20 Matching Annotations
  1. Jul 2021
    1. Initially, many iMessage (com.apple.madrid) push notifications were received, and attachment chunks were written to disk
    2. multiple successful zero-click infections in May and June 2021. We can see one example of this on 17 May 2021. An unfamiliar iMessage account is recorded and in the following minutes at least 20 iMessage attachment chunks are created on disk.

      Adding an email to the contact list to trigger the user-discovery routine as a trigger for the infection.

    3. While we have not been able to extract records from Cache.db databases due to the inability to jailbreak these two devices, additional diagnostic data extracted from these iPhones show numerous iMessage push notifications immediately preceding the execution of Pegasus processes

      Malware pushed using a legitimate app's push message. First attack of its kind.

    4. HTTP request performed by the com.apple.coretelephony process. This is a component of iOS involved in all telephony-related tasks and likely among those exploited in this attack
    5. Pegasus is currently being delivered through zero-click exploits which remain functional through the latest available version of iOS at the time of writing (July 2021).
    6. if Apple Music was itself exploited to deliver the initial infection or if instead, the app was abused as part of a sandbox escape and privilege escalation chain
    7. In many cases the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator
    8. In many cases we discovered suspected Pegasus processes executed on devices immediately following suspicious iMessage account lookups
    9. iOS keeps a record of Apple IDs seen by each installed application in a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist. This file is also typically available in a regular iTunes backup, so it can be easily extracted without the need of a jailbreak.
    10. However, while it is only effective on domestic networks, the targeting of foreign targets or of individuals in diaspora communities also changed

      Possibly the malware synced in through rogue iCloud accounts which were surreptitiously added to the target device, or through a trigger based on iMessage sync for a canary email address.

    11. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators

      Leverage with mobile operators can be used for redirection attacks: if the mobile number equals this one, then when the user requests this URL, redirect him to that URL.

    12. The discovery of network injection attacks in Morocco signalled that the attackers’ tactics were indeed changing
    13. iCloud accounts seem to be central to the delivery of multiple “zero-click” attack vectors in many recent cases of compromised devices analysed by Amnesty International
    14. apps themselves may have been exploited or their functionality misused to deliver a more traditional JavaScript or browser exploit to the device
    15. iOS Photos app or the Photostream service were used as part of an exploit chain to deploy Pegasus.
    16. vulnerability in the iOS JavaScriptCore Binary (jsc) to achieve code execution on the device.
    17. additional staging domains are used as trampolines eventually leading to the infection servers
    18. When previewing a link shared in his timeline, the service com.apple.SafariViewService was invoked to load a Safari WebView,

      [Closest match on the db] Drive-by Compromise https://attack.mitre.org/techniques/T1456/

    19. SMS messages with Pegasus exploit

      MITRE Mobile ATT&CK Void

    20. These also include so-called “zero-click” attacks which do not require any interaction from the target.

      MITRE Mobile ATT&CK Void
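The checks described in annotations 2, 7 and 9 (an unfamiliar iMessage account lookup followed within minutes by a burst of attachment chunks on disk, and the same account recurring across several targeted devices) can be scripted against the com.apple.identityservices.idstatuscache.plist file pulled from an iTunes backup. The following is an added example written for this page, not tooling from the Amnesty report or the annotator. It assumes a plist layout of app bundle ID, then lookup URI (mailto: or tel:), then a dict holding LookupDate and IDStatus; that layout, the attachment directory name, the KNOWN_CONTACTS allowlist and all sample data are constructed for the example and should be checked against a real backup before use.

```python
import plistlib
from collections import defaultdict
from datetime import datetime, timedelta

# Layout assumed for com.apple.identityservices.idstatuscache.plist:
#   { app bundle ID: { lookup URI: {"LookupDate": datetime, "IDStatus": int} } }
# This is an assumption made for the example, not a layout taken from the report.
# All data below is constructed sample data, not data from a real device.
DEVICE_A_PLIST = plistlib.dumps({
    "com.apple.madrid": {
        "mailto:friend@example.com": {"LookupDate": datetime(2021, 5, 10, 9, 12, 0), "IDStatus": 1},
        "tel:+15555550100": {"LookupDate": datetime(2021, 5, 12, 18, 40, 0), "IDStatus": 1},
        "mailto:unknown.sender@example.net": {"LookupDate": datetime(2021, 5, 17, 11, 3, 0), "IDStatus": 1},
    },
    "com.apple.mobilephone": {
        "tel:+15555550100": {"LookupDate": datetime(2021, 5, 12, 18, 41, 0), "IDStatus": 1},
    },
})
DEVICE_B_PLIST = plistlib.dumps({
    "com.apple.madrid": {
        "mailto:unknown.sender@example.net": {"LookupDate": datetime(2021, 6, 2, 16, 20, 0), "IDStatus": 1},
        "mailto:colleague@example.org": {"LookupDate": datetime(2021, 6, 3, 8, 0, 0), "IDStatus": 1},
    },
})

# Constructed (path, creation time) list standing in for attachment files listed from a
# backup: 20 chunks written within minutes of the unknown lookup on device A.
# The directory name is made up for the example.
DEVICE_A_ATTACHMENTS = [
    ("Library/SMS/Attachments/ab/11/chunk%02d" % i,
     datetime(2021, 5, 17, 11, 5, 0) + timedelta(seconds=20 * i))
    for i in range(20)
]

# Assumed allowlist: URIs the device owner confirms as their own contacts.
KNOWN_CONTACTS = {"mailto:friend@example.com", "tel:+15555550100", "mailto:colleague@example.org"}

IMESSAGE_APP = "com.apple.madrid"


def load_lookups(plist_bytes):
    """Flatten the cache into (timestamp, app, uri, status) tuples sorted by time."""
    data = plistlib.loads(plist_bytes)
    rows = []
    for app, entries in data.items():
        if not isinstance(entries, dict):
            continue
        for uri, info in entries.items():
            if not isinstance(info, dict) or "LookupDate" not in info:
                continue
            rows.append((info["LookupDate"], app, uri, info.get("IDStatus")))
    return sorted(rows)


def unknown_lookups(rows, known_contacts):
    """Lookups of accounts the owner does not recognise (annotation 2's 'unfamiliar account')."""
    return [row for row in rows if row[2] not in known_contacts]


def attachment_bursts(rows, attachments, known_contacts,
                      window=timedelta(minutes=10), min_chunks=20):
    """Unknown iMessage lookups followed within `window` by at least `min_chunks` attachment files.

    Returns (lookup time, uri, chunk count) for each hit.
    """
    hits = []
    for ts, app, uri, _status in unknown_lookups(rows, known_contacts):
        if app != IMESSAGE_APP:
            continue
        count = sum(1 for _path, created in attachments if ts <= created <= ts + window)
        if count >= min_chunks:
            hits.append((ts, uri, count))
    return hits


def recurring_accounts(device_rows):
    """URIs looked up on more than one device (annotation 7's same-operator indicator).

    `device_rows` maps a device label to the rows from load_lookups().
    """
    seen = defaultdict(set)
    for device, rows in device_rows.items():
        for _ts, _app, uri, _status in rows:
            seen[uri].add(device)
    return {uri: sorted(devices) for uri, devices in seen.items() if len(devices) > 1}


if __name__ == "__main__":
    rows_a = load_lookups(DEVICE_A_PLIST)
    rows_b = load_lookups(DEVICE_B_PLIST)
    for ts, app, uri, status in rows_a:
        print(ts.isoformat(), app, uri, "status=%s" % status)
    for ts, uri, count in attachment_bursts(rows_a, DEVICE_A_ATTACHMENTS, KNOWN_CONTACTS):
        print("BURST", ts.isoformat(), uri, "%d attachment chunks" % count)
    for uri, devices in recurring_accounts({"device-a": rows_a, "device-b": rows_b}).items():
        print("RECURRING", uri, "seen on", ", ".join(devices))
```

The window and chunk threshold are tunable; the values here mirror the "following minutes" and "at least 20 attachment chunks" wording of annotation 2, and a real run would feed `attachment_bursts` the creation times listed from the backup's attachment directory rather than the constructed list.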