Title of Presentation DD/MM/YYYY 1
Understanding the Pegasus Cyber Espionage Tool
What you need to know about Pegasus Spyware
& How to protect yourself from this and other threats
Agenda
• Top 5 things to know about Pegasus
• The Story of Pegasus
• Technical details of Pegasus/Trident
• The Hacking Process & The Kill Chain
• How does Skycure protect your organization?
• Q&A
Top 5 things to know about Pegasus
1. Pegasus is zero-day spyware for iOS
2. Pegasus is a low probability, but high impact threat
3. Apple’s iOS 9.3.5 update will not detect or remove Pegasus
4. Pegasus exposes ALL messages, calls, emails, data, communications, audio, video…
5. Existence of other exploits like Pegasus is very likely
Colliding Trends
CYBERATTACKS: PC → Mobile; Spam → Targeted; Annoying → Financial gain; Android → iOS
MOBILE TECHNOLOGY: Call + text + mail + everything; Corporate → BYOD; Convenience → Productivity; Work hours → Always on
Result: the BEST INFILTRATION AND ESPIONAGE DEVICE EVER
The Story
THE PLAYERS and WHAT HAPPENED:
NSO Group (cyber war software)
• Found vulnerabilities in iOS (didn’t report)
• Pegasus, a zero-day “lawful intercept” spyware product for governments, exploits 3 iOS vulnerabilities to jailbreak and take over mobile devices
UAE (suspected; nation state)
• Purchased Pegasus from NSO to spy on Ahmed Mansoor
• Sent an SMS message with a malicious URL capable of completely compromising his mobile device
Ahmed Mansoor (human rights activist)
• Smartly, did not click on the SMS link
• Contacted Citizen Lab for forensic analysis
Citizen Lab (research laboratory)
• Recognized the exploit as an NSO product
• Analyzed the exploit
• Contacted Lookout for support in the analysis
• Notified Apple of the vulnerabilities
Apple (mobile devices)
• Patched the three vulnerabilities and released the iOS 9.3.5 update
• Filed CVE reports
Trident: 3 Zero-Day iOS Vulnerabilities
• CVE-2016-4657: Memory Corruption in WebKit
- Vulnerability in Safari WebKit allows the attacker to compromise the device when the user clicks a link
• CVE-2016-4655: Information Leak in Kernel
- Kernel base mapping vulnerability that leaks information to the attacker, allowing them to calculate the kernel’s location in memory - circumvents KASLR
• CVE-2016-4656: Kernel Memory Corruption Leads to Jailbreak
- Kernel-level vulnerability that allows the attacker to corrupt memory in a function, disabling the code signing requirement to silently jailbreak the device and install surveillance software that runs as if it were part of iOS
- Allows the attacker to circumvent all security measures
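The practical defensive consequence of the Trident slide is an inventory question: which managed devices are still below iOS 9.3.5, the release that shipped the fixes for the three CVEs above. The script below is an added example, not part of the deck and not Skycure’s code; it assumes an MDM export of (device id, OS version) pairs, and every device id and version string in SAMPLE_INVENTORY is constructed. Versions are compared as integer tuples rather than strings, so “9.10” correctly ranks above “9.3.5”, and version strings that are not a plain dotted number are reported as unknown instead of being silently treated as patched.

```python
"""Flag devices that have not received the iOS 9.3.5 Trident patch.

Added example (not from the original deck, not Skycure's code). Assumes a
device inventory exported from an MDM as (device_id, os_version) pairs.
"""
import re
from typing import Optional

# Apple shipped fixes for these three CVEs in iOS 9.3.5 (stated on the slide above).
TRIDENT_CVES = ("CVE-2016-4657", "CVE-2016-4655", "CVE-2016-4656")
TRIDENT_PATCHED = (9, 3, 5)

# Accepts "9", "9.3" or "9.3.5"; anything else (beta labels, garbage) is rejected.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[tuple]:
    """Turn '9.3.5', '9.3' or '10' into a comparable (major, minor, patch) tuple.

    Returns None for strings that are not a plain dotted version so callers can
    treat them as unknown rather than silently patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def trident_status(version_text: str) -> str:
    """'patched', 'vulnerable' or 'unknown' for one iOS version string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "patched" if v >= TRIDENT_PATCHED else "vulnerable"


def audit(inventory):
    """Return {status: [device_id, ...]} for a list of (device_id, os_version) pairs."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, os_version in inventory:
        out[trident_status(os_version)].append(device_id)
    return out


# Constructed sample inventory: device ids and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("ipad-001", "9.3.5"),
    ("iphone-002", "9.3.4"),
    ("iphone-003", "10.0.1"),
    ("iphone-004", "9.3"),
    ("iphone-005", "9.10"),       # a plain string compare would wrongly rank this below 9.3.5
    ("iphone-006", "9.3.5 beta"),  # not a plain dotted version: reported as unknown
]

if __name__ == "__main__":
    print("Trident CVEs:", ", ".join(TRIDENT_CVES))
    for status, ids in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {ids}")
```

Devices in the vulnerable and unknown buckets are the ones to chase; the unknown bucket matters because a lenient check that accepted any string would hide exactly the devices whose state you cannot vouch for.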
The Surveillance
[Diagram: the kernel sits beneath App 1, App 2, App 3 and App 4; the device’s traffic to the Internet, cloud services and corporate services is relayed to the Command & Control Center. Defensive controls shown on the slide: data encryption, containers, VPNs, end-to-end encryption, secure email. Each is marked ✗ (bypassed once the kernel is compromised), with a ? against one of them.]
Exploits Kernel and Legitimate Apps
Legitimate apps are patched in memory, not replaced by malicious apps.
App patching is not required for Pegasus to spy, but it provides context.
Emphasis on Stealth
Pegasus features designed to avoid detection
• Throttle bandwidth based on connection
• Operate certain functions when idle
• Automatically uninstall if any chance of discovery
• Automatically reverts to a legitimate website if exploit fails
• Anonymizing proxy chain to obfuscate Command and Control
“In general, we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.”
- NSO Group documentation
Skycure Mobile Threat Defense
Mobile Threat Intelligence Platform
Threat categories covered: Physical, Network, Vulnerabilities, Malware
Server-Side
• Advanced security
• Management console
• Automation & integration
Security / Visibility / IT Satisfaction
End-User App
• End-user satisfaction
• Detection & protection
• No “Private APIs”
Seamless experience / Privacy / Minimal footprint
The Cyber Kill Chain
• Reconnaissance – Study the target, gather intelligence
• Weaponization – Design and build the exploit, research vulnerabilities
• Delivery – Social engineering (SMS, email, etc.)
• Exploitation – Execute infiltration, exploit vulnerabilities
• Installation – Install malware
• Command & Control – The “spy” receives information and may control the device
• Actions on Objectives – Exfiltration, theft, ransom, etc.
✗ Pegasus was stopped here
How Skycure Interrupts the Kill Chain
• Reconnaissance – Study the hacker, gather intelligence on them
• Weaponization – Protect against disclosed and undisclosed vulnerabilities
• Delivery – Protect unsuspecting users (e.g. SMS/MMS like Stagefright)
• Exploitation – Static & dynamic analysis, system integrity checks
• Installation – Block installation, detonate in a safe environment
• Command & Control – Active Honeypot patent; who is the device talking to?
• Exfiltration – Block critical enterprise resources, recognize attackers when they use what they stole
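The Command & Control row above boils down to one question, “who is the device talking to?”, and the answer is usually in connection logs. The script below is an added example of that check, not part of the deck and not Skycure’s product or patent: it reads a constructed per-device connection log, ignores destinations on an enterprise allowlist, and flags any (device, destination) pair that is contacted at near-regular intervals, which is the signature of a timer-driven beacon rather than a human. The log format, the allowlist and every host name and address are assumptions made up for the example.

```python
"""Spot candidate command-and-control beaconing in per-device connection logs.

Added example (not from the original deck, not Skycure's code). The log format,
allowlist, device ids, host names and addresses below are all constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one connection per line:
# "<ISO timestamp> <device id> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2016-08-25T09:00:00 iphone-002 mail.example-corp.test 4120
2016-08-25T09:00:07 iphone-002 203.0.113.10 512
2016-08-25T09:05:07 iphone-002 203.0.113.10 498
2016-08-25T09:10:07 iphone-002 203.0.113.10 530
2016-08-25T09:15:08 iphone-002 203.0.113.10 505
2016-08-25T09:20:07 iphone-002 203.0.113.10 511
2016-08-25T09:03:41 iphone-003 cdn.example-corp.test 91000
2016-08-25T09:11:02 iphone-003 cdn.example-corp.test 2300
2016-08-25T09:40:19 iphone-003 cdn.example-corp.test 77200
2016-08-25T09:04:00 iphone-002 news.example.test 13000
"""

# Destinations the enterprise expects its devices to talk to (constructed).
ALLOWLIST = {"mail.example-corp.test", "cdn.example-corp.test"}


def parse_log(text):
    """Parse the sample format into (timestamp, device, host, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), device, host, int(nbytes)))
    return rows


def find_beacons(rows, min_hits=4, max_cv=0.1):
    """Return {(device, host): mean_gap_seconds} for non-allowlisted destinations
    that a device contacts at near-regular intervals.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a low cv means a timer is driving the traffic.
    Pairs with fewer than min_hits connections are skipped to avoid flagging
    one-off visits.
    """
    by_pair = defaultdict(list)
    for ts, device, host, _ in rows:
        if host not in ALLOWLIST:
            by_pair[(device, host)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[pair] = round(mean, 1)
    return hits


if __name__ == "__main__":
    for (device, host), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{device} -> {host}: connects roughly every {gap} s")
```

Two caveats follow directly from the stealth slide earlier in the deck: an implant that throttles bandwidth and only operates when the device is idle will not produce a neat five-minute cadence, so treat this as one signal among several rather than a verdict; and because Pegasus routes through an anonymizing proxy chain, the host you flag is a relay, not the operator, so the useful output is the device to investigate, not the address to attribute.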
Skycure Detections
What to do now
1. Install Skycure – it’s free
2. If Pegasus is found: TURN THE PHONE OFF
3. Contact Skycure
Email: [email protected]
1-800-650-4821
The Rest of the Story
• Announcement about Pegasus after the Apple patches (August 25, 2016)
• Security companies add Pegasus detection
- Skycure already detected Pegasus (just added the name)
• NSO is not out of business (nor are others)
• Other exploits are out there – and more will come
• Can you afford to wait until the next announcement?
• There are no guarantees, but you can reduce your risk
Request a free Pegasus assessment
get.skycure.com/pegasus-spyware-assessment
Q&A