Tech giant Apple released emergency OS X security updates yesterday — Security Update 2016-001 El Capitan and Security Update 2016-005 Yosemite — to address the same three zero-day exploits as last week’s security update for iOS. Those vulnerabilities, known collectively as the Trident vulnerabilities, are being actively used by “cyber warfare” company NSO Group Technologies.
The exploits were first discovered a week ago by researchers at digital security groups Citizen Lab and Lookout Security. “The Trident vulnerabilities used by NSO could have been weaponized against users of non-iOS devices, including OSX,” Citizen Lab wrote in its announcement. “We encourage all Apple users to install the update as soon as possible.”
A Three-Pronged Attack
The Trident vulnerabilities give the NSO Group three ways to attack a target device: they can convince a target to visit a malicious Web site using the Safari browser, which could lead to arbitrary code execution; an application can be made to disclose kernel memory; or an application can be made to execute arbitrary code on the device with kernel privileges.
Those three exploits could essentially allow a hacker to install any type of malware on a victim’s device to spy on the target, or even take full control of the device.
The Trident vulnerabilities came to light after an attempt was made to attack the iPhone of Ahmed Mansoor, a human rights activist based in the United Arab Emirates (UAE). “On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising ‘new secrets’ about detainees tortured in UAE jails if he clicked on an included link,” Citizen Lab wrote on its Web site. Instead of clicking on the link, Mansoor sent the messages to Citizen Lab to investigate.
Who’s the Culprit?
Citizen Lab said the links it received belonged to a collection of exploits connected with the NSO Group. Although based in Israel, the NSO Group is believed to be owned by a U.S. venture capital firm, Francisco Partners Management.
The NSO Group is a cyber weapons company that sells exploit packages such as the one used against Mansoor. Among the products sold by the NSO Group is Pegasus, a so-called “lawful intercept” spyware package sold only to governments.
Had Mansoor clicked on the links, the Web site would have installed malware on his iPhone 6 that would have turned it into a combination spy camera and microphone, capable of recording and transmitting images from his camera, audio from his microphone as well as his WhatsApp and Viber calls, and tracking his movements.
Citizen Lab said that the high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and prior known targeting of Mansoor by the UAE government suggested that the UAE government is the most likely suspect behind the attack.
But the UAE isn’t the only actor connected to NSO. The company also reportedly sold its Pegasus spyware to Ricardo Martinelli, the Panamanian billionaire accused of spying on political opponents and journalists.
