An unknown zero-click exploit in Apple’s iMessage was used by Israeli-based NSO Group to plant either Pegasus or Candiru malware on iPhones owned by politicians, journalists and activists.
Citizen Lab, in collaboration with Catalan-based researchers, released the finding in a report on Monday that claims 65 people were targeted or infected with malware via an iPhone vulnerability called HOMAGE. It asserts the controversial Israeli firm the NSO Group and a second firm Candiru were behind the campaigns that took place between 2017 and 2020.
Candiru, aka Sourgum, is a commercial firm that allegedly sells the DevilsTongue surveillance malware to governments around the world. The Apple iMessage HOMAGE bug is a so-called zero-click vulnerability, meaning no interaction by the victims is needed to surreptitiously install malware on intended targets. Since 2019, versions of Apple’s iOS software are no longer vulnerable to HOMAGE attacks.
Catalan Politicians and Activists Targeted
“The hacking covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organizations (NGOs). Catalonia’s government and elected officials were also extensively targeted,” wrote authors of the Citizen Lab report that included John Scott-Railton, Elies Campo, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, Gözde Böcü, Salvatore Solimano and Ron Deibert.
They wrote “the highest levels of Catalan government to members of the European Parliament, legislators, and their staff and family members” were also targeted.
Regarding who directed the attacks? Researchers said it was “not conclusively attributing the operations to a specific entity,” however evidence suggests Spanish authorities were likely behind the operation. It called out Spain’s National Intelligence Center (CNI) as the likely mastermind, citing the organization’s history of surveillance and espionage scandals.
CatalanGate: Malware Specifics
The Catalan attackers infected victims through at least two exploits: zero-click exploits and malicious SMS messages. Zero-click exploits are challenging to defend against, given that they do not require victims to engage in any activity.
Citizen Lab alleges, victims were targeted with the Pegasus malware using the zero-click iOS exploit (HOMAGE) and a known malicious SMS message vulnerability, circa 20215, used by the NSO Group to spread its Pegasus malware.
Researchers wrote: “The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address.”
HOMAGE was also believed to have been used six time in 2019 and 2020. Citizen Lab said Apple devices running a version of its mobile operating system greater than 13.1.3 (released September 2019) are not vulnerable to attacks.
Other Malware/Exploits Used in Campaigns
Researchers said the KISMET zero-click exploit was also used in the attacks. In December 2020, Citizen Lab said phones of 36 journalists were infected with KISMET by four separate APTs, possibly linked to Saudi Arabia or the UAE.
The WhatsApp buffer overflow bug (CVE-2019-3568), exploited by the NSO Group in the CatalanGate attacks, had previously been reported by Citizen Lab in 2019 and was patched in May of 2019. At the time, the Financial Times reported a “private company” believed to be the NSO Group created the zero-day attack to sell to its customers.
As part of the Catalan attacks, researchers say four individuals were targeted or infected using the Candiru spyware firm’s spyware, also called Candiru. These attacks attempted to take advantage of two now patched zero-day bugs (CVE-2021-31979, CVE-2021-33771) – both Windows Kernel Elevation of Privilege Vulnerabilities – were used by Candiru. Both were discovered by Microsoft and patched in July 2021.
“We identified a total of seven emails containing the Candiru spyware, via links to the domain name stat[.]email,” researchers wrote. “Candiru’s spyware showed that Candiru was designed for extensive access to the victim device, such as extracting files and browser content, but also stealing messages saved in the encrypted Signal Messenger Desktop app.”
In August 2021, Citizen Lab reported a never-before-seen, zero-click iMessaging exploit had been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware.
Citizen Lab described the campaigns as “high volume” and examples of “unrestrained abuses” of privacy that point to a “serious absence of regulatory constraints” over the sale of spyware to government clients and others.
“It is now well established that NSO Group, Candiru, other companies like them, as well as their various ownership groups, have utterly failed to put in place even the most basic safeguards against abuse of their spyware. What we find in Spain is yet another indictment of this industry,” it wrote.