Attackers have been targeting iPhone users around the globe in ongoing Pegasus spyware attacks. They show that cyber-threat actors are targeting both new exploits and older, unupdated devices to circumvent new preventative measures from Apple, researchers have found.

One of the multiple targeted campaigns observed over the last six months involved an iPhone user in the Middle East, and another a journalist in Europe using an iPhone 6 that is not supported by the latest iOS updates, researchers at Jamf Threat Labs reported in a recent blog post. Those updates include new threat "Lockdown Mode" notifications by Apple that can help warn someone if there is unusual activity that could be related to spyware on their devices.

The attacks demonstrate how threat actors continue to evolve and grow in sophistication even as there is more awareness about spyware and prevention against these attacks, which are often used with malicious intent by governments to target dissidents or others who investigate or are unsupportive of policies or regimes, the researchers said.

"Modern spyware is very advanced and, as evidenced by the continued evolution of commercial spyware, continues to leverage zero-day vulnerabilities in both old and new devices to ensure any user can be effectively targeted," the researchers wrote in the post.

They also indicate that though the researchers were able to take a deep dive into devices involved in some of the recent attacks, there is no consistency in terms of how the individuals or organizations targeted investigate attacks after the fact. This makes it difficult to respond or prevent further attacks in a timely or comprehensive way, the researchers said.

Moreover, "not all users impacted by spyware have been contacted by Apple, illustrating the challenges with maintaining a comprehensive list of indicators of compromise (IoCs) and with extracting relevant data remotely," they wrote.

Mideast Activist Targeted

Researchers specifically detailed two separate attacks that demonstrate how no iPhone is safe from being targeted, despite Apple's bolstering of preventative measures in its most recent updates to iOS.

One attack targeted an iPhone 12 Pro Max user in the Middle East who eventually was notified by Apple of suspicious activity on the device, which showed IoCs that Pegasus — the notorious spyware from Israel's NSO Group — was running.

Subsequent analysis from Jamf Threat Labs revealed traces of the "libtouchregd" process on the device, which Amnesty International has identified as an IoC associated with Pegasus spyware, the researchers said.

The device also yielded additional IoCs via subsequent analysis of the com.apple.CrashReporter.plist file, which is located within a root folder on iOS and serves as a configuration file for the system daemon, ReportCrash, according to the researchers.

"Under normal operating conditions, applications are not granted permission to access or modify this file," the researchers wrote. "Alteration of this file could potentially impede the reporting of crash report logs to Apple. Additionally, the existence of the file is rare for normal users."

Apple sent a threat notification to the Middle East user late last year that a potential attack was occurring on the device and recommended updating it to iOS 16.2. The user subsequently engaged with security researchers to better understand the attack timeline and details, which resulted in a determination that Pegasus was used in the attack.

"These findings have allowed Jamf Threat Labs to build a more robust profile on a device with 'proven' compromise status," the researchers wrote.

Targeting an Outdated Device

Another spyware attack targeted an iPhone 6 — currently unsupported by the latest version of iOS — used by a journalist in Europe working for a global news agency, the researchers reported. The device also showed evidence of system crashes, similar to the phone in the Middle East scenario, that indicated it had been compromised.

However, even more suspiciously, investigators discovered files at an atypical location within iPhone’s strict file system, with one that was "clearly masquerading as a built-in binary," the researchers wrote.

"Based on this path and filename, we have strong reason to believe this may be a new indicator that can be used to assess if a device has been targeted," by a specific threat actor, they wrote. Though they could not conclusively identify the threat actor or the use of Pegasus, they said they notified Apple of a potential new IoC by the actor.

Moreover, an attack on an older device that's clearly unsupported by the latest Apple updates — including its enhanced threat-notification program — demonstrates the relentless nature of spyware actors, the researchers said.

"The continued targeting of older devices, such as the iPhone 6s, serves as a reminder that malicious threat actors will exploit any vulnerabilities in an organization's infrastructure, attacking wherever possible," they wrote.

Mitigations & Prevention

Given the advanced and evolving knowledge base around spyware, there are numerous ways that organizations can protect users from being attacks. The latest campaigns demonstrate the most basic mitigation tactic, which is to ensure that all devices are running the most current OS and have all available security patches applied, the researchers said.

At the same time, organizations should practice similar hygiene on the corporate network, keeping all applications — both business oriented and personal — up to date and fully patched, as "mobile application vulnerabilities are easily exploited and frequently overlooked by security teams," the researchers wrote.

Jamf also recommends running security software to monitor for suspicious activity on mobile devices and reporting it alongside all other endpoint monitoring dashboards to ensure they are treated with the same attention and urgency as desktops, laptops, and servers.

Other steps organizations can take to protect users include: monitoring communications for suspicious downloads, command-and-control (C2) indicators, and data exfiltration, and utilizing automated policy controls to block known bad activity before it can cause further damage.

High-risk users also should receive separate education about the symptoms of spyware — such as performance issues and frequent crashes — and be encouraged to use an iPhone's Lockdown Mode if necessary, the researchers said. This protects devices against these extremely rare and highly sophisticated cyberattacks.