Growing Zero-Click Risks and How to Defend Your Business
In the months leading up to the murder of Jamal Khashoggi, the journalist may have been monitored through the cellphones of his relatives and loved ones. According to a forensic analysis, the devices of several people close to Khashoggi, including his fiancée’s mobile phone, were targeted by a type of attack for which there are few protections: no-click malware.
Even though Khashoggi warned his colleagues to be vigilant about possible state-sponsored surveillance, their devices were still compromised by the no-click Pegasus spyware, which was developed and sold by NSO Group, an Israeli technology company.
As part of Project Pegasus, a collaborative investigation by media and human rights groups in 10 countries, Amnesty International’s Security Lab conducted a forensic analysis of the infected phones. Amnesty cybersecurity experts have discovered that in addition to Khashoggi’s network, up to 50,000 other devices worldwide have been compromised by Pegasus.
NSO Group denies any connection to the Khashoggi breach and says it only sells its surveillance software to official intelligence and law enforcement groups believed to use the spyware to fight terrorism. Nonetheless, Amnesty’s Security Lab has carefully detailed and published its methodology, which claims that Pegasus was the cyber-espionage tool of choice that several repressive governments, including Hungary, Saudi Arabia and the United Arab Emirates, have used to spy on journalists, activists, politicians and others.
Pegasus isn’t the only clickless attack security experts have discovered or demonstrated to warn the public of the risk, and its attack methodologies could extend beyond state-sponsored espionage. .
Here’s what you need to know about no-click attacks and how to protect your business.
What are zero-click attacks and how do they work?
A no-click attack compromises a device without requiring any end-user interaction. Most cyberattacks, on the other hand, require end users to do something to break into a device. For example, an attacker will use social engineering techniques to trick people into downloading a malware-infested attachment or clicking a link to a compromised website.
But a clickless attack removes the human from the equation and exploits software or hardware vulnerabilities to compromise the device simply by sending malware to the device. Users do not need to click or open anything. It is enough to receive the infected message, email or any other malware infested payload to compromise the device.
No-click attacks can exploit a number of vulnerabilities, with recent attacks exploiting zero-day vulnerabilities in messaging apps. Pegasus exploits a loophole in the data verification process for Android and iPhone messaging apps. Attackers send harmless-looking text messages with embedded spyware that evade data checks. Once the messages reach users’ phones, the malicious payload infects the devices.
From there, attackers can do just about anything they want with the device. “Turn your target’s smartphone into an intelligence gold mine,” boasts a sales brochure for Pegasus that was emailed to several US law enforcement agencies. The brochure was sent by NSO Group’s North American subsidiary, WestBridge Technologies, and obtained by Vice through a public records request.
The brochure goes on to explain what Pegasus is and how it works: “Pegasus is an end-to-end cyber-intelligence software that remotely and secretly extracts all data from any smartphone. Installation is done remotely (over-the-air) with minimal or no target engagement, requires no third-party intervention from mobile carriers, and leaves no trace on the device.”
The Pegasus Toolkit can then access everything on the phone, including contact lists, call history, emails, and calendar entries. It can also perform spy-related tasks such as activating the microphone to listen to a room, taking camera snapshots, tracking targets via GPS, and even intercepting calls.
How big is the risk of no-click attacks?
“I think this type of malware/attack represents a very big opportunity for hackers and will continue to grow,” said Kate Scarcella, chief cybersecurity architect for CyberRes, Micro Focus’s cybersecurity business. “We’ve seen that once an example of malware is out there, not only does it replicate, but soon we also see 24/7 support for the malware. I think it’s only a matter of time before we see the same kind of no-click malware support.”
State-sponsored malware that spreads beyond its target isn’t just a theory, as the Stuxnet worm has proven. Jointly developed by US and Israeli intelligence, Stuxnet was designed to destroy centrifuges that were part of Iran’s nuclear development efforts. Stuxnet included features intended to limit its spread beyond Iran’s nuclear program, but the worm traveled far beyond its target, infecting computers in several other countries, including China, Germany, Kazakhstan and Russia. ‘Indonesia.
The fact that Pegasus has yet to spread to less sophisticated hacker groups is more a matter of luck than deft mitigation. In 2018, a disgruntled former NSO Group employee copied Pegasus software and attempted to sell it on the dark web. But that attempt was foiled when the prospective buyer contacted NSO Group, which then reported the former programmer to Israel’s internal security service, the Shin Bet. The employee was arrested before he could sell pirated copies of Pegasus.
Could your organization be targeted?
Although the zero-click risk for most organizations today is low, it is certainly not zero. China, Russia and Iran all have advanced cyber espionage capabilities, and each of them has targeted US government agencies, private companies and even critical infrastructure.
The United States and many of its allies, including Israel, the United Kingdom and Estonia, also have advanced cyber espionage and cyber warfare capabilities, which means that clickless tools are most likely already in the hands of a certain number of official or state agents. supported groups.
Many companies may be tempted to believe that they are not big or important enough to be targeted by a zero-click attack. In the age of cyber warfare, ransomware, and advanced persistent threats, this outdated “security through obscurity” mindset is not a plan, but a coping mechanism.
In fact, as Internet of Things (IoT) devices become increasingly widespread across a range of industries, businesses must defend against a range of new and growing risks.
According to CyberRes’ Scarcella, the IoT and all the devices that connect to businesses have expanded the threat surface in ways that were unimaginable a decade or two ago. As an example, she cited food companies, where IoT collars are placed on dairy cows to improve milk production. “We may think it’s silly to protect cows,” she said. “But we recently had a cyberattack that shut down the HP Hood Dairy in the Northeast. I couldn’t even find half and half!”
7 steps to protect your business
Although the Hood attack was not a clickless attack, it illustrates how wide the attack surface for hackers has become in the age of IoT, much like the Colonial Pipeline ransomware attack. , which prompted the Biden administration to enact emergency measures.
To protect against zero-click attacks, follow the seven steps below to help your organization limit its attack surface and mitigate zero-click and other zero-day threats.
- Make sure all your systems and software are patched and up to date.
- Adopt automation for manual and repetitive security tasks, including vulnerability assessments and patches.
- Check the developers of all your software, especially obscure apps. For example, if one of your departments wants to deploy specialized software from a niche developer, don’t cut corners on due diligence.
- Apply multi-factor authentication to access corporate resources.
- Install security guards on end devices, which “can send device telemetry data so that we can understand when the device is doing something outside of normal behavior,” CyberRes’ Scarcella advised.
- Deploy security tools that integrate AI and ML to improve your chances of detecting and thwarting zero-click and zero-day attacks. AI and ML tools can detect abnormal device behaviors, such as the exfiltration of large amounts of data, which are signs of an attack.
- Don’t be afraid to complain. Both Apple and Facebook sued NSO Group against Pegasus, moves that helped trigger the Biden administration’s blacklisting of NSO Group.