The Citizen Lab has uncovered another iPhone zero-click bug that NSO exploited to deploy their notorious Pegasus malware. The recent campaign typically targeted politicians, activists, and journalists in Catalonia, Spain.
iPhone Zero-Click Exploited Against Catalans
As elaborated in their recent report, the Citizen Lab team found a new iPhone vulnerability exploited in the campaign they call “CatalanGate”.
Specifically, they first noticed a wave of Pegasus malware attacks targeting users from the region in 2019. A deeper analysis, however, showed that the attacks took place between 2017 and 2020. The malware infected the devices of numerous Catalan Members of the European Parliament (MEPs), legislators, journalists, jurists, activists, and civil society members. In total, the researchers identified 63 different individuals affected during this period.
Regarding the bug, the researchers identified a zero-click vulnerability affecting iPhone devices. Named “HOMAGE”, this vulnerability involved an iMessage zero-click component and affected iOS versions later than iOS 13.1.3 and earlier than iOS 13.2. (The latter might have fixed the bug.)
Together with HOMAGE, the attacks also exploited the previously known “KISMET” flaw.
But that’s not all – the researchers also spotted another spyware, Candiru, targeting some Catalans. That brings the total number of individuals affected by Pegasus, Candiru, or both to 65.
For Candiru infections, the attackers exploited two privilege escalation vulnerabilities in the Windows kernel (CVE-2021-31979 and CVE-2021-33771). Following this discovery, the Citizen Lab informed Microsoft of the matter, and Microsoft patched the two zero-day bugs in its July 2021 Patch Tuesday updates, eventually fixing all potentially affected Windows systems.
The Citizen Lab has shared the details about the surveillance situation in Spain, particularly against the Catalans, in the report. To execute the attack, the attackers targeted the victims via zero-click exploits and malicious SMS messages. Either way, because the attack required no user interaction, the victim had little chance of avoiding infection.
Let us know your thoughts in the comments.