According to Citizen Lab, its researchers, together with Lookout Security, investigated an attempt to put Ahmed Mansoor, a human rights activist from the United Arab Emirates, under surveillance. The attempt relied on two vulnerabilities in the iOS kernel and one in WebKit. On 10 and 11 August he received SMS messages inviting him to follow a link for information about prisoners being tortured in UAE prisons. Suspecting something was wrong, Mansoor instead turned to information security specialists.
The researchers used his phone as a honeypot of sorts, which let them analyze the malware aimed at Mansoor. The traces led to the NSO Group and the UAE government.
NSO Group is a company based in Israel. According to Bloomberg, it is (or was; there are reports that a buyer is being sought at a price of one billion dollars) owned by the US firm Francisco Partners Management, which specializes in venture capital. One of NSO Group's products is spyware called Pegasus, which is sold to various government organizations.
The co-founders of NSO Group are also involved in Kaymera, a company offering information security services. Its website carries a copy of a Bloomberg article about playing both sides of the cyberwar.
One known vector for installing Pegasus is SMS. The victim follows a link to a so-called "anonymizer", which forwards to an installation server that serves the exploit matching the victim's user agent.
Three vulnerabilities, collectively named Trident, were used in the attack on Mansoor. One of them allows malicious code to be run through WebKit; then, to obtain the necessary privileges, bugs in the XNU kernel code are exploited.
Excerpt from Apple's security mailing:
iOS 9.3.5 is now available and addresses the following:
Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4655: Citizen Lab and Lookout
Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Memory corruption issue.
CVE-2016-4656: Citizen Lab and Lookout
WebKit
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Memory corruption issue.
CVE-2016-4657: Citizen Lab and Lookout
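Advisory text like the excerpt above is what a defender actually has to act on: which CVEs does the fix cover, and which devices in a fleet are still below the fixed version. The following script is an added example written for this page (it is not code from the article, from Citizen Lab, Lookout or Apple). It parses the excerpt into structured entries and compares installed iOS versions against the fixed version; the advisory text is copied from the excerpt above, and the device inventory at the bottom is a constructed sample.

```python
import re
from dataclasses import dataclass

# Copied from the excerpt of Apple's iOS 9.3.5 mailing quoted above
# (the first "Impact" line is truncated in the page's quote and is left as-is).
ADVISORY = """iOS 9.3.5 is now available and addresses the following:
Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may
Description: A validation issue was addressed through improved input sanitization.
CVE-2016-4655: Citizen Lab and Lookout
Kernel
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Memory corruption issue.
CVE-2016-4656: Citizen Lab and Lookout
WebKit
Available for: iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Memory corruption issue.
CVE-2016-4657: Citizen Lab and Lookout
"""

VERSION_RE = re.compile(r"^iOS (\d+(?:\.\d+)*) is now available")
KEY_RE = re.compile(r"^(Available for|Impact|Description):\s*(.*)$")
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,}):\s*(.*)$")


@dataclass
class Entry:
    """One fixed issue from the mailing: component heading plus its fields."""
    component: str
    available_for: str = ""
    impact: str = ""
    description: str = ""
    cve: str = ""
    credit: str = ""


def parse_advisory(text):
    """Return (fixed_version, [Entry, ...]) from the plain-text mailing format."""
    fixed_version = None
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            fixed_version = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            # "Available for" -> available_for, "Impact" -> impact, etc.
            setattr(current, m.group(1).lower().replace(" ", "_"), m.group(2))
            continue
        m = CVE_RE.match(line)
        if m and current is not None:
            current.cve, current.credit = m.group(1), m.group(2)
            entries.append(current)  # the CVE line closes an entry
            current = None
            continue
        # Any other line is a component heading (Kernel, WebKit, ...) opening a new entry.
        current = Entry(component=line)
    return fixed_version, entries


def version_tuple(version):
    """'9.3.4' -> (9, 3, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, fixed_version):
    """A device is exposed if it runs anything older than the fixed version."""
    return version_tuple(installed) < version_tuple(fixed_version)


def kernel_code_exec_cves(entries):
    """CVEs in the advisory that give code execution with kernel privileges."""
    return [e.cve for e in entries
            if e.component.lower() == "kernel" and "arbitrary code" in e.impact]


def exposed_devices(inventory, fixed_version):
    """inventory: mapping of device id -> installed iOS version (e.g. from an MDM export)."""
    return sorted(dev for dev, ver in inventory.items() if is_vulnerable(ver, fixed_version))


if __name__ == "__main__":
    fixed, entries = parse_advisory(ADVISORY)
    # Constructed sample inventory; device ids and versions are made up.
    fleet = {"ipad-01": "9.3.2", "iphone-07": "9.3.5", "iphone-12": "10.0", "ipod-03": "9.2"}
    print("fixed in iOS", fixed, "covering", [e.cve for e in entries])
    print("kernel code execution:", kernel_code_exec_cves(entries))
    print("still exposed:", exposed_devices(fleet, fixed))
```

The version comparison is done on integer tuples rather than strings so that a hypothetical "10.0" is correctly treated as newer than "9.3.5"; a naive string comparison would report it as vulnerable.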
The malware can communicate with its command-and-control server over HTTPS and SMS.
According to Citizen Lab, the attack is extremely sophisticated and rare. Exploits of this kind can cost from a few hundred thousand up to a million dollars. Apple responded immediately and fixed the problem in about 10 days by releasing iOS 9.3.5.
This is not the first case of repressive regimes persecuting activists. Evidently, the companies that help them value money more than human lives. It is worth noting that exporting spyware from Israel requires a special license. So if NSO Group applied and was not refused, it seems that people are treated as worms not only in corporate offices but in government offices too.
Source: https://habr.com/ru/post/308560/