NSO Group Utilizes Three iOS Zero-Click Exploits in 2022: Citizen Lab Report

April 18, 2023

According to a recent report from Citizen Lab, Israeli spyware vendor NSO Group used at least three previously unknown iOS zero-click exploits in 2022. These exploits, named FindMyPwn, PwnYourHome, and LatentImage, were discovered during an investigation into malware infections on the iPhones of human rights defenders in Mexico. NSO Group's Pegasus spyware has often been delivered to targeted iPhones using zero-click and/or zero-day exploits. Despite Apple's efforts to prevent attacks against its customers, NSO's exploit developers continue to find ways to bypass mitigations.

One of the new zero-click exploits discovered by Citizen Lab, PwnYourHome, is a two-step exploit targeting HomeKit and iMessage. It was used against iOS 15 and 16 devices starting in October 2022. Another two-step exploit, FindMyPwn, targets the Find My feature and iMessage and has been used against iPhones running iOS 15 since at least June 2022. The third exploit, LatentImage, was seen on only one device and appears to be the first new exploit used by NSO in 2022. The FindMyPwn and PwnYourHome exploits were used as zero-days.

Apple was informed about the findings in October 2022 and January 2023. One of the vulnerabilities involved in these attacks is CVE-2023-23529, which Apple fixed in February. It's unclear what other CVE identifiers have been assigned to the flaws associated with these exploits. The tech giant has patched roughly a dozen iOS zero-days over the past year. Apple sent out notifications to targeted users in November and December 2022, as well as in March 2023.

Citizen Lab has not seen the PwnYourHome exploit work against devices that had Apple's Lockdown Mode feature enabled, suggesting that NSO Group may have since improved its exploits. The organization discovered the new exploits after finding indicators of compromise known to be associated with Pegasus attacks. However, Citizen Lab has decided not to disclose those indicators, as NSO Group might leverage the information to ensure that future attacks are not detected.

In related news, Citizen Lab and Microsoft recently detailed the iOS malware developed by an Israel-based spyware vendor named QuaDream. Described as a competitor of NSO, the company is reportedly shutting down, partly due to the latest revelations.

Related News

• CISA Directs Government Agencies to Update Apple Devices by May 1st
• Apple Releases Emergency Updates to Address Zero-Days Exploited in Attacks
• Apple Addresses Actively Exploited WebKit Zero-Day for Older iPhones and iPads
• CISA Adds Four Security Vulnerabilities to Known Exploited List
• Apple Patches Zero-Day Vulnerability Used in iPhone, iPad, and Mac Attacks

Latest News

• Ransomware Attack Targets US Payments Giant NCR
• Emergency Chrome Update Addresses First Zero-Day of 2023
• Google and CISA Issue Warning on Android Flaw Exploited by Chinese App
• Windows Admins Urged to Patch Critical MSMQ QueueJumper Bug
• Microsoft Offers Guidance on Detecting BlackLotus UEFI Bootkit Attacks