September 2, 2016

min read

So, You Heard About Pegasus and Trident. Here’s What You Should Do Now

Get an in-depth walk-through of this attack in this webinar by Lookout Vice President of Security Research Mike Murray.Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we've received many clarifying questions from security professionals. In this series we're answering the top queries we've received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: What do I need to do next?

The Pegasus attack is the most sophisticated piece of mobile spyware ever seen. With just a single tap on a seemingly important text message it has the capability to cause catastrophic data loss to a targeted individual or organization, completely compromising all communications from a smartphone — messages, calls, emails, passwords, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, and others. Pegasus can even intercept data from end-to-end encrypted applications.

The relative ease and stealth with which this attack can infect a device, combined with the catastrophic data loss it causes, means that CIOs and CISOs need to be reacting to the Pegasus attack now to prevent further damage.

Here are the top five things to do:

Step 1: Update iPhones immediately to iOS 9.3.5.

Update devices to iOS 9.3.5 because this patch closes the Trident series of vulnerabilities that the Pegasus software was using to take over targeted iPhones and iPads.

Here’s a sample email that you can send to your employees to ensure they update their devices immediately.

Unfortunately, updating the device will not remove the spyware from devices that currently have Pegasus installed, nor will the update alert you if there is a previous Pegasus infection. The iOS update simply patches the holes and prevents future infections using those specific exploits, but it does not work as a detection mechanism.

Step 2: Use Lookout Mobile Endpoint Security to detect whether your high-value assets have been attacked.

Lookout Mobile Endpoint Security can detect the presence of Pegasus and alert your IT team of existing infections as well as any new infections.

Pegasus is a low-probability, but extremely high-severity threat. Given its cost and sophistication, attackers will likely only use it to target “high-value” individuals within your organization such as your CEO, CEO, CFO, financial team, HR team, executive admins, and others. You should prioritize checking the devices of these individuals.

If one of your employees has been attacked, turn off the device and get it to your Information Security team.

Step 3. Do not back up an infected device.

Though it may be tempting to save all of the data, apps, and photos on the device, backing up the phone is a dangerous idea because it can trigger Pegasus’ self-destruct mechanisms.

Pegasus can also self destruct if it believes it has been discovered and automatically wipe the device.

While backing up and wiping a device might seem like a good solution, if it triggers Pegasus’ self-destruct mechanism, your organization will not be able to conduct a forensic investigation to understand the scope, timing, and implications of the breach that already occurred. This kind of data is crucial for the enterprise to know what steps to take next.

Note: Backing up the device will also only preserve this infected state, so trying to reinstate the data to a new device will simply end up with a newly infected device. Not good.

Step 4. Realize that wiping an infected device won’t fix the problem

If you have a Pegasus infection, the device is not your biggest problem. Focus on discovering and remediating the significant data loss that has occurred up until the point of detection.

Just like backing up the device, wiping a device might also trigger Pegasus’ self-destruct mechanism. This means you will not be able to conduct a forensic investigation to understand the scope, timing, and implications of the breach that already occurred. This kind of data is crucial for the enterprise to know what steps to take next.

Step 5. Watch Lookout’s webinar on the attack

Lookout’s Vice President of Security Research Mike Murray will walk you through the attack and answer key questions from our recorded webinar, available on-demand here.

Get even more information on our official Pegasus and Trident page.

Think your device has been impacted by Pegasus? Contact us.