27.07.2021

Zero-Click Attacks – No Click to Victim


The cyber risk is constantly increasing. Cyberattacks are now so sophisticated that users become victims without having taken action themselves or having made a mistake.

What sounds more like methods from a spy thriller is reality. Just last week, it became known that the Pegasus surveillance software could be installed on iPhones without any intervention by the user. Zero-day vulnerabilities in the iMessage software served as the entry point. But what exactly is behind zero-click attacks? Our current blog post explains.

Not the first incident with the Pegasus spyware

The Pegasus spyware has been known since 2016. It was developed by the Israeli company NSO Group and is used to spy on Android and iOS devices. The software allows data to be accessed unnoticed and sent over the Internet. The use of Pegasus is quite controversial. The company already attracted negative headlines in 2019. At that time, around 1,400 human rights activists, journalists and politicians were monitored with WhatsApp spying attacks. According to WhatsApp boss Cathcart, these attacks were also carried out with the help of the Pegasus software. Now the spyware is once again in the spotlight. This time, however, matters are made even more difficult by the fact that Pegasus can be smuggled onto devices without any human activity, through so-called zero-click attacks.

The danger of zero-click attacks

This type of attack poses a whole new set of risks. Monika Bubela, Cyber Threat Intelligence Analyst at Perseus, summarizes the threat situation as follows:

“The biggest threat of zero-click attacks is that they don’t require any action from the victim. There is no suspicious link or message that the victim would have to click on.”

Thus, systems can be compromised without any human interaction. For example, just receiving a manipulated message can be enough to allow attackers to take over smartphones. Even a very attentive user with a well-patched and updated system can easily become a victim.

What do cybercriminals do?

For zero-click attacks, cybercriminals exploit vulnerabilities and weaknesses that they find in the operating system of mobile devices or in the apps installed on the device.

So-called zero-day vulnerabilities are particularly interesting. These are security vulnerabilities that are not yet known to the manufacturer of the software and have therefore not yet been mitigated or patched.

Attention! These security gaps are closed on your own device, and active exploitation of the vulnerabilities by cybercriminals is fended off, only once the provided security updates and patches are installed.

(Editor’s note: In connection with the Pegasus spyware, experts are not yet giving the all-clear that an update to the current iOS 14.7 operating system will prevent zero-click spread.)

For experts:

Monika Bubela explains in detail how cybercriminals can ultimately take over mobile devices:

“The malware itself ‘jailbreaks’ an iOS device without the user’s knowledge.” In information security, a ‘jailbreak’ describes the unauthorized lifting of restrictions on the use of computers or mobile devices. This means that certain functions that the manufacturer has blocked by default become available.

“For Pegasus’ aforementioned zero-click attack on iOS devices, it means that an unauthorized third party gains root access to the iOS device. As a result, Apple is no longer the only source of apps, allowing an attacker to download applications that are not verified by Apple to the victim’s device. Android devices are also vulnerable. Google is aware of this and is trying to provide patches for well-known malware such as Pegasus.”

What can you do?

In your day-to-day work, you probably won’t come into contact with zero-click attacks – at least not yet. However, developments in recent years show that attacks by cybercriminals are becoming increasingly complex. So sooner or later you may have to deal with zero-click attacks more intensively.

As already explained, zero-click attacks can affect even very attentive users. Complete protection is therefore hardly possible, but we would like to point out important protective measures:

  1. Install updates to the operating system and installed apps immediately
  2. Download and install apps only from the official iOS and Android app stores
  3. Read our detailed article on the topic: “How to better protect your smartphone”