Citizen Lab has uncovered a significant security vulnerability that has been used as part of a zero-click iMessage exploit chain called BLASTPASS to install the Pegasus spyware on fully up-to-date iPhones running iOS 16.6. This exploit chain can compromise iPhones without any user interaction, using PassKit attachments containing malicious images sent via iMessage. The specific technical details of the vulnerabilities involved have not been disclosed due to ongoing exploitation, but it is noted that they can bypass Apple's BlastDoor sandbox framework, which is designed to prevent zero-click attacks. This discovery highlights the continued targeting of civil society by highly advanced spyware and exploits. Citizen Lab made these findings while investigating the device of an individual associated with a Washington, D.C.-based civil society organization with international connections.
Apple has released iOS 16.6.1 to patch this vulnerability, and an immediate update is recommended for all users.
Relevance
Zero-Click Malware
Recommendations
Update to iOS 16.6.1 and iPadOS 16.6.1.
How can CyberForce|Q services help you address this risk?
Partner with CyberForce|Q: our cybersecurity experts can assist with writing and implementing a patch management system for your organization. Our Incident Response team can also work with you to develop, implement, and test your incident response plan. Customized tabletop exercises are encouraged for all organizations. Our cutting-edge Security Operations Center is purpose-built to tackle the challenge of monitoring your systems 24x7x365. By leveraging our services, we can help minimize the risk associated with an IT infrastructure security risk, with measurable results.