Staying safe from Pegasus, Chrysaor and other APT mobile malware
Quote:

How to protect your iPhone or Android smartphone from Pegasus and similar mobile APTs.

Possibly the biggest story of 2021 — an investigation by the Guardian and 16 other media organizations, published in July — suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. Pegasus is a so-called “legal surveillance software” developed by the Israeli company NSO. The report, called the Pegasus Project, alleged that the malware was deployed widely through a variety of exploits, including several iOS zero-click zero-days.

Based on forensic analysis of numerous mobile devices, Amnesty International’s Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders and many other activists, human rights advocates, dissidents and opposition figures.

Later in July, representatives from the Israeli government visited the offices of NSO as part of an investigation into the claims. In October, India’s Supreme Court commissioned a technical committee to investigate the use of Pegasus to spy on its citizens. Apple announced, in November, that it was taking legal action against NSO Group for developing software that targets its users with “malicious malware and spyware.” Last but not least, in December, Reuters published that US State Department phones were hacked with the NSO Pegasus malware, as alerted by Apple.

Over the past few months I have received a lot of questions from concerned users worldwide on how to protect their mobile devices from Pegasus and other similar tools and malware. We are trying to address this in the current article, with the observation that no list of defence techniques can ever be exhaustive.

Additionally, as attackers change their modus operandi, protection techniques should also be adapted.

How to stay safe from Pegasus and other advanced mobile spyware

First of all, we should start by saying that Pegasus is a toolkit sold to nation states at relatively high prices. The cost of a full deployment may easily reach millions of USD. Similarly, other APT mobile malware may be deployed through zero-click 0-day exploits. These are extremely expensive — as an example, Zerodium, an exploit brokerage firm, pays up to $2.5 million for an Android zero-click infection chain with persistence.

From the start, this draws an important conclusion — nation state sponsored cyberespionage is a vastly resourceful endeavor. When a threat actor can afford to spend millions, potentially tens of millions or even hundreds of millions of USD on their offensive programs, it is very unlikely that a target will be able to avoid getting infected. To put this in simpler words, if you are targeted by such an actor, it’s not a question of “whether you can get infected,” it’s actually just a matter of time and resources before you get infected.

Now, for the good news — exploit development and offensive cyberwarfare are often more of an art rather than an exact science. Exploits need to be tuned for specific OS versions and hardware and can be easily thwarted by new OS releases, new mitigation techniques or even small things such as random events.

With that in mind, infection and targeting is also a question of cost and making things more difficult for the attackers. Although we may not always be able to prevent the successful exploitation and infection of the mobile device, we can try to make it as hard as possible for the attackers.

How do we do this in practice? Here’s a simple checklist.

How to protect from advanced spyware on iOS

Reboot daily.

According to research from Amnesty International and Citizen Lab, the Pegasus infection chain often relies on zero-click 0-days with no persistence, so regular reboot helps clean the device. If the device is rebooted daily, the attackers will have to re-infect it over and over again. In time, this increases the chances of detection; a crash might happen or artifacts could be logged that give away the stealthy nature of the infection. Actually, this is not just theory, it’s practice — we analyzed one case in which a mobile device was targeted through a zero-click exploit (likely FORCEDENTRY). The device owner rebooted their device regularly and did so in the next 24 hours following the attack. The attackers tried to target them a few more times but eventually gave up after getting kicked a few times through reboots.

Disable iMessage.

iMessage is built into iOS and is enabled by default, making it an attractive exploitation vector. Because it’s enabled by default, it is a top delivery mechanism for zero-click chains and for many years, iMessage exploits were in high demand, with top payouts at exploit brokerage companies. “During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some (of) them,” Zerodium’s founder Chaouki Bekrar wrote back in 2019 to WIRED. We realize life without iMessage may be very difficult for some (more on that later), but if Pegasus and other high-end APT mobile malware is in your threat model, this is a tradeoff worth taking.

Disable FaceTime.

Same advice as above.

Keep the mobile device up to date; install the latest iOS patches as soon as they are out.

Not everyone can afford zero-click 0-days; actually, many of the iOS exploit kits we are seeing are targeting already patched vulnerabilities. Nevertheless, many people run older phones and postpone updates for various reasons. If you want to be ahead of (at least some) nation state hackers, update as soon as possible and teach yourself not to need Emojis to install the patches.

Don’t ever click on links received in messages.

This is simple advice yet effective. Not all Pegasus customers can afford to buy zero-click 0-day chains at a cost of millions so they rely on 1-click exploits.

These arrive in the form of a message, sometimes by SMS, but can also be via other messengers or even e-mail. If you receive an interesting SMS (or by any other messenger) with a link, open it on a desktop computer, preferably using Tor Browser, or better yet using a secure non-persistent OS such as Tails.
...

