
    NSO Group Exploited WhatsApp to Deploy Pegasus Spyware Despite Legal Action by Meta

    Newly unsealed legal documents have shed light on NSO Group’s persistent exploitation of WhatsApp. The Israeli spyware vendor used a succession of sophisticated exploits to deliver Pegasus, including at least one that remained in use after Meta had filed suit against the firm.

    The revelations illustrate how NSO Group repeatedly adapted its methods to bypass WhatsApp’s defenses, ensuring that Pegasus spyware could infiltrate target devices even as the messaging platform bolstered its security measures.

    Advanced Attacks Through WhatsApp

    In May 2019, WhatsApp disclosed that it had mitigated an attack which abused the app’s voice-over-IP calling feature to silently install Pegasus. The attack exploited a then-unknown zero-day, tracked as CVE-2019-3568 (CVSS score: 9.8): a buffer overflow in WhatsApp’s VoIP stack that could be triggered by a specially crafted series of SRTCP packets sent to a target’s phone number, with no need for the call to be answered.

    Fresh evidence now reveals that NSO Group devised a further attack vector, codenamed Erised, which similarly routed through WhatsApp’s relay servers to implant Pegasus. This zero-click exploit, requiring no interaction from the victim, remained in use until at least May 2020, well after Meta’s October 2019 lawsuit against NSO Group.

    Erised was one of a series of malware vectors, collectively referred to as Hummingbird, that NSO Group built against WhatsApp. The others were codenamed Heaven and Eden; Eden is the filings’ name for the May 2019 exploit of CVE-2019-3568, which WhatsApp said was used against approximately 1,400 devices worldwide.

    Breaching Security Through Reverse Engineering

    According to the legal filings, NSO Group admitted to reverse-engineering WhatsApp’s code to craft its exploits. It built a bespoke “WhatsApp Installation Server” (WIS) to send malformed messages that a legitimate WhatsApp client would be incapable of transmitting; those messages triggered vulnerabilities in the target’s client to covertly install Pegasus, in violation of WhatsApp’s Terms of Service and of state and federal law.
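    The two points above, a parser that trusts what the sender declares (the bug class behind CVE-2019-3568) and a custom server that sends messages no legitimate client would produce, are illustrated by the added example below. It is not WhatsApp’s code and nothing in it comes from the court filings: the wire format, the PAYLOAD_MAX constant, the function names and the sample datagrams are all constructed for this example. The vulnerable function copies as many bytes as the packet claims; the hardened one bounds every attacker-controlled length against both the destination and the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (NOT WhatsApp's real protocol):
 *   byte 0  : packet type
 *   byte 1  : declared payload length N
 *   byte 2..: N payload bytes
 * A well-behaved client never sends N > PAYLOAD_MAX; a custom attacker
 * server is bound by no such convention. */
#define PAYLOAD_MAX 64

struct call_pkt {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Vulnerable pattern: copies as many bytes as the sender declared.
 * With len up to 255 and a 64-byte destination this is a classic buffer
 * overflow. Shown for contrast only; never fed hostile input below. */
int parse_pkt_vulnerable(const uint8_t *buf, size_t buflen, struct call_pkt *out)
{
    if (buflen < 2)
        return -1;
    out->type = buf[0];
    out->len = buf[1];
    memcpy(out->payload, buf + 2, out->len);   /* no bound on out->len */
    return 0;
}

/* Hardened pattern: the declared length is checked against the capacity of
 * the destination and against the number of bytes actually received. */
int parse_pkt_hardened(const uint8_t *buf, size_t buflen, struct call_pkt *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                      /* header incomplete */
    uint8_t len = buf[1];
    if (len > PAYLOAD_MAX)
        return -2;                      /* would overflow out->payload */
    if ((size_t)len > buflen - 2)
        return -3;                      /* would over-read past the datagram */
    out->type = buf[0];
    out->len = len;
    memcpy(out->payload, buf + 2, len);
    return 0;
}

/* Constructed sample datagrams. */
const uint8_t SAMPLE_VALID[]     = { 0x01, 0x03, 0xAA, 0xBB, 0xCC }; /* 3 bytes, as declared */
const uint8_t SAMPLE_TRUNCATED[] = { 0x01, 0x0A, 0x11, 0x22, 0x33 }; /* declares 10, carries 3 */

struct call_pkt g_last;   /* result of the most recent run_hardened() call */

int run_hardened(const uint8_t *buf, size_t buflen)
{
    memset(&g_last, 0, sizeof g_last);
    return parse_pkt_hardened(buf, buflen, &g_last);
}

/* Builds a datagram whose header declares `declared_len` bytes while
 * `bytes_following` actually follow, and returns the hardened verdict.
 * This is how a malformed message from a rogue server is simulated. */
int check_declared(uint8_t declared_len, size_t bytes_following)
{
    uint8_t dgram[2 + 255];
    if (bytes_following > 255)
        return -99;
    dgram[0] = 0x01;
    dgram[1] = declared_len;
    memset(dgram + 2, 0x41, bytes_following);
    return run_hardened(dgram, 2 + bytes_following);
}

int main(void)
{
    printf("valid       -> %d\n", run_hardened(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("at capacity -> %d\n", check_declared(64, 64));
    printf("oversized   -> %d\n", check_declared(65, 65));
    printf("truncated   -> %d\n", run_hardened(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The oversized case is the one that matters for the bug class: the vulnerable parser would accept it and write past the end of `payload`, while the hardened parser rejects it before any copy. The truncated case is the mirror image, an over-read of whatever sits after the received bytes, which the check against `buflen` catches.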

    The Heaven exploit manipulated WhatsApp’s signaling servers to redirect target devices to a third-party relay server controlled by NSO. Server-side updates by WhatsApp in late 2018 blocked that technique and forced NSO to change course, leading to the Eden exploit by early 2019, which instead relied on WhatsApp’s own relay servers.

    The legal documents indicate that by May 2020, NSO Group had successfully deployed Pegasus spyware on “hundreds to tens of thousands” of devices worldwide, though the company declined to confirm whether newer exploits had been developed beyond that timeframe.

    NSO’s Role in Spyware Operations

    Contrary to claims by NSO Group that its customers manage and control Pegasus, the court filings reveal that the company orchestrates nearly every stage of the spyware’s deployment. The client’s role is reportedly limited to inputting a target’s phone number, after which NSO handles installation and data retrieval entirely.

    “The customer merely submits an order for a target device’s data, while NSO operates the infrastructure and ensures the successful deployment of Pegasus,” the documents state. This undermines NSO’s repeated assertions that Pegasus is solely a tool for combating terrorism and organized crime.

    Broader Implications and Defensive Measures

    This lawsuit underscores the escalating cat-and-mouse game between spyware vendors and platform defenders. While Apple opted to withdraw its own lawsuit against NSO in September 2024, citing the risk that the litigation would expose its threat-intelligence work, it has continued to harden its devices against such threats.

    Notable advancements include Lockdown Mode, introduced two years ago, which disables or restricts features to shrink the attack surface exposed to spyware. More recently, an inactivity reboot feature in beta versions of iOS 18.2 restarts a device that has remained locked for 72 hours. After the reboot the device is in the “Before First Unlock” state: biometric unlock is unavailable, the user must enter the passcode, and until then most user data stays encrypted under keys derived from that passcode, complicating unauthorized access by law enforcement and threat actors alike.

    This enhanced security feature, confirmed by Magnet Forensics, significantly impacts forensic processes. “The inactivity reboot timer necessitates swift imaging of devices to ensure maximum data acquisition,” the company explained. It reflects a broader industry shift towards prioritizing user privacy and security, even as threat actors continue to evolve their techniques.

    The ongoing revelations about NSO Group’s operations highlight the grave risks posed by mercenary spyware. Despite legal and technological countermeasures, the relentless evolution of such tools underscores the need for robust defenses and accountability mechanisms. The battle between privacy advocates and surveillance vendors is far from over, with significant implications for individual rights and digital security.
