Rewterz Threat Alert – Pegasus Spyware – Finnish Diplomats Under Attack

Severity

High

Analysis Summary

Finland’s Ministry of Foreign Affairs revealed that Pegasus Spyware has infected devices of many Finnish Diplomats. 

“Finnish diplomats have been targets of cyber espionage by means of the Pegasus spyware, developed by NSO Group Technologies, which has received wide publicity. The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part. Through the spyware, the perpetrators may have been able to harvest data from the device and exploit its features.” reads a statement published by the Ministry.

The NSO Group is a leading Israeli cyber- company which made it to the news after 50,000 phone numbers worldwide on a leaked list were linked to its notorious spyware Pegasus. The spyware was used to monitor high-profile targets, including but not limited to the heads of states, journalists, human rights activists, and political rivals, and in this case, Finnish Diplomats. 

“The Ministry for Foreign Affairs is continually monitoring events and activities in its operating environment and assessing related risks. The Ministry for Foreign Affairs monitors its services and strives to prevent harmful activities.  The preparation of and decisions on foreign and security policy, in particular, are matters that attract much interest, which may also manifest itself as unlawful intelligence.” concludes the Ministry. “The Ministry responds to the risk by various means, but complete protection against unlawful intelligence is impossible.”

The key futuristic feature of Pegasus spyware is that it can be installed on a targeted phone with just a missed call or text message; it uses a zero-click iMessage exploit to deliver a chain of zero-day exploits to invade security features on the smartphone. The evasion will install the Pegasus spyware without the user’s permission and knowledge.

The critical data that is being extracted using Pegasus spyware is:

• Photos and Screenshots
• Microphone recordings
• Video recordings
• Email and SMS
• Live GPS data
• Network Details
• Device Settings Info
• Browsing History
• Contact Details
• Social Networks
• Phone Calls
• File Retrievals
• Keystrokes
• Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao
• Email exfiltration from Android’s Native Email client
• Contacts and text messages.

The silver lining is that the information has been classified as Level 4 (the lowest level of classified information) or public. However, its sources may be subject to diplomatic confidentiality.

Impact

• Information Theft
• Performance Degradation
• Misuse of Data
• Financial Loss

Indicators of Compromise

MD5

• 3a69bfbe5bc83c4df938177e05cd7c7c
• 81c793c80bd4cdd7dab3d51aff73c378
• a087a76807c2918b53a4b15c0ce1b66b

SHA-256

• 3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86
• 2421a2d7976e669f7b960bc4d312c92aae923d2020adfb9a7ebf289cc28bb496
• d44fd08796bb71f2926bb1891f13fa4b6fe867b6eddb6183b0e3b96932c87d55

SHA-1

• b6850881561265d89597d0d245b33dba3d7d3f47
• c75433d6e5d3da659f00587d77e9a7300a32a6bf
• 047f10aa4d09aeefaaaaf06fc9653b7a9014a93d

Remediation

It is exceptionally difficult to protect against such sophisticated attacks due to the extensive use of zero-day exploits, but not impossible. Mentioned below are some best practices that can be adopted to safeguard oneself against Pegasus & such Attacks to the optimum level of security.

• Use mobile phone EDR aka mobile endpoint detection and response.
• Use a reputable password manager app.
• Use Authenticator app (i.e., Google authenticator app, Microsoft authenticator app).
• For extra security, get a physical authenticator key like YubiKey, that can be used on the
• Phone and laptop.
• Switch to an uncommon but safe web browser.
• Do not use an outlook mail client or any email server that’s inbuilt on your OS. Switch to uncommon but reputable and
• secure email clients.
• Ensure that all your devices and logins are stored in your password manager and use the password generator
• Ensure all your logins are connected to your authenticator app/device.
• Your anti-virus software should be enabled to lock and erase your device if it’s stolen.
• Use Securedrop for document sharing, etc.
• Use a different SMS app (Disable iMessage, or if possible, delete it since it has been abused by Pegasus & other threat
• actors multiple times exploiting zero-day providing the Pegasus an initial access point. It will be not wrong to say it’s
• their favorite attack spot).
• Only open links from known and trusted contacts and sources when using your device.
• Make sure your device is updated with any relevant patches and upgrades.
• Avoid public and free Wi-Fi services (including hotels), especially when accessing sensitive information.
• Do not blindly approve app permission requests.
• Keep checking app permissions