Researchers have discovered another zero-click, zero-day exploit that targeted iPhone users. This spyware was provided by QuaDream, an Israeli company, and came to light shortly after President Biden issued an executive order aimed at preventing the US government from acquiring commercial spyware that undermines democracies.
Making you less safe
Microsoft and Citizen Lab security researchers have uncovered QuaDream's attacks. While QuaDream is a less well-known entity than NSO Group, it has similar roots, with former NSO Group employees among its founders and ties to Israeli intelligence. Although its attacks were initially uncovered last year, researchers have since gained more insight into the workings of this group of digital mercenaries.
QuaDream sold a surveillance platform known as Reign to governments, ostensibly for law enforcement purposes. This platform provided malware, exploits, and infrastructure to extract data from compromised devices, including iPhones running iOS 14.
In 2021, Apple was alerted to these exploits and promptly notified individuals who had been targeted by QuaDream's spyware. Additionally, Apple bolstered its security measures to prevent further attacks.
According to the researchers, QuaDream has now shifted its focus entirely to iOS attacks.
Sicilian defense
A new piece of malware, named KingsPawn, has been discovered; it is delivered by a zero-click exploit called EndOfDays. The exploit uses invisible iCloud calendar invites to infect devices and requires no user interaction.
KingsPawn is in active use in Mexico and has affected victims across the US, Europe, the Middle East, and Central and Southeast Asia, including politicians, journalists, and an NGO worker. Once installed on an iPhone, the spyware can record calls and audio, take photos, steal and remove keychain items, generate 2FA iCloud passwords, track location, and search files and databases, all while hiding its presence and carrying a self-destruct feature. Citizen Lab has identified over 600 servers in at least 10 nations operated by QuaDream's customers, which perform tasks such as storing stolen data and distributing exploits to targets.
The countries in which the servers are based include Israel, United Arab Emirates, Uzbekistan, Singapore, Hungary, Czech Republic, Romania, Bulgaria, Mexico, and Ghana, with at least three known to use spyware to target human rights defenders, journalists, and other civil society members.
A threat to democracy
Microsoft strongly condemns such attacks, characterizing the rise of spyware companies as a danger to democracy and human rights. The company cautions that the methods utilized by these unscrupulous entities will inevitably spread to more widespread criminal activities, resulting in severe consequences.
Amy Hogan-Burney, Microsoft's associate general counsel for cybersecurity policy and protection, has cautioned that the rise of spyware companies poses a genuine risk to online human rights and the broader digital environment's security and stability.
These firms depend on cyber mercenaries who stockpile vulnerabilities and seek unauthorized access to networks, creating a dangerous culture. Apple shares Microsoft's perspective: its 2021 lawsuit against NSO Group referred to them as "21st century mercenaries" who have developed sophisticated cyber-surveillance machinery that invites flagrant abuse. Ivan Krstić, head of Apple Security Engineering and Architecture, has emphasized the company's commitment to analyzing new threats, promptly patching vulnerabilities, and implementing innovative security measures to defend against abusive state-sponsored actors like NSO Group.
Apple's security engineering team is one of the most advanced in the world, and they will continue working tirelessly to safeguard their users.
Protect yourselves
Though the type of attacks perpetrated by clandestine organizations may initially require significant investment, the cost gradually decreases. Apple must persist in making device security challenging enough to deter casual attackers from pursuing these attacks. However, as time passes, exploits do become more widely available, and individuals using older devices that no longer receive security updates become increasingly vulnerable to these attacks.
There are some measures that reduce the risk from unknown zero-click attacks: keep devices updated with the latest software patches; use a passcode, strong passwords, and two-factor authentication for your Apple ID; download apps only from the App Store; and use the advanced iCloud+ security tools if available. It is also recommended to avoid clicking on links or attachments from unknown senders. Anyone who suspects they are a target can enable Lockdown Mode for additional protection. However, it is essential to hold the industry accountable, particularly with the imminent threat of generative AI and quantum computing.