Zero-days fixed by Apple were used to deliver Pegasus spyware

Zero-days fixed by Apple were used to deliver NSO Group’s Pegasus spyware

Pierluigi Paganini
September 08, 2023

Citizen Lab reported that the actively exploited zero-days fixed by Apple are being used in Pegasus spyware attacks

Researchers at Citizen Lab reported that the actively exploited zero-day flaws (CVE-2023-41064 and CVE-2023-41061) fixed by Apple are being used to infect devices with NSO Group’s Pegasus spyware. 

According to the researchers, the two vulnerabilities were chained as part of a zero-click exploit, named BLASTPASS, used in attacks on iPhones running the latest version of iOS (16.6).

Citizen Lab reported that the exploit was used to install the Pegasus Spyware on the device belonging to an individual employed by a Washington DC-based civil society organization with international offices.

The experts reported that the exploit involved PassKit attachments containing malicious images that were sent to the victim from an attacker’s iMessage account.

“Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.” reads the report published by Citizen Lab” “We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.

The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.”

The researchers plan to publish technical details about the BLASTPASS exploit chain in the future.

Citizen Lab recommends iPhone users immediately update their devices. The organization pointed out that civil society is continuously targeted by threat actors using highly sophisticated exploits and spyware.

Apple has already patched 13 actively exploited zero-day vulnerabilities in 2023, below is the list of the flaws fixed by the company:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts