Stop! Go patch your iOS/iPadOS and macOS devices against Pegasus spyware right now!

Background information

Back in late-July, news outlets reported a growing concern with the misuse of the Pegasus surveillance software. Intended to be used to target terrorists and criminal threats by exploiting iMessage vulnerabilities found primarily within iOS/iPadOS devices, the question of rights to privacy became the focus after it was found that several governments worldwide were using the sophisticated tools to target journalists, activists and dissidents by monitoring and capturing privacy data without the user’s explicit consent.

Jamf reported a thorough breakdown of the Pegasus spyware as it became known, including what it is and what it does, along with the broader security implications, indicators of compromise and recommendations for staying protected, including the “patch fast, patch often” mantra to ensure devices are protected against the very latest known threats.

On September 13, 2021, Apple released a slew of new, critical updates for iOS/iPadOS (14.8), macOS Catalina/Big Sur(11.6), watchOS (7.6.1) and the Safari (14.1.2) browser that target security threats – namely, the vulnerabilities that make falling victim to Pegasus possible.

• CVE-2021-30858: A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution.
• CVE-2021-30860: An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

iOS/iPadOS 14.8

According to Apple’s iOS/iPadOS release notes, both CoreGraphics and WebKit are patched with this update, protecting against maliciously crafted PDF and web content respectfully that could lead to arbitrary code execution.

The update targets iPhone 6S and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, as well as iPod touch 7th generation devices. For security reasons, Apple does not disclose security issues nor perform a deep dive into security updates.

Users are urged to patch immediately or as soon as possible to keep protected against the latest known threats, especially as there have been reports of the Pegasus spyware having been exploited in the wild. Effectively indicating any device running a version of iOS/iPadOS lower than 14.8 as vulnerable and potentially exploitable without additional protections to mitigate some of the risks.

Additional considerations for protection against the latest known and zero-day threats include deploying Wandera Threat Defense for the real-time detection and prevention of network attacks, such as phishing threats, malicious downloads and preventing data exfiltration, while safeguarding user privacy with added encryption for added protection help to block the follow-up activities common to mobile device-based attacks, if not stamping it out completely.

Additionally, there are a number of security recommendations based on industry best practices that also apply to mobile devices in helping to mitigate risks like this one, and other future threats, that you may want to consider:

• Device Security:
  • Ensure all devices are running the latest software. Yes, even for mobile devices, the “patch fast, patch often” mantra applies. Ensure that you have an organized process to roll out OS and app updates across your mobile fleet just as quickly as you do for your other devices.
  • Implement a vulnerability monitoring and patch management process to improve timely responses to future exploits. Yes - even on mobile devices.
  • Implement an app vetting workflow that ensures only approved apps have access to corporate data. By strictly controlling what apps are available on devices you can reduce the attack surface further.
• Data Security:
  • Review managed app permissions for excessive data collection, if an app is exploited and it hasn’t been given access to contacts, calendar, photos, camera, microphone, etc, then the threat is easier to contain.
  • Implement conditional access policies that prevent work applications (with sensitive data) from being accessed when the mobile device has risky apps installed. Conditional access policies implemented on the device can be highly effective even with unmanaged devices.
• Network Security:
  • Deploy a security solution with inspection capabilities at the network layer to identify transactions that are indicative of a compromised device. Ensure that network visibility is active on all network interfaces and not just when the device is on the corporate campus.
  • Utilize network security policies to block malicious downloads, command and control (C2) traffic, and data exfiltration.
  • Deploy a mobile security solution with zero-day detection capabilities to monitor at scale for anomalous behavior (such as a sudden pattern of communication with untrusted foreign servers).
  • When a new threat is identified, attempt to isolate the threat and limit its ability to function. When WhatsApp was being used by Pegasus a while back, Wandera customers were able to respond by blocking WhatsApp connections at the network level to manage the risk while they waited for a patch. Since the current round of attacks seem to be focused on iMessage, consider what the impact to your organization and your employees would be where you to disable iMessage traffic, for example.

macOS Big Sur 11.6

Echoing identical information to that of the iOS/iPadOS section above, the Apple release notes for macOS Big Sur 11.6 address the very same threats and should be taken equally as serious by admins and users in how critical it is for your macOS-based devices to be “patched fast, patched often”.

Similarly, to the protections afforded to iOS/iPadOS by Wandera Threat Defense, macOS device benefit greatly from Jamf Protect, the purpose-built endpoint security software designed exclusively to monitor, detect, prevent, remediate and report on Mac specific security threats affecting your macOS-based device fleet. Running alone or integrated with a number of applications to provide more additional workflows and automation, Jamf Protect ensures your Mac -and users - stay protected, compliant and performing optimally.

macOS Catalina Security Update 2021-005

As an addendum to the macOS Big Sur 11.6 update above, organizations and users still running macOS 11.5, dubbed Catalina, will want to update to the latest security update quickly. According to Apple’s release notes, Catalina is vulnerable to CVE-2021-30860 and patching this vulnerability will mitigate this risk.

Safari 14.1.2

Lastly, Apple provides additional information in their release notes relating to the WebKit component found in both macOS Catalina and Mojave. An update to the Safari browser brings it into compliance with version 14.1.2, patching it against CVE-2021-30858.