A number of Indonesian officials, including Coordinating Minister for Economic Affairs Airlangga Hartarto, are suspected of having been attacked with the ForcedEntry spyware exploit. The attack is thought to have come from the NSO Group, an Israeli company.
So, what exactly is ForcedEntry?
The use of ForcedEntry to attack targets was first revealed by Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada.
Citizen Lab discovered ForcedEntry while analyzing the cellphones of Saudi Arabian activists affected by the Pegasus spyware attack, also from NSO.
“When analyzing the phones of Saudi activists infected with the Pegasus spyware from NSO Group, we found a clickless exploit against iMessage. The exploit, which we call ForcedEntry, targets Apple’s image rendering library, and is highly effective against iOS, MacOS, and WatchOS devices,” wrote Citizen Lab.
Pratama Persadha, Chairman of the Communication & Information System Security Research Center (CISSReC), said that this software infects the device even though its owner does not click on anything.
“ForcedEntry is a hack with a zero-click attack method. This attack is relatively sophisticated because it does not require social engineering techniques, such as leading the victim to click on a malicious link or attachment. This method also does not require interaction with the victim, making it difficult to trace the source,” he explained in a statement via text message on Friday (30/9).
According to Citizen Lab, ForcedEntry has been in use since at least February 2021. Citizen Lab disclosed the vulnerability and code to Apple, which has designated the ForcedEntry vulnerability CVE-2021-30860 and described the vulnerability as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
Citizen Lab found ForcedEntry in files with the extension ‘.gif’ on the cellphone of an activist who had been hacked with the Pegasus spyware. There were 27 copies of a .gif file that is actually an Adobe PSD file, 748 bytes in size.
“Each copy of these files causes IMTranscoderAgent to crash on the device. The files also have 10-character names that look random,” wrote Citizen Lab.
“Four different files with a .gif extension, which are actually Adobe PDF files, contain a JBIG2-encoded stream. Two of these files have 34-character names and two have 97-character names,” they wrote.
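As an added example (not from the article, Citizen Lab or Apple), the following Python triage check flags the mismatch Citizen Lab describes: files carrying a .gif extension whose leading bytes identify them as PSD or PDF, and PDFs that embed a JBIG2-encoded stream. The sample attachments are constructed here for illustration; the magic-byte signatures are the standard ones for each format.

```python
from pathlib import Path

# Standard file signatures (magic bytes) for the formats involved.
GIF_MAGICS = (b"GIF87a", b"GIF89a")
PSD_MAGIC = b"8BPS"
PDF_MAGIC = b"%PDF"


def sniff_type(data: bytes) -> str:
    """Identify the real container type from its leading bytes, ignoring the file name."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(PSD_MAGIC):
        return "psd"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def check_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment looks suspicious; an empty list means no finding."""
    findings = []
    real = sniff_type(data)
    ext = Path(name).suffix.lower().lstrip(".")
    if ext == "gif" and real != "gif":
        findings.append(f"extension .gif but content is {real}")
    if real == "pdf" and b"/JBIG2Decode" in data:
        # A JBIG2 stream inside a PDF is declared by the /JBIG2Decode filter.
        findings.append("PDF contains a JBIG2-encoded stream")
    return findings


# Constructed samples: a 748-byte PSD posing as a GIF, a PDF with a JBIG2 stream
# posing as a GIF, and a genuine GIF header. None are real exploit files.
SAMPLE_PSD = PSD_MAGIC + b"\x00\x01" + b"\x00" * (748 - 6)
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
              b"/Filter /JBIG2Decode /Length 4 >>\nstream\n\x00\x00\x00\x00\nendstream\nendobj\n")
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"


def scan_samples() -> dict:
    """Run the check over the constructed samples, keyed by the (random-looking) file name."""
    return {
        "aBcDeFgHiJ.gif": check_attachment("aBcDeFgHiJ.gif", SAMPLE_PSD),
        "kLmNoPqRsT.gif": check_attachment("kLmNoPqRsT.gif", SAMPLE_PDF),
        "cat.gif": check_attachment("cat.gif", SAMPLE_GIF),
    }


if __name__ == "__main__":
    for fname, reasons in scan_samples().items():
        print(fname, "->", reasons or "ok")
```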
Citizen Lab then forwarded the artifacts to Apple on Tuesday (7/9/2021). Six days later, Apple confirmed that the files contained exploits against iOS and MacOS. Apple designated the vulnerability exploited by ForcedEntry as CVE-2021-30860 and described it as “processing a maliciously crafted PDF may lead to arbitrary code execution.”
According to Citizen Lab, ForcedEntry works by exploiting an integer overflow vulnerability in Apple’s image rendering library (CoreGraphics). In addition, there are two indications that led Citizen Lab to attribute ForcedEntry to the NSO Group.
First, the spyware installed by ForcedEntry exhibits a forensic artifact called Cascadefail, a bug in which evidence is incompletely removed from a file on the phone called DataUsage.sqlite.
“We only found this type of incomplete removal associated with NSO’s Pegasus spyware. We believe the bug is unique enough to be identified with NSO,” wrote Citizen Lab.
Second, the spyware installed by ForcedEntry uses process names such as ‘setframed’. That name was also used in the Pegasus spyware attack by NSO Group on Al Jazeera journalists in July 2020.
Can it be fought?
Researchers from Google call ForcedEntry an extraordinary cyberweapon. The reason is that the attack can take place without any action by the iPhone’s owner.
“NSO offers their clients a clickless exploit technology, where even targets who are highly technically savvy, and don’t click on suspicious links, are completely unaware that they are being targeted,” Google researchers wrote in Project Zero.
“In a clickless scenario, there is no need for interaction with the user. That means the attacker does not need to send a phishing message. The exploitation process takes place silently in the background. There is no way to prevent exploitation in a clickless manner like this. No defense can withstand it,” they wrote.
According to the Google team, the entry point for this attack is iMessage. Anyone can be a target as long as the attacker has their cell phone number or Apple ID.
Pratama also recommends regularly updating iOS devices, although how effective this is against ForcedEntry is not yet known.
“To avoid such attacks, it seems rather difficult, but at a minimum, users must always update as soon as possible if the iOS operating system developer provides an update,” he said.
“However, hacking attacks are always evolving. So whether the next attack will succeed in breaking into Apple’s new patch, we don’t know for sure.”
Apple itself took the NSO Group to court in December 2021 over the Pegasus spyware. Apple accused NSO of carrying out state-sponsored attacks on iOS devices.
However, Apple claims that, although Pegasus continues to evolve, there is no evidence that the attack was successful against iOS 15 or the latest version of the OS on the iPhone.