How to Protect Yourself from NSO's Pegasus Spyware
Note from the author: This write-up is meant to provide an overview of Pegasus, why you should be concerned, how Lookout can help protect you, and what actions security administrators should take. For additional information, please read our full technical report.
Latest developments: NSO financial woes may lead to human rights abuses
The NSO Group, the vendor behind Pegasus, is struggling financially, and to solve their money problems, the company is now considering selling their surveillanceware to governments with poor human rights records.
Currently, the NSO Group claims to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies, but in reality, these tools are often abused under the guise of national security to spy on business executives, human rights activists, journalists, academics, and government officials.
To fully understand the implications of new Pegasus sales, we have to know the intentions of the potential buyer. For example, if a cybersecurity company is considering purchasing Pegasus to better protect against similar threats in the future, it may be a good thing.
We should keep in mind that Pegasus deployment is heavily reliant on new zero-day vulnerabilities being discovered — something the NSO organization has poured a lot of resources into. Without the financial resources to sustain that research, it’s possible that Pegasus would become ineffective or stop working altogether as existing vulnerabilities are found and fixed.
As of right now, Pegasus is still a very dangerous spyware. In 2021, in a joint investigation into a leaked list of more than 50,000 phone numbers, 17 media organizations found a high concentration of individuals from countries known to engage in surveillance. The reporting confirmed that Pegasus has been used on business executives, human rights activists, journalists, academics, and government officials. These regions are also known to have been clients of the NSO Group.
Potential customers of the NSO Group could include authoritarian governments with poor track records of respecting civil liberties, and the sale of such sophisticated tooling to those governments may further enable abuses. Citizen Lab suspects threat actors from the United Arab Emirates were behind Pegasus attacks on the office of former UK prime minister Boris Johnson as well as the Foreign and Commonwealth Office, while other victims include U.S. diplomats working in Uganda and pro-democracy activists in Thailand.
What is Pegasus spyware?
Once considered the most advanced mobile spyware in the world, Pegasus can be deployed on both iOS and Android devices. Since its discovery, the spyware has continued to evolve. What makes Pegasus highly sophisticated is the control it gives the malicious actor over the victim’s device, the data it can extract, and its evolution into a zero-click payload.
Pegasus can extract highly accurate GPS coordinates, photos, email files and encrypted messages from apps such as WhatsApp and Signal. It can also turn on the device’s microphone to eavesdrop on private in-room conversations or phone calls and activate the camera to record video.
For years, the NSO Group has denied that Pegasus is used by malicious actors. The firm claims that it only sells Pegasus to the intelligence and enforcement community of about 40 countries and that all prospects' human rights histories are rigorously vetted. The 2018 assassination of journalist Jamal Khashoggi raised significant doubt about this because it was widely believed that the Saudi government tracked Khashoggi by compromising his mobile phone with Pegasus.
Citizens and governments alike should be concerned
This revelation of how widely Pegasus spyware is used should alarm all citizens, not just government entities. The commercialization of spyware, similar to phishing tools, puts everyone at risk. As Joseph and I discussed on the podcast, you or your employees may not be direct targets of spyware like Pegasus, but you could be caught in the crossfire or become a pivot point for the attacker to get to their target.
Mobile devices can access the same data as a PC from anywhere. This dramatically increases the attack surface and risk for organizations because mobile devices are typically used outside the security perimeter. As pointed out by Joseph, once something like Pegasus gets onto a mobile endpoint, the attacker has access to everything, whether it’s your Microsoft 365 or Google Workspace accounts. At that point, it doesn’t matter whether something is encrypted. The attacker sees what the user sees. This makes any executive or employee with access to sensitive data, technological research or infrastructure a lucrative target for cybercriminals.
While mobile OS and app developers are constantly improving the security of their products, these platforms are also becoming more complex. This means there will always be room for vulnerabilities to exploit and for spyware like Pegasus to thrive.
Mobile phishing attacks remain at the root
As much as things may change, mobile phishing remains the most effective first step for cyberattackers. Just like other mobile malware, Pegasus is typically delivered to its victims through a phishing link. The most effective delivery of phishing links is with social engineering. For example, Pegasus was brought to our attention by a journalist who was sent a link from an anonymous mobile number promising tips about a human rights story they were working on.
While Pegasus has evolved to a zero-touch delivery model — meaning the victim doesn’t need to interact with the spyware for their device to be compromised — the link hosting the spyware still has to reach the device. Considering the countless iOS and Android apps that have messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming, or even dating apps.
How these attacks work and how Lookout can help protect you
The advanced tactics used by Pegasus are similar to many other Advanced Persistent Threats (APTs). Here is how Lookout can help protect your organization in the context of these principal tactics that APTs use to carry out an attack:
1. Payload delivery
The first step for Pegasus and any APT is usually through phishing. Lookout Phishing and Content Protection (PCP) can protect your organization against each of the following scenarios that Pegasus and other APTs use:
- Scenario: Pegasus can be executed as a zero-click or one-click infection. Regardless of which tactic is used, the actual spyware software package payload is still loaded over the network.
- How Lookout protects you: Lookout continuously discovers, acquires, and analyzes newly registered domains and websites to uncover those that are purpose-built for phishing and malicious purposes. Lookout anti-phishing provides near real-time protection against zero-hour phishing attacks.
- Lookout admin action: Enable Lookout PCP across your entire mobile fleet and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.
2. Vulnerability exploitation
Spyware frequently exploits vulnerabilities at both the app and device level in order to gain access to the operating system (OS) of the device or exfiltrate data from particular parts of the system.
- Scenario: Lookout Mobile Endpoint Security (MES) detects when an app vulnerability is present on a mobile device and when the device is running an OS or Android Security Patch Level (ASPL) version with known vulnerabilities. In each case, Lookout can alert both the user and the security administrator.
- How Lookout protects you: Lookout Mobile Vulnerability Management discovers all known Common Vulnerabilities and Exposures (CVE) for both iOS and Android at the OS and app level. It will automatically flag devices in your fleet that have any vulnerabilities present.
- Lookout admin action: Configure policies requiring a minimum OS or ASPL version and the updating of vulnerable apps to the latest version.
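To make the minimum-version policy concrete, here is an added example (not Lookout's code) that evaluates a constructed fleet of device records against hypothetical minimum OS and Android Security Patch Level (ASPL) thresholds and flags the devices an administrator should chase; the thresholds, device records and field names are all assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    device_id: str
    platform: str        # "ios" or "android"
    os_version: str      # e.g. "15.6.1"
    aspl: str = ""       # Android Security Patch Level "YYYY-MM-DD"; "" = not reported

# Constructed policy thresholds (hypothetical, not Lookout's defaults)
POLICY = {
    "ios": {"min_os": "16.0"},
    "android": {"min_os": "12", "min_aspl": "2022-08-01"},
}

def parse_version(v: str) -> tuple:
    # "15.10" must rank above "15.9", so compare numeric components, not strings
    return tuple(int(p) for p in v.split("."))

def version_ok(actual: str, minimum: str) -> bool:
    a, m = parse_version(actual), parse_version(minimum)
    n = max(len(a), len(m))           # pad "16.0" to "16.0.0" before comparing
    return a + (0,) * (n - len(a)) >= m + (0,) * (n - len(m))

def evaluate(dev: Device) -> list:
    """Return the policy violations for one device (empty list = compliant)."""
    rules = POLICY[dev.platform]
    findings = []
    if not version_ok(dev.os_version, rules["min_os"]):
        findings.append(f"os {dev.os_version} < {rules['min_os']}")
    if dev.platform == "android":
        if not dev.aspl:
            findings.append("aspl missing")   # unknown patch level counts as a violation
        elif date.fromisoformat(dev.aspl) < date.fromisoformat(rules["min_aspl"]):
            findings.append(f"aspl {dev.aspl} < {rules['min_aspl']}")
    return findings

def flag_fleet(devices: list) -> dict:
    """Map device id -> violations for every non-compliant device in the fleet."""
    return {d.device_id: f for d in devices if (f := evaluate(d))}

FLEET = [  # constructed sample fleet used for the demonstration
    Device("exec-01", "ios", "16.0.2"),
    Device("exec-02", "ios", "15.10"),
    Device("eng-07", "android", "13", "2022-09-05"),
    Device("eng-09", "android", "12", "2022-06-05"),
    Device("eng-11", "android", "11"),
]
print(flag_fleet(FLEET))
```

A device with no reported patch level is deliberately treated as non-compliant rather than skipped, since an unknown ASPL is exactly the case a minimum-version policy must not silently pass.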
3. Device compromise
Pegasus and other APTs will silently jailbreak or root the victim’s device. Also, while zero-day exploits by their nature aren’t known, they leave the system in a compromised state. Lookout Mobile Endpoint Security can protect your organization’s mobile fleet from these exploits in the following ways:
- Scenario: Lookout detects the indicators of device compromise and alerts device owners. Detection is based on analyzing device telemetry data, including file system data, system behavior and parameters. Depending on the details of the spyware package, such as how it operates or where it sits on the device systems, Lookout detects the traces it may produce.
- How Lookout protects you: Lookout continuously ingests malware artifacts and telemetry from the mobile ecosystem. This feeds our machine intelligence to automatically identify malicious behavior across any device or app.
- Lookout admin action: Ensure the default Root/Jailbreak policy is activated, set the priority to high, and set the action to alert the device and block access to the internet.
4. Communication from the payload
Similar to other malware, Pegasus will communicate with a command-and-control (C2) server from which it will take orders from the malicious actor and to which it will send exfiltrated data.
- Scenario: Just like any website, C2 servers are hosted on remote systems that Lookout can identify as malicious.
- How Lookout protects you: Lookout detects when the device is attempting to connect to a C2 server and terminates the connection. This can help prevent sensitive data exfiltration and additional malware downloads.
- Lookout admin action: Enable Lookout PCP across your organization and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.
Listen in on our Endpoint Enigma podcast episode about Pegasus and spyware to hear from Microsoft Chief Security Advisor Joseph Davis on why organizations should have zero trust and mobile security as part of their security strategy.
This blog was last updated in September 2022