Israeli spyware maker NSO Group deployed at least three novel “zero-click” exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab.

“NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world,” the interdisciplinary laboratory based at the University of Toronto said.

NSO Group is the manufacturer of Pegasus, a sophisticated cyber weapon that’s capable of extracting sensitive information stored in a device – e.g., messages, locations, photos, and call logs, among others — in real-time. It’s typically delivered to targeted iPhones using zero-click and/or zero-day exploits.

While it has been pitched as a tool for law enforcement agencies to combat serious crimes such as child sexual abuse and terrorism, it has also been deployed illegally by authoritarian governments to spy on human rights defenders, democracy advocates, journalists, dissidents, and others.

The misuse of Pegasus prompted the U.S. government to add NSO Group to its trade blocklist in late 2021, with Apple filing a lawsuit of its own against the company for targeting its users.

In July 2022, it emerged that the spyware was used against Thai activists involved in the country’s pro-democracy protests between October 2020 and November 2021 using two zero-click exploits named KISMET and FORCEDENTRY.

Two of the targets of the latest campaign unearthed by Citizen Lab include human rights defenders from Centro PRODH, which represents victims of the Mexican Army’s extrajudicial killings and disappearances. The intrusions occurred in June 2022.

This entailed the use of three disparate exploit chains dubbed LATENTIMAGE, FINDMYPWN, and PWNYOURHOME that weaponized various flaws in iOS 15 and iOS 16 as zero-days to penetrate the devices and ultimately launch Pegasus –

  • LATENTIMAGE (iOS version 15.1.1, detected in January 2022) – An exploit that’s suspected to involve the iPhone’s Find My feature and SpringBoard
  • FINDMYPWN (iOS versions 15.5 and 15.6, detected in June 2022) – A two-phase exploit that makes use of the Find My service and iMessage
  • PWNYOURHOME (iOS version 16.0.3, detected in October 2022) – A two-phase exploit that combines the HomeKit functionality built into iPhones and iMessage to bypass BlastDoor protections

In an encouraging sign, Citizen Lab said it found evidence of Lockdown Mode stepping in to thwart an attempted PWNYOURHOME attack, warning users that it blocked unknown parties with Gmail and Yahoo! accounts from trying to “access a Home.”

The development marks the first publicly documented instance where Lockdown Mode, which is specifically designed to reduce the iPhone’s attack surface, has successfully protected an individual from a compromise.

That said, Citizen Lab pointed out that NSO Group “may have figured out a way to correct the notification issue, such as by fingerprinting Lockdown Mode.” Apple has since shipped several security improvements to HomeKit in iOS 16.3.1 and sent out notifications to targeted victims in November and December 2022, and March 2023.

The findings are the latest example of NSO’s evolving attack techniques to break into iPhones without requiring any targets to take any action to trigger the infection.

They also coincide with a new investigation from the New York Times uncovering Mexico’s use of Pegasus to target human rights defenders in recent months, detailing how the country became the first and most prolific user of the spyware.

In yet another indication of the pervasive nature of such campaigns, Jamf Threat Labs uncovered evidence of a human rights activist based in the Middle East as well as a Hungarian journalist being targeted with spyware. Their names were not disclosed.

The attack targeting the journalist’s iPhone is also significant for the fact that the device was an iPhone 6s, which is no longer compatible with the latest iOS version, indicating threat actors’ penchant for exploiting known and unknown vulnerabilities to meet their goals.

While Apple does back-port fixes for critical flaws to older devices (the current version supported by iPhone 6s is iOS 15.7.5), it’s important to note that not all vulnerabilities are addressed for legacy devices.

“As a result, threat actors can continue to exploit unpatched vulnerabilities that have been patched on newer supported devices, potentially giving attackers more time and more information to gain remote access to targeted devices,” Jamf said.

To safeguard against spyware attacks, it’s recommended to apply the latest operating system updates, upgrade outdated devices to newer iPhone or iPad models, and consider enabling Lockdown Mode.

The U.K. National Cyber Security Centre (NCSC), in an advisory released on April 19, 2023, cautioned the “proliferation of commercial cyber tools will pose a growing threat to organizations and individuals globally.”

“The commercial proliferation of cyber tools and services lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence that they would not otherwise be able to develop or acquire,” the agency said.