The story is as old as phishing itself. A malicious message is sent, disguised as something innocuous. Once the message is opened (or, possibly, even if it's not), the victimized endpoint is at the mercy of the spyware’s commands.
Pegasus spyware follows the same storyline.
What’s Different?
Pegasus isn’t trying to phish your grandmother or your new finance intern.
It’s going after heads of state.
Earlier this year, news broke that high-ranking Spanish political figures, including Spain’s prime minister and defense minister, were targeted with Pegasus. The Spanish government has made a point of saying that the attacks were both “illicit” and “external.”
Pegasus—allegedly only sold to governments—was initially developed in the mid-2010s by an Israeli intelligence agency. It has since been installed on tens of thousands of devices owned by politicians and journalists around the world. The fact that Pegasus is being used to go after powerful public figures is particularly alarming given what Pegasus is capable of. It can harvest photos, secretly record through a device’s camera, and activate microphone functions. In a sense, it’s the 007 of spyware.
Even more concerning, unlike many attacks, Pegasus doesn’t wait around for people to slip up and hand over their credentials. Pegasus can access a device via zero-day vulnerabilities—bugs that aren’t yet known to the vendor and thus don’t have patches available.
And it gets worse.
Vulnerability Chaining
Part of why Pegasus is so menacing is that it frequently uses vulnerability chaining, a technique in which threat actors identify and exploit several related vulnerabilities together in order to increase their chances of success. In lay terms, vulnerability chaining means exploiting one vulnerability to reach another, and so on. This makes the threat harder to track and combat. Vulnerability chaining also makes it possible to reach targets that would have been inaccessible had the threat actor gone after them directly.
Vulnerability chaining has been discussed in theoretical terms for some time, but it has rarely been put into practice. Since it has been so rare, it has been easy to dismiss it as a limited threat. But, of course, that’s the problem. Apple, for instance, has patched vulnerabilities associated with previous Pegasus attacks, only to have Pegasus use vulnerability chaining to attack again.
When a team of people is tasked with identifying and assessing threats, the risk analysis is only as good as that team’s skill and capacity. It doesn’t matter how robust and talented your team is; as humans, we bring our personal assumptions and experiences into threat assessment. And there is absolutely no way to manually get ahead of every threat.
Since people haven’t commonly seen vulnerability chaining, it hasn't necessarily felt like a threat worth devoting time and resources to. And yet here we are facing Pegasus.
Look Holistically, React Accordingly
To further complicate matters, vulnerability chaining comes with its own set of exacerbating factors. By its very definition, vulnerability chaining comes with myriad permutations and combinations that can be weaponized. If you have 250,000 vulnerabilities and they can be exploited in any combination . . . well, you can do the math. It’s a lot to get ahead of, to say the very least.
Remediating a vulnerability chain is as complicated as you might guess given the context. If two vulnerabilities are being weaponized together, the solution is not as simple as patching each vulnerability individually. It’s like a medical patient with a multi-organ problem; you can’t pretend there isn’t a larger, more complex issue in play. You do have to treat each vulnerability (or organ, in this analogy), but you also have to look holistically at the overall threat and react accordingly.
Of course, as with medical patients, the ideal option is preventive care. Phishing is a clear pathway for vulnerability chaining, and the preventive measure for phishing is as simple as it gets: Don’t click on unverified links.
That’s clearly easier said than done, particularly when you’re managing a large team with multiple endpoints that aren’t tucked neatly behind a perimeter. Education is therefore important, but device security becomes paramount.
The shift to the remote workplace has led to more people accessing sensitive data on a wide range of devices (including personally owned devices) that run a variety of operating systems far beyond the firewalls of the past. Rooted Android devices and jailbroken Apple devices, with their device controls removed, have become low-hanging fruit for threat actors. With complex threats like Pegasus emerging—and IT teams understaffed and overwhelmed like never before—the time to act is now.
Sophisticated spyware threats such as Pegasus demand sophisticated defense strategies so that organizations can identify, flag, and (potentially) remediate threats—long before a human would ever discover them. To that end, organizations should use unified endpoint management and mobile-threat defense to enforce robust compliance actions—including blocking access, quarantining devices, and wiping the devices to prevent data loss and potential ransomware.
In the words of my colleague Nigel Seddon, “The ability to detect and flag a vulnerability could be the difference between total privacy and a Black Mirror nightmare.”
What Can You Do Right Now?
As a user, be vigilant about not clicking links.
As an enterprise, ensure that you have a robust mobile device management (MDM) solution in place.
Ensure that device security and MDM undergo regular updates.
Patch consistently—optimally using risk-based intelligent patching.
The success of Pegasus sends a signal to other threat actors that vulnerability chaining is an effective cyber criminal strategy. That’s not the message we want them to get. We need to send an even stronger message in return: We know what you’re doing, and we know how to get ahead of it.