Despite the recent US government executive order, issued by the Biden administration, restricting the use of commercial spyware, entities across the world are still employing it for targeted surveillance and espionage. A recent DarkReading article notes that "Campaigns that wielded NSO Group's Pegasus against high-risk users over a six-month period continue to demonstrate growing sophistication and the relentless nature of spyware actors." The article references work by Jamf Threat Labs, which investigated multiple mobile devices belonging to different individuals and organisations and found unique indicators of compromise (IOCs) and evidence of active spyware campaigns.

In a similar vein, in early April 2023, researchers at the Citizen Lab at the University of Toronto's Munk School reported that new spyware made by an Israeli company called QuaDream had infected victims' phones via iCloud calendar invitations sent by the spyware's operators, who are likely to be government clients. Victims were not notified of the calendar invitations because they were sent for events dated in the past, so they never appeared to the targets. Such attacks are known as "zero-click" because the phone's user does not have to open a malicious link or take any other action in order to be infected.

The infamous Pegasus has not gone away either. Its parent company, NSO Group, is back with at least three new zero-click exploit chains targeting iOS 15 and iOS 16, which were used against human rights activists in Mexico and elsewhere in 2022, as reported by Citizen Lab on 18 April 2023.

Whilst few organisations and individuals will be subject to such targeted spyware attacks, CyberSolace recommends that customers and readers who consider this risk relevant to them, such as those in the legal and NGO sectors, adopt some basic hygiene practices to reduce their exposure.

Recommendations For Risk Mitigation

  • Ensure all devices are running the most current operating system release and have all available security patches applied; the exploit chains described above target specific iOS versions, so an unpatched device is the easiest target.
  • Keep all applications, both business and personal, up to date and fully patched; mobile application vulnerabilities are easily exploited and frequently overlooked by security teams.
  • Run security software that monitors for suspicious activity and reports into the same dashboards as all other endpoint monitoring, so that mobile devices are treated with the same attention and urgency as desktops, laptops and servers.
  • Monitor device communications for suspicious downloads, command-and-control indicators and data exfiltration; use automated policy controls to block known-bad activity before it can cause further damage.
  • Educate high-risk users about possible symptoms of spyware, such as performance issues and frequent crashes, while making clear that a zero-click infection may produce no visible symptoms at all. Encourage them to contact their security team as soon as they notice anything unusual, and not to wipe or reset the device, so that forensic artefacts and IOCs can be recovered from it.
  • Encourage high-risk users to enable Lockdown Mode (available on Apple devices from iOS 16), which is designed to protect devices against extremely rare and highly sophisticated attacks at the cost of some functionality.
  • Implement a security monitoring process that includes analysis of mobile telemetry, and keep the IOC set used for that analysis current with published indicators of mobile spyware.
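The last three recommendations (monitoring communications, preserving device evidence, and matching telemetry against a current IOC set) come together in a small indicator-matching routine. The script below is an added illustration written for this page, not CyberSolace's or Jamf's tooling. It loads an IOC feed of domains and IP ranges, then scans DNS and network-flow records exported from mobile devices and reports which device contacted which indicator. Every domain, IP address, device name and log line in it is constructed for the example; none is a real spyware indicator. It also shows a detail that trips up naive matchers: domain IOCs must be matched on whole DNS labels, so that `cdn.update-cdn-example.net` is a hit for `update-cdn-example.net` but `notupdate-cdn-example.net` is not.

```python
"""Toy IOC matcher for mobile network telemetry (constructed example, not real IOCs)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed IOC feed: placeholder domain and CIDR, NOT real spyware infrastructure.
IOC_FEED = """\
# one indicator per line; '#' starts a comment
update-cdn-example.net
198.51.100.0/24
"""

# Constructed telemetry export: one record per line, key=value fields after the device name.
SAMPLE_LOG = """\
2023-04-18T09:58:01Z device=ipad-ngo-02 type=dns query=www.cloudfront-example.com
2023-04-18T10:12:03Z device=iphone-legal-07 type=dns query=cdn.update-cdn-example.net.
2023-04-18T10:12:04Z device=iphone-legal-07 type=flow dst=198.51.100.23:443 bytes_out=5242880
2023-04-18T10:13:00Z device=iphone-legal-07 type=dns query=notupdate-cdn-example.net
2023-04-18T11:40:22Z device=android-press-11 type=flow dst=203.0.113.9:443 bytes_out=1024
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+device=(?P<device>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    device: str
    kind: str        # "domain" or "ip"
    observed: str    # value seen in the telemetry
    indicator: str   # IOC that matched
    line: str        # original record, kept for the analyst


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    networks: list = field(default_factory=list)

    @classmethod
    def from_lines(cls, text):
        """Parse a feed where each line is either a domain or an IPv4/IPv6 address or CIDR."""
        iocs = cls()
        for raw in text.splitlines():
            entry = raw.split("#", 1)[0].strip()
            if not entry:
                continue
            try:
                iocs.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                iocs.domains.add(entry.lower().rstrip("."))
        return iocs

    def match_domain(self, host):
        """Return the IOC domain matching host or one of its parent domains, label by label."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, addr):
        """Return the IOC network containing addr, or None."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return None
        for net in self.networks:
            if ip in net:
                return str(net)
        return None


def scan(log_text, iocs):
    """Match DNS queries and flow destinations in the telemetry against the IOC set."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        device = m.group("device")
        fields = dict(KV_RE.findall(m.group("rest")))
        if "query" in fields:
            ind = iocs.match_domain(fields["query"])
            if ind:
                hits.append(Hit(device, "domain", fields["query"], ind, line))
        if "dst" in fields:
            addr = fields["dst"].rsplit(":", 1)[0]  # assumes IPv4 host:port in this export
            ind = iocs.match_ip(addr)
            if ind:
                hits.append(Hit(device, "ip", addr, ind, line))
    return hits


def devices_to_triage(hits):
    """Sorted, de-duplicated list of devices that should be pulled for forensic collection."""
    return sorted({h.device for h in hits})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG, IocSet.from_lines(IOC_FEED))
    for h in results:
        print(f"{h.device}: {h.kind} {h.observed} matched {h.indicator}")
    print("triage:", devices_to_triage(results))
```

On the constructed data the scan reports two hits, both for `iphone-legal-07` (the DNS query for a subdomain of the IOC domain and the subsequent flow into the IOC network), and leaves the look-alike `notupdate-cdn-example.net` query alone. In practice the IOC feed would be refreshed from published spyware indicators rather than embedded, and a device on the triage list should be handed to the security team for collection before it is rebooted or reset.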