Mercenary spyware--specifically Pegasus--prompts a round of Apple patches.
Apple issues emergency patches.
On Thursday Apple issued three emergency patches for a vulnerability that could be exploited to install spyware. The patches affect macOS Ventura 13.5.2, iOS 16.6.1 and iPadOS 16.6.1, and watchOS 9.6.2. "A maliciously crafted attachment may result in arbitrary code execution," the company said in its advisories. "Apple is aware of a report that this issue may have been actively exploited." The report of active exploitation came from the University of Toronto's Citizen Lab, which found evidence that NSO Group's Pegasus spyware was being installed on vulnerable devices through a zero-click exploit the Lab calls "BLASTPASS." The attacks used PassKit attachments sent as iMessage images; these carried the malicious payload. The patches will protect users against BLASTPASS; so will enabling Apple's Lockdown Mode on the device.
"Civil society organization" targeted.
Citizen Lab found BLASTPASS on the device used by "a Washington DC-based civil society organization with international offices." Both Apple and Citizen Lab characterize this threat as "mercenary spyware," that is, spyware sold to a variety of actors, especially government security services, without having any essential political connections. The Times of Israel describes Apple's patch as intended specifically to close a vulnerability exploited by NSO's Pegasus.
The Guardian reports that NSO Group declined to comment on the report, since it is “unable to respond to any allegations that do not include any supporting research.” NSO Group has long maintained that its Pegasus product is a lawful intercept tool, sold only to governments for legitimate law enforcement use, but the Guardian has long reported misuse of Pegasus in "Mexico, Saudi Arabia, India, Rwanda and the UAE, among others."
A risk of exploit commodification.
Ken Westin, Field CISO, Panther Labs, wrote that the vulnerability may be exploited by others besides Pegasus operators, and that its use may extend beyond commercial spyware. "While this exploit initially appears to have been utilized by the NSO Group with their Pegasus spyware, the vulnerability has been identified, and differences between the software versions have been documented. This suggests that exploits targeting this vulnerability are likely to become more widespread and may extend beyond commercial spyware use," he wrote. "The initial exploit employed by the NSO Group for their Pegasus spyware may have been somewhat targeted. However, the NSO Group has not been transparent about the targets of these exploits. In many cases, they have claimed a lack of visibility regarding their use. Regrettably, this software has been used to target innocent individuals, including journalists and dissidents, by authoritarian regimes. While Pegasus exhibits some level of targeting in its usage, the primary concern now, with the patch being published, is the identification of the vulnerability. As a result, it is likely that exploits will become more widespread."