Group's capabilities rival those of nation-state actors.

Apple patched the zero-click exploit, designated CVE-2021-30860, in mid-September 2021 in iOS 14.8.

The exploit went beyond so-called one-clicks that rely on a target clicking a link. Project Zero notes that the initial entry point for the Pegasus software developed by NSO Group is iMessage Apple's encrypted messaging platform. "This means that a victim can be targeted just using their phone number or AppleID username," the researchers wrote.

Once a message was sent to a user, the exploit relied on vulnerabilities in the ways that iMessage accepted and decoded files like GIF images. From there, it tricked the platform into opening malicious PDFs without any interaction from a user.

More specifically, the exact vulnerability existed in a legacy compression tool used to recognize text in images. Once exploited, however, it allowed NSO Group customers to completely take over an iPhone.

Signs of the attack's sophistication went beyond the initial exploitation. According to Project Zero, ForcedEntry even set up its own virtualized command-and-control environment instead of communicating directly with a server. That made it even harder to detect.

NSO Group-made attacks like ForcedEntry have been used by governments to target journalists, activists, and political dissidents on multiple occasions. In at least one case, NSO Group spyware was used in a targeted attack of U.S. State Department officials.

Apple sued NSO Group back in November, seeking to hold the group accountable for its surveillance of iPhone users. In December, reports indicated that NSO Group was considering killing its Pegasus spyware under the pressure of lawsuits and criticism.

Follow AppleInsider on Google News

4 Comments

h4y3s

said about 2 years ago

Anyone have more details?

EsquireCats

said about 2 years ago

h4y3s said:

Anyone have more details?

Here is the first part of the deep dive: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

to over-simplify it (because it truly is a nation-state level hack.)
1. Overflow in a seldom used dependency that is actioned prior to blastdoor.
2. That overflow is carefully manipulated to utilise certain features of an image decompressor to establish a basic set of operators (AND/OR/XOR etc.) These are the fundamental building blocks of electronics circuits, aka processing on a computer.
3. Those building blocks are then used to build (I'm not joking) a full computer architecture including registers, a full 64-bit adder and comparator which then runs the relevant scripts to boot strap the next stage of the hack.
4. The article stops here, but the next part will detail how this is used to break through the relevant sandboxing to the installation of the spyware.

The fragility of it is exceptional, but the time and cost to develop such an exploit is what's more remarkable. It also forms a good argument about removing seldom used features and retiring old standards. The JBIG2 format provided the necessary tools for this exploit to run, but also is largely irrelevant and seldom used. It may just be better to remove that functionality altogether. (JBIG2 decoding is included as part of support for PDFs.)

Edit: Just as follow-up, Apple made a number of changes to address this entry method. Moving more areas to inside Blastdoor as well as greatly restricting the number of available formats available for Messages (i.e. just the ones it's meant to support.)

appleinsideruser

said about 2 years ago

EsquireCats said:

h4y3s said:

Anyone have more details?

Here is the first part of the deep dive: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

to over-simplify it (because it truly is a nation-state level hack.)
1. Overflow in a seldom used dependency that is actioned prior to blastdoor.
2. That overflow is carefully manipulated to utilise certain features of an image decompressor to establish a basic set of operators (AND/OR/XOR etc.) These are the fundamental building blocks of electronics circuits, aka processing on a computer.
3. Those building blocks are then used to build (I'm not joking) a full computer architecture including registers, a full 64-bit adder and comparator which then runs the relevant scripts to boot strap the next stage of the hack.
4. The article stops here, but the next part will detail how this is used to break through the relevant sandboxing to the installation of the spyware.

The fragility of it is exceptional, but the time and cost to develop such an exploit is what's more remarkable. It also forms a good argument about removing seldom used features and retiring old standards. The JBIG2 format provided the necessary tools for this exploit to run, but also is largely irrelevant and seldom used. It may just be better to remove that functionality altogether. (JBIG2 decoding is included as part of support for PDFs.)

Edit: Just as follow-up, Apple made a number of changes to address this entry method. Moving more areas to inside Blastdoor as well as greatly restricting the number of available formats available for Messages (i.e. just the ones it's meant to support.)

great summary! Loved the article. Just to add, at step 3 they use their homemade computer to search memory to find their next exploit step. Scary and so clever.