Cyber attackers have recently launched a series of Pegasus spyware attacks on iPhone users worldwide. According to researchers, these attacks show that threat actors are exploiting both newly discovered vulnerabilities and outdated, unpatched devices to bypass Apple’s latest preventive measures.
A recent blog post from Jamf Threat Labs highlighted several targeted campaigns over the past six months, including one involving a Middle Eastern iPhone user and another targeting a journalist in Europe using an unsupported iPhone 6. The attacks exploit zero-day vulnerabilities and take advantage of new features like Apple’s “Lockdown Mode” notifications, which aim to alert users to unusual activity that may be related to spyware on their devices.
The researchers emphasized that these attacks demonstrate the continuous evolution and sophistication of threat actors, even as spyware awareness and preventive measures increase. Spyware is often used with malicious intent by governments to target dissidents or individuals investigating or opposing certain policies or regimes.
However, the researchers noted challenges in responding to and preventing further attacks, owing to inconsistencies in the post-attack investigation methods used by targeted individuals or organizations. Maintaining a comprehensive list of indicators of compromise (IoCs) and extracting relevant data remotely also pose difficulties.
In two specific attacks, researchers detailed how no iPhone is immune to targeting, despite Apple’s security updates. One attack targeted an iPhone 12 Pro Max user in the Middle East, who received a notification from Apple regarding suspicious activity on the device associated with Pegasus spyware. Investigation revealed evidence of compromised files and system crashes.
Another attack focused on a journalist in Europe who used an unsupported iPhone 6. The researchers found files in an unusual location within the iPhone’s file system, suggesting a new indicator of potential compromise. Although the researchers could not definitively identify the threat actor or the use of Pegasus, they reported this finding to Apple as a potential new IoC.
To mitigate and prevent such attacks, organizations are advised to ensure that all devices are updated with the latest operating systems and security patches. Comprehensive monitoring of mobile devices alongside desktops, laptops, and servers is recommended, as is practicing good hygiene on corporate networks by keeping applications up to date and fully patched. Users should receive education on the symptoms of spyware and be encouraged to use the Lockdown Mode feature for added protection.