
Pegasus Spyware - What You Need to Know

Jan 23, 2017

Skycure
Transcript
Page 1: Pegasus Spyware - What You Need to Know

Title of Presentation DD/MM/YYYY 1

Understanding the Pegasus Cyber Espionage Tool

What you need to know about Pegasus Spyware & How to protect yourself from this and other threats

Page 2: Pegasus Spyware - What You Need to Know

Agenda

• Top 5 things to know about Pegasus

• The Story of Pegasus

• Technical details of Pegasus/Trident

• The Hacking Process & The Kill Chain

• How does Skycure protect your organization?

• Q&A

Page 3: Pegasus Spyware - What You Need to Know

Top 5 things to know about Pegasus

1. Pegasus is zero-day spyware for iOS

2. Pegasus is a low probability, but high impact threat

3. Apple’s iOS 9.3.5 update will not detect or remove Pegasus

4. Pegasus exposes ALL messages, calls, emails, data, communications, audio, video…

5. Existence of other exploits like Pegasus is very likely

Page 4: Pegasus Spyware - What You Need to Know

Colliding Trends

CYBERATTACKS

• PC → Mobile
• Spam → Targeted
• Annoying → Financial gain
• Android → iOS

MOBILE TECHNOLOGY

• Call + text + mail + everything
• Corporate → BYOD
• Convenience → Productivity
• Work hours → Always on

BEST INFILTRATION AND ESPIONAGE DEVICE EVER

Page 5: Pegasus Spyware - What You Need to Know

The Story

THE PLAYERS and WHAT HAPPENED:

NSO Group (cyber war software)

- Found vulnerabilities in iOS (didn’t report them)
- Pegasus, a zero-day “lawful intercept” spyware product for governments, exploits 3 iOS vulnerabilities to jailbreak and take over mobile devices

UAE (suspected) (nation state)

- Purchased Pegasus from NSO to spy on Ahmed Mansoor
- Sent an SMS message with a malicious URL capable of completely compromising his mobile device

Ahmed Mansoor (human rights activist)

- Smartly, did not click on the SMS link
- Contacted Citizen Lab for forensic analysis

Citizen Lab (research laboratory)

- Recognized the exploit as an NSO product
- Analyzed the exploit
- Contacted Lookout for support in the analysis
- Notified Apple of the vulnerabilities

Apple (mobile devices)

- Patched the three vulnerabilities and released the iOS 9.3.5 update
- Filed CVE reports

Page 6: Pegasus Spyware - What You Need to Know

Trident: 3 Zero-Day iOS Vulnerabilities

• CVE-2016-4657: Memory Corruption in WebKit

- A vulnerability in Safari’s WebKit allows the attacker to compromise the device when the user clicks a link

• CVE-2016-4655: Information Leak in Kernel

- A kernel base mapping vulnerability leaks information that lets the attacker calculate the kernel’s location in memory, circumventing KASLR

• CVE-2016-4656: Kernel Memory Corruption Leads to Jailbreak

- A kernel-level vulnerability that allows the attacker to corrupt memory in a function, disabling the code-signing requirement so the device can be silently jailbroken and surveillance software installed that runs as if it were part of iOS
- Allows the attacker to circumvent all security measures

Page 7: Pegasus Spyware - What You Need to Know

The Surveillance

[Diagram: the exploited Kernel sits beneath App 1, App 2, App 3 and App 4; the device talks over the Internet to Cloud Services, Corporate services and the attacker’s Command & Control Center. Defenses shown as defeated (✗) or of uncertain value (?): Data encryption, Containers, VPNs, End-to-end encryption, Secure email.]

Page 8: Pegasus Spyware - What You Need to Know

Exploits Kernel and Legitimate Apps

Legitimate apps are patched in memory, not replaced by malicious apps. App patching is not required for Pegasus to spy, but it provides context.

Page 9: Pegasus Spyware - What You Need to Know

Emphasis on Stealth

Pegasus features designed to avoid detection:

• Throttle bandwidth based on connection
• Operate certain functions when idle
• Automatically uninstall if any chance of discovery
• Automatically reverts to a legitimate website if exploit fails
• Anonymizing proxy chain to obfuscate Command and Control

“In general, we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.”

- NSO Group documentation

Page 10: Pegasus Spyware - What You Need to Know

Skycure Mobile Threat Defense

Mobile Threat Intelligence Platform: Physical, Network, Vulnerabilities, Malware

Server-Side

• Advanced security
• Management console
• Automation & integration

Security, Visibility, IT Satisfaction

End-User App

• End-user satisfaction
• Detection & protection
• No “Private APIs”

Seamless experience, Privacy, Minimal footprint

Page 11: Pegasus Spyware - What You Need to Know

The Cyber Kill Chain

CYBER KILL CHAIN

• Reconnaissance: Study the target, gather intelligence
• Weaponization: Design and build the exploit, research vulnerabilities
• Delivery: Social engineering – SMS, email, etc.
• Exploitation: Execute infiltration, exploit vulnerabilities
• Installation: Install malware
• Command & Control: The “spy” receives information and may control the device
• Actions on Objectives: Exfiltration, theft, ransom, etc.

Pegasus was stopped here

Page 12: Pegasus Spyware - What You Need to Know

How Skycure Interrupts the Kill Chain

CYBER KILL CHAIN

• Reconnaissance: Study the hacker – gather intelligence on them
• Weaponization: Protect against disclosed and undisclosed vulnerabilities
• Delivery: Protect unsuspecting users (e.g. SMS/MMS attacks like Stagefright)
• Exploitation: Static & dynamic analysis, system integrity checks
• Installation: Block installation, detonate in a safe environment
• Command & Control: Active Honeypot patent – who is the device talking to?
• Exfiltration: Block critical enterprise resources, recognize attackers when they use what they stole

Page 13: Pegasus Spyware - What You Need to Know

Skycure Detections

Page 14: Pegasus Spyware - What You Need to Know

What to do now

1. Install Skycure – it’s free

2. If Pegasus is found: TURN THE PHONE OFF

3. Contact Skycure – Email: [email protected], Phone: 1-800-650-4821

Page 15: Pegasus Spyware - What You Need to Know

The Rest of the Story

• Announcement about Pegasus after the Apple patches (August 25, 2016)

• Security companies add Pegasus detection

- Skycure already detected Pegasus (just added the name)

• NSO is not out of business (nor are others)

• Other exploits are out there – and more will come

• Can you afford to wait until the next announcement?

• There are no guarantees, but you can reduce your risk

Page 16: Pegasus Spyware - What You Need to Know

Request a free Pegasus assessment

get.skycure.com/pegasus-spyware-assessment

Q&A