Most attacks make would-be victims click to install malware or redirect them to a phishing page to steal their credentials.
Zero-click attacks remove this hurdle. They can compromise the targeted device despite a victim’s good security hygiene and practices. There is no need for social engineering, as the program can implant backdoors directly without forced consent.
NSO Group’s Pegasus software has been routinely in the headlines in recent years for using zero-click attacks to install its spyware. The software has exploited zero-day vulnerabilities and unpatched flaws in software, most of the time unknown by the victims and companies.
While others, like Paragon, Candiru and Cognyte Software, have also reportedly used zero-click exploits to install software, NSO Group is the best known and most frequently cited user of the tactic.
Also read: Best Patch Management Software
NSO’s Business Model Spreads
Pegasus performs zero-click hacks by exploiting security flaws in popular applications installed by default on iOS and Android, such as WhatsApp, Telegram, Skype, or iMessage.
Such vulnerabilities may remain unpatched or even unknown, but a few actors like government agencies are aware of them and know how to exploit them to spy on persons of interest, such as hackers, activists, company employees, or even government leaders and journalists.
NSO’s software provides an interface for performing such high-level cyberattacks, something like a business approach to hacking at scale. According to Bloomberg, this business model seems to be in use by at least three other Israeli companies — Paragon, Candiru, and Cognyte Software Ltd.
The U.S. has blacklisted these companies, but it seems there are plenty of marketplaces where companies can sell platforms that leverage zero-day exploits sold by various actors, typically hackers but also security researchers through huge bug bounties.
This thriving ecosystem might be difficult to stop by authorities, as nation-state actors and governments have almost unlimited resources to buy these electronic weapons.
Also read: Feds Warn About Critical Infrastructure Ransomware Attacks, Vulnerabilities
Spyware and Zero-Days: A Troubling Market
Once the zero-click attack has successfully compromised the targeted device through a simple wireless connection such as Wi-Fi, Bluetooth, GSM, or LTE, NSO can spy on all a user’s activities, including emails, phone calls and text messages. They can also track the user’s location and use the camera and microphone to literally record everything and extract information.
It can even access the chip’s firmware to gain root access on the device, a significant privilege escalation.
Researchers describe attacks where the hack happens in the background silently, or through processes that are disguised as iOS, Android, and Microsoft system services, or tricked messages that automatically disappear, making it impossible to spot for the victims.
Zero-days vulnerabilities have become a hot market, and whoever has the financial power to buy these just-discovered flaws can now access an extensive range of high-level exploits that allow hackers to bypass common protections, which can end up tragically for human rights activists in some countries, or can disclose confidential information and put companies at risk.
Also read: Top Vulnerability Management Tools
Pegasus Might Not Be as Stealthy as NSO Claims
NSO claims it provide its spyware to governments to “investigate terrorism and crime” only. But Amnesty International’s technical investigators wrote a forensic report that came to a different conclusion: “This research has uncovered widespread unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus.”
The security teams have also disputed NSO’s claim that Pegasus “leaves no traces whatsoever.” The exhaustive Amnesty International report identified a number of patterns in attacks, among them similar messages and exploit domains such as free247downloads[.]com, with a non-standard high port number and fourth-level subdomain like https://bun54l2b67.get1tn0w.free247downloads.com:30495/szev4hz.
The Amnesty International Security Lab created a special toolkit called MVT (Mobile Verification Toolkit) to inspect mobile devices and spot Pegasus. The report reveals details about the attacks, such as targeted apps and services like Apple Music, iMessage, or Apple photos.
But the most interesting part could be the discovery of failed attempts to hide evidence of compromise. Amnesty found that Pegasus “started to manipulate system databases and records on infected devices to hide its traces and impede the research efforts of Amnesty International and other investigators.”
Amnesty revealed some inconsistencies such as incomplete data erases that could be used as a significant indicator for forensic analysis. But even if Pegasus disguised malicious processes as legitimate iOS system services, it can be another indicator of compromise. The list is available on GitHub.
The international human rights group has been following NSO campaigns for years, collecting information to discover the sophisticated Pegasus attack infrastructure. The group even created a versioning system, for example “Version 4,” to describe the evolution of the spyware.
How to Protect Against Zero-Click Threats
Zero-click attacks are a tool of the most sophisticated hackers and thus hard to prevent, but forensic teams and professionals should resist the temptation of security nihilism.
While security hygiene and employee training are no longer sufficient, companies can improve their preparation, starting with the acceptance that breaches and attacks are a possibility, if not an inevitability.
Standard approaches such as endpoint protection, aggressive patch management, and zero-trust architectures are effective ways to mitigate zero-click threats.
Additionally, AI and machine learning-based behavioral detection can spot anomalous activity and vectors, which is precisely what Pegasus and similar spyware would use. Such technology, often called user and entity behavior analytics (UEBA), is offered as a standalone product, but has also increasingly been showing up as a feature in more traditional security products like EDR and SIEM. It’s something no enterprise can afford to be without.
For some companies, bug bounties can also be a good investment for catching sneaky vulnerabilities before they get sold on the dark web. The only caveat is that such a program might attract mercenaries too and increase the bids, but it’s still a valuable strategy when risk is high.
Pegasus has shown that there’s an economic model for such a business, so companies that manipulate sensitive data or operate in risky environments should invest in prevention, perhaps stop using iOS or Android devices, and buy specific equipment when necessary.
Read next: Top Endpoint Detection & Response (EDR) Solutions