Professional Mobile Espionage Attacks: Pegasus and Beyond
Total Page:16
File Type:pdf, Size:1020Kb
#RSAC SESSION ID: MBS-R11 Professional Mobile Espionage Attacks: Pegasus and Beyond Andrew Blaich Max Bazaliy Staff Security Researcher Staff Security Researcher Lookout Lookout @ablaich @mbazaliy Video #RSAC What just happened? 3 #RSAC What just happened? “Lawful Intercept” 4 #RSAC The Target: Ahmed Mansoor 5 #RSAC Collaboration 6 #RSAC Citizen Lab: Pegasus Attribution C2 Infrastructure sms.webadv.co <-> mail1.nsogroup.com, nsoqa.com Linked to other targeted attacks in Mexico, Kenya Code identifiers Internal variables and function names Sophistication of software HackingTeam leak: marketing literature 7 #RSAC Pegasus Overview #RSAC What is Pegasus? Pegasus is espionage software Relies on jailbreaking a device to install itself The jailbreak is achieved via an exploit chain named Trident Pegasus can listen to all audio, video, text, and data communications coming into or leaving a phone 9 #RSAC Historical analysis Pegasus featured a non-public persistent remote jailbreak No/Minimal user interaction required 2011 public jailbreak “jailbreakme 3” is most similar December 2016 Luca Tedesco released a “jailbreakme” using Trident and Pangu. 10 #RSAC How does Pegasus operate on iOS? Stage 1 Stage 2 Stage 3 WebKit XNU Surveillance Spear-phish RCE exploitation + persistence Single use Safari UAF Kernel info leak + Re-jailbreak on CVE-2016-4657 CVE-2016-4655 reboot + Kernel UAF + Init. app hooks CVE-2016-4656 + Sync with C&C server = Jailbreak 11 #RSAC Exploit Chain - Trident CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution CVE-2016-4655: An application may be able to disclose kernel memory CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges 12 #RSAC Targeted apps 13 #RSAC Payload Analysis 14 #RSAC What do you need for a jailbreak? Ability to bypass code execution to run unsigned code Ability to patch the kernel to remove security restrictions Ability to elevate privileges and install payload [Optional] Ability to persist the jailbreak after reboot 15 #RSAC Stages & Trident Vulnerabilities Stage 1 CVE-2016-4657– Visiting a maliciously crafted website may lead to arbitrary code execution (Safari WebKit RCE) Stage 2 CVE-2016-4655- An app may be able to disclose kernel memory (KASLR) CVE-2016-4656- An app may be able to execute arbitrary code in kernel Stage 3 Espionage software payload Unsigned code execution and jailbreak persistence 16 #RSAC Pegasus - Stage 1 17 #RSAC Stage 1 - Payload Spear-phish URL – Single use Contains obfuscated JavaScript —Checks for device compatibility iPhone, 32 or 64-bit —Contains URLs for Stage 2 —Contains an RCE in WebKit 18 #RSAC Vulnerability: CVE-2016-4657 Visiting a maliciously crafted website may lead to arbitrary code execution Remote code execution in Webkit Vulnerability is a use after free (UAF) Achieved via two bugs Not 100% stable as it relies on WebKit garbage collector semantics 19 #RSAC Pegasus - Stage 2 20 #RSAC Stage 2 - Payload Contains shellcode and compressed data Shellcode used for kernel exploitation in Safari Compressed data: Stage 3 loader Downloads and decrypts Stage 3 Configuration file 21 #RSAC Vulnerability: CVE-2016-4655 An application may be able to disclose kernel memory Infoleak used to get the kernel’s base address to bypass KASLR Constructor and OSUnserializeBinary methods were missing bounds checking Uses the OSNumber object with a high number of bits Trigger happens in is_io_registry_entry_get_property_bytes Can be triggered from an app’s sandbox 22 #RSAC Vulnerability: CVE-2016-4656 An application may be able to execute arbitrary code with kernel privileges Use after free to gain kernel level code execution The setAtIndex macro does not retain an object Trigger happens in OSUnserializeBinary Can be triggered from an app’s sandbox 23 #RSAC Pegasus - Stage 3 24 #RSAC Stage 3 - Payload - espionage software Processes: Dylibs: lw-install - spawns all sniffing services libdata.dylib - Cydia substrate watchdog - process manager libaudio.dylib - calls sniffer systemd - reporting module libimo.dylib - imo.im sniffer workerd - SIP module libvbcalls.dylib - Viber sniffer converter - Cynject from Cydia libwacalls.dylib - Whatsapp sniffer Other: com.apple.itunesstored.2.csstore - JS used for unsigned code execution ca.crt - root cert used w/ SIP module 25 #RSAC com.apple.itunesstored.2.csstore JSC bug that led to unsigned code execution Used with rtbuddyd trick to gain persistence Bad cast in setEarlyValue Triggerable only from an jsc process context 26 #RSAC Techniques to prevent detection and analysis One time use links (redirects to Google or other sites) Obfuscated JavaScript and Objective-C code Payloads are encrypted with a different key on each download Spyware components are hidden as system services 27 #RSAC Techniques to stay undetectable Blocks iOS system updates Clears Mobile Safari history and caches Uses SIP for communication Removes itself via self destruct mechanisms 28 #RSAC Techniques to gather data Records any microphone usage Records video from camera Gathers sim card and cell network information Gathers GPS location Gathers keychain passwords (including Wifi and router) 29 #RSAC Targeted apps 30 #RSAC Application Hooking iOS sandbox prevents apps from spying on each other On a jailbroken iOS device spying “hooks” can be installed Pegasus uses Cydia Substrate to install app “hooks” Dynamic libraries are injected into the application processes on spawn Cynject to insert code into running processes 31 #RSAC Application HookingPhone with Pegasus Pegasus Pegasus Pegasus Kernel #RSAC Observations and Continuing Work Remote jailbreaks in the public are rare (~5 years ago) Rarer to find a sample of such a highly engineered piece of spyware Commercial surveillance-ware is different from “home grown” attacks Continuing to hunt other “lawful intercept” surveillance-ware 33 #RSAC Security Risk SECURITY RISK HEAT MAP 100 CATASTROPHIC LOSS EXECUTIVE, ACTIVIST, POLITICIAN Likelihood A PERSON IN THE GENERAL PUBLIC LOW RISK 0 Impact 100 #RSAC Predictions We will continue to see targeted attacks on mobile Android - using both known and unknown vulnerabilities iOS – depends on the target; using primarily unknown vulnerabilities due to the fast updating of devices by Apple Persistent vs. Non-Persistent Jailbreaks Recent public jailbreaks have all been non-persistent Persistent jailbreaks require extra work and are rare, thus making them worth more to exploiters 35 #RSAC Apply what you’ve learned Keep your devices up to date Avoid visiting sketchy links especially from unknown contacts Act quickly Protect your organization 36 #RSAC Special thanks Citizen Lab: Bill Marczak, John Scott-Railton, and Ron Deibert Lookout: John Roark, Robert Nickle, Michael Flossman, Christina Olson, Christoph Hebeisen, Pat ford, Colin Streicher, Kristy Edwards and Mike Murray Divergent Security: Cris Neckar, Greg Sinclair Individual researchers: in7egral 37 #RSAC Questions and Answers 38 #RSAC Resources #RSAC Useful links https://blog.lookout.com/blog/2016/08/25/trident-pegasus/ https://blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/ https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso- group-uae/ https://citizenlab.org/2016/05/stealth-falcon/ https://targetedthreats.net/ https://citizenlab.org/ 40.