Posted on December 20, 2021 at 4:34 AM
Google warns NSO Group's techniques rival those of elite nation-state spies
NSO Group, an Israeli spyware developer, ranks among the most advanced threat actors in the world, and its stealthy mode of operation has long confounded the cybersecurity community.
Its hacking tools are aggressive and effective, targeting both Android and iOS devices. For years, researchers have watched the company expand a product line that has since been used against individuals, companies and government bodies.
NSO Group spyware misused
NSO Group's spyware has been misused around the world. As a result, the company has faced sanctions and several high-profile lawsuits, and its future is uncertain given the damage its products have caused over time.
The most recent analysis focuses on ForcedEntry, an iOS exploit used this year against a wide range of high-profile targets, including journalists, activists and dissidents. It comes with a further warning: the same capabilities pose a danger to corporations and governments.
The development and sale of this spyware shows that private companies can build hacking tools, and build them to a level of technical sophistication previously associated only with the most elite government agencies.
The analysis was carried out by Google's Project Zero bug-hunting team, working from a sample of ForcedEntry shared by researchers at Citizen Lab at the University of Toronto. Citizen Lab published extensively on the exploit in 2021, focusing on the targeted attacks carried out with it.
Researchers at Amnesty International also analysed the techniques used by the group, describing how the spyware was deployed against iOS devices to target specific individuals.
NSO Group’s malware manages to bypass restrictions
The defining feature of this exploit is that it is zero-click: the attack requires no interaction from the user. A target's device can be compromised without the victim opening a link, tapping an attachment or granting any permission.
Project Zero found that ForcedEntry used a range of techniques against Apple's iMessage, each designed to bypass the protections Apple has put in place against exactly this kind of attack.
In recent years Apple has added extra layers of protection, including the BlastDoor sandbox for iMessage introduced in iOS 14, but these did not stop the exploit from reaching devices. NSO Group has built tooling that takes over the device, bypasses these restrictions and installs Pegasus. Pegasus is the company's flagship spyware, and it has been attributed to a series of attacks.
After the exploit was detected on iOS devices, Apple issued patches in September and October to close the ForcedEntry vector and harden iMessage against similar attacks. The patches fix this specific bug rather than the class of attack, and devices that have not been updated remain exposed.
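As an added illustration, and not code from the original article or from Google, Citizen Lab or Apple: Project Zero's public writeup describes the ForcedEntry payload arriving as an iMessage attachment named with a .gif extension whose contents were actually a PDF, so that Apple's image-handling code dispatched it by content to the PDF parser, where an integer overflow in the JBIG2 decoder was triggered. A defender triaging attachments can apply the inverse of that trick, trusting the bytes rather than the name. The Python below sniffs the real file type from magic bytes, flags extension/content mismatches, and flags PDFs that declare a /JBIG2Decode stream. The file names, the magic-byte table and the sample bytes are constructed for this example; a real PDF with a JBIG2 image is far more complex than the fragment used here.

```python
import re

# Magic-byte prefixes for file types iMessage commonly carries.
# Constructed table for this example; extend as needed.
MAGIC_PREFIXES = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"8BPS", "psd"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Extension spellings normalised to the names used in MAGIC_PREFIXES.
EXT_ALIASES = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
               "png": "png", "pdf": "pdf", "psd": "psd"}

# A PDF image stream that routes through the JBIG2 decoder declares this filter.
JBIG2_FILTER = re.compile(rb"/JBIG2Decode\b")


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC_PREFIXES:
        if data.startswith(prefix):
            return kind
    return "unknown"


def claimed_type(name: str) -> str:
    """Return the type the file name claims, normalised, or '' if it has no extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXT_ALIASES.get(ext, ext)


def triage_attachment(name: str, data: bytes) -> dict:
    """Flag an attachment whose bytes disagree with its name, or whose PDF
    content pulls in the JBIG2 decoder. Unknown content is not flagged on
    its own, to keep the heuristic from firing on every odd file."""
    claimed = claimed_type(name)
    actual = sniff_type(data)
    findings = []
    if claimed and actual != "unknown" and actual != claimed:
        findings.append(f"extension says {claimed} but content is {actual}")
    if actual == "pdf" and JBIG2_FILTER.search(data):
        findings.append("PDF declares a /JBIG2Decode stream")
    return {"name": name, "claimed": claimed, "actual": actual,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample attachments (not real captures).
SAMPLES = {
    "holiday.gif": b"GIF89a" + b"\x00" * 32,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    # The ForcedEntry pattern: .gif name, PDF body, JBIG2-encoded image stream.
    "cute.gif": (b"%PDF-1.4\n"
                 b"5 0 obj << /Type /XObject /Subtype /Image "
                 b"/Filter /JBIG2Decode /Width 1 /Height 1 >>\n"
                 b"stream\n\x00\x00\x00\x00\x30\x00\x01\x00\x00\x00\x13"
                 b"endstream\nendobj\n%%EOF\n"),
}


def triage_all(samples=SAMPLES) -> list:
    """Triage every sample and return the list of result dicts."""
    return [triage_attachment(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['name']:12} claimed={r['claimed']:5} actual={r['actual']:7} {flag}")
        for f in r["findings"]:
            print("    -", f)
```

Run as a script it prints one line per sample, with only cute.gif marked suspicious. The check catches the naming trick and the presence of the decoder that the exploit abused; it does not detect the decoder bug itself, so it is a triage heuristic to prioritise attachments for deeper inspection, not a replacement for patching.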
The Project Zero researchers say their analysis shows ForcedEntry remains one of the most capable exploits in circulation, calling it “one of the most technically sophisticated exploits we’ve ever seen.”
They add that NSO Group's techniques show a level of innovation and refinement comparable to what is otherwise seen only from a small number of nation-state attackers.
The two researchers also argue that technology companies must plan for adversaries using techniques of this calibre, and that the usual stack of mitigations cannot be assumed to be sufficient on its own. “There are many within the security community who consider this type of exploitation – single-shot remote code execution – a solved problem. They believe that the sheer weight of mitigations provided by mobile devices is too high for a reliable single-shot exploit to be built. This demonstrates that not only is it possible, it’s being used in the wild reliably against people.”