Pegasus The Humanitarian Costs of Insecure Code

PegasusThe Humanitarian Costs of InsecureCode

A look at the nature and effects of legal, advanced spyware on application security

Typically, stories about cyber attacks grab the readers attention by describing the damage inflicted on a company in large dollar amounts. While multimillion-dollar ransomware demands are shocking, they can be quickly forgotten. After all, these situations are eventually worked out, and its not as if anyones life is indanger.

Pegasus attacks are different.

Pegasus attacks on iPhone and Android devices do not cost businesses millions in revenue. They do not trigger multiple expensive lawsuits for privacy violations or result in sensitive data being used for blackmail. Pegasus measures its damage by its chilling effect on privacy, the incalculable costs of information suppression, and in some cases, humanlives.

Pegasus is an advanced spyware that exploits vulnerable mobile apps to gain a foothold on iPhone and Android devices. Once installed, Pegasus gives attackers a considerable amount of control over the device, including the abilityto:

Pegasus is the creation of the NSO Group, an Israeli firm that licenses it to governments to perform surveillance. NSO states its technology is intended to prevent and investigate terrorism and crime to save thousands of lives around the globe. However, Pegasus is a highly sophisticated tool, and like any tool its use is only as benevolent as the hand that wields it. The spyware allows governments to crack citizens mobile devices, track them, and observe their communications. Whether it is solely used to target criminals is up to their discretion.

On the iPhone, Pegasus uses a zero-click attack against the iOS iMessage app to infect the device. A zero-click attack is one that requires no cooperation or interaction from the victim to succeed. Typically, these attacks directly exploit known app vulnerabilities and use data verification loopholes to avoid automated detection and other security features. Zero-click attacks also take lengthy steps to remove or obfuscate all traces of their existence, making them extremely difficult for threat researchers todetect.

Pegasus is easier to deploy on Android and can move laterally to exploit secondary attack vectors if the primary method of infection fails. The Android version of Pegasus does not rely on a zero-click attack but, uses Framaroot to discover code exploits and root the device. Android, by design, does not keep the logs researchers use to identify a Pegasus infection. In fact, researchers must often use special tools to detect the presence of Pegasus onAndroid.

Both the Android and iPhone versions of Pegasus ultimately rely on exploiting vulnerable code. Yet, the spyware is so sophisticated that detecting its presence does little to reveal how it infiltrates a device. This is evident from the sheer length of time that iPhone users have struggled with Pegasus. Media outlets first reported the existence of the spyware in 2016. Apple released a quick fix for iMessage shortly afterward. Yet, the most recent iOS fix for Pegasus arrived on September 13, 2021five yearslater.

On July 18th Amnesty International and Forbidden Stories (a Paris-based non-profit), named 50,000 individuals as potential targets of Pegasus attacks. Among the names were journalists, activists, politicians and other people of interest. The list was initially leaked to Forbidden Stories, who shared it with the media. The Amnesty International Security Lab collected a small sample of phones from members of the list and tested them for Pegasus infections. The lab discovered Pegasus indicators on 37 of 67phones.

In response, NSO Group released a statement denying any wrongdoing and criticizing the methodology used by the lab. They reiterated their commitment to only serving law enforcement and intelligence agencies of vetted governments. NSO stated they do not operate Pegasus for clients or have access to internal client data. Therefore, they could not possibly possess or leak a list oftargets.

Governments named by Amnesty International for violating their citizens privacy likewise denied any wrongdoing. In India, several journalists, opposition leaders, and three state officials were identified as appearing on the list. Forensic tests on 22 of the smartphones belonging to suspected Indian targets revealed that 10 were attacked by Pegasus. The Indian Government responded by denying they use Pegasus to target non-criminals.

One aspect that sets Pegasus apart from other malware is its focus on individual targets. While ransomware and APT groups may conduct surveillance on their targets before launching an attack, they are seldom concerned with individuals. Malware campaigns may involve spear-phishing or whaling attacks against high-ranked individuals, but the goal is usually obtaining their account credentials or access. Pegasus is deployed to directly monitor the individual, not steal their account privileges.

Likewise, traditional malware attacks usually focus on stealing money, hijacking data, or disrupting the operations of an organization. They almost always inflict financial damage through blackmail, extortion, regulatory fines, information theft, or harming the brand name. The damage Pegasus inflicts is personal and applies directly to the individual. This means developers accustomed to weighing the financial risks of vulnerable code should also consider humanitarian risks aswell.

Pegasus also highlights the wide spectrum of adversaries devs are facing. The tactics techniques and procedures (TTPs) of APTs and black-hat hackers are well known and generally understood. Their attacks are unlawful, meaning compromised organizations can generally rely on the support of law enforcement. NSO is a well-funded private company and its customers are governments and law enforcement agencies. This makes it unlikely that anyone officially deploying Pegasus will be considered a criminal. When cracking security on an individuals mobile device is not a crime, the app developer becomes the sole line of defense against Pegasus-like attacks.

Pegasus, like 84% of all cyber attacks, relies on exploiting vulnerabilities in the application layer to succeed. This makes application security testing through methods like SAST, DAST, IAST, and SCA key to preventing these attacks. Simply put, depriving organizations like NSO of vulnerabilities to exploit is the best way to stop them. Once vulnerable code is released it can be extremely difficult to discover how it is exploited. If Apple, the worlds largest company, is still patching iMessage five years after the first Pegasus infection what chance do smaller businesses have?

Open-source code presents another problem. Many open-source libraries contain known vulnerabilities, yet 96% of proprietary applications contain open-source code. Simple steps like checking open-source code dependencies with tools like Intelligent SCA (I-SCA) can greatly improve application security by alerting development teams to these vulnerabilities. Likewise, static code analysis like next-generation SAST (NG-SAST) can provide developers with daily or weekly insight into vulnerabilities in custom and open source code. With these kinds of tools, it is possible to integrate security processes throughout the software development lifecycle to better protect user data in an application.

For more information on efficient ways to add security testing to the SDLC, visit Shiftleft.io.

PegasusThe Humanitarian Costs of Insecure Code was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by The ShiftLeft Team. Read the original post at: https://blog.shiftleft.io/pegasus-the-humanitarian-costs-of-insecure-code-6f5afe6f36a1?source=rss----86a4f941c7da---4