https://www.computerworld.com

Security researchers uncover NSO Group iPhone attacks in Europe

news analysis

Apr 20, 2023, 4 mins

Apple, Mobile, Security

Researchers at Jamf Threat Labs have identified additional attacks against iPhones used by human rights activists and journalists in the Middle East and Europe, including one working for a global news agency.

Earlier this week, we saw research showing the noxious NSO Group continues to spy on people’s iPhones in Mexico. Now, Jamf Threat Labs has found additional attacks against human rights activists and journalists in the Middle East and Europe, one of whom worked for a global news agency.

Older iPhones at most risk

The main thrust of the latest research is that while Apple has taken steps to protect devices running the most recent versions of iOS, these attacks are still being made against older iPhones. Jamf warns that the attacks “prove malicious threat actors will exploit any vulnerabilities in an organization’s infrastructure they can get their hands on.”

The researchers echo earlier warnings that variations in the manner of these attacks show that new exploits are being developed, and while security patches will protect some systems, not all of them are so protected. They also confirm that while Apple is monitoring for such compromises, it is not necessarily aware of every attack — so high-risk individuals must really develop their own security awareness.

How to handle an attack

What’s noteworthy is what people do when they are attacked. Most security experts prefer to explore what has happened before simply wiping or destroying subverted devices; that investigation sometimes gives insight into the attackers.

Attackers will know they’ve been caught if a device goes dark, and sometimes skilled security forensics teams can get good data from these devices. (This is the kind of information security researchers are publishing at present.)

“Inconsistent investigations and data collection hinders timely and comprehensive research on emerging attack,” the researchers warn.

That attacks have been surfaced by two different sets of security researchers inside a week shows that the invasive, insidious mercenary attacks continue to take place, to the detriment of democratic debate. And while these attacks are expensive to operate today, as with anything in tech, they will become cheaper to run and will proliferate across the dark web, putting all users at risk, particularly those with older devices.

How to protect against these attacks

With that in mind, enterprises and high-risk individuals should take steps to protect themselves. One critical move, of course, is to use systems that still regularly receive software and security patches and to refrain from using older handsets that no longer do.

IT should also ensure any software, personal or professional, installed on devices is updated in a timely fashion, including on both personal and managed devices.

But against such sophisticated zero-day attacks, these protections aren’t enough, which is why Jamf Threat Labs shares additional advice to help improve the defense perimeter:

  • Educate high-risk users so they can identify the symptoms of an attack. Such symptoms include performance degradation and more frequent crashes than users are accustomed to.
  • Run security software to monitor for suspicious activity. This includes virus checkers and sophisticated endpoint detection/protection systems for mobile devices.
  • Put protections in place to monitor communications and watch for suspicious downloads. There are emerging telemetry-based solutions that help monitor such activity on devices.
  • For managed devices, IT should use automated policy controls to block bad activity.
  • Use Lockdown Mode. While doing so does impact some of the things that can be done with an Apple device, the trade-off is that in this mode systems are far less likely to fall to an attack.

As global political instability increases, it’s to be expected that security and security protection will become increasingly important to every enterprise user and technology firm in the months to come.

Security is a human right

The fact that in one week both Citizen Lab and Jamf surfaced fresh cases of such attacks is likely to be grist to the mill for Apple’s own security teams, who no doubt are already working to put even more robust protections in place across the ecosystem.

Earlier this week, an Apple spokesperson said: “Our security teams around the world will continue to work tirelessly to advance Lockdown Mode and strengthen the security and privacy protections in iOS.”

When Apple sued NSO Group, the company providing many of these attacks, Ivan Krstić, head of Apple security engineering and architecture, promised, “Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

With this in mind, I’d be very unsurprised to see security becoming one of the important developer topics at WWDC 2023.


Hello, and thanks for dropping in. I'm pleased to meet you. I'm Jonny Evans, and I've been writing (mainly about Apple) since 1999. These days I write my daily AppleHolic blog at Computerworld.com, where I explore Apple's growing identity in the enterprise. You can also keep up with my work at AppleMust, and follow me on Mastodon, LinkedIn and (maybe) Twitter.