Zero-click Exploits Explained

Apple Security Updates. Zero-Click Exploits Explained. Hacked? What To Do First.

In this post we'll explore Apple's recent security updates, their efforts to protect devices and users against cyber attacks, zero-click exploits, and what to do if you think you’re actively being attacked (lock down mode).

Apple’s July 2023 Security Updates

Apple recently released security updates via their Rapid Security Response initiative to address a series of zero-day and zero-click vulnerabilities that have been exploited in attacks targeting iPhones, Macs, and iPads. Among the vulnerabilities patched, a critical WebKit flaw (CVE-2023-37450) and a Kernel flaw (CVE-2023-38606) were actively exploited in attacks. The Kernel flaw was part of a zero-click exploit chain used to deploy spyware on iPhones. Apple also backported security patches for a previous zero-day (CVE-2023-32409) to devices running tvOS 16.6 and watchOS 9.6. These updates were included in macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5, covering a wide range of iPhone, iPad, and Mac models. In total, Apple has now patched 11 zero-day flaws this year for iOS, macOS, and iPadOS devices.

Apple’s RSR

Apple's Rapid Security Response is an initiative implemented by Apple to address critical security vulnerabilities and issues in their software products swiftly and efficiently. The primary function of this program is to accelerate the process of identifying, fixing, and releasing security updates for their operating systems and software applications. Apple introduced the Rapid Security Response program as a response to the growing concern over security vulnerabilities and the need to provide timely protection to their users. 

When a security vulnerability is discovered in an Apple product, whether through internal testing or by external researchers, it can be reported to Apple's security team. Upon receiving the report, the team assesses the severity and potential impact of the vulnerability. If the issue is deemed critical, meaning it could lead to serious security breaches or unauthorized access, it may be addressed as part of the Rapid Security Response program.

Under this initiative, Apple expedites the process of developing a security patch or update to fix the vulnerability. This involves a focused effort from Apple's engineering and security teams to quickly identify the root cause of the problem, develop an effective solution, and thoroughly test the fix to ensure it doesn't introduce new issues. Once the security update is ready, it is released to the public as part of an OS update. Additionally, Apple often provides advance notice of the release to major security researchers and organizations to allow them to prepare for the update and protect their users.

By implementing the Rapid Security Response program, Apple aims to demonstrate its commitment to security and privacy, instill confidence in its user base, and maintain a proactive approach to address security threats efficiently and effectively.

Zero-Click Exploits

A zero-click exploit is a type of cyber attack that takes advantage of security vulnerabilities in software or systems without requiring any interaction or action from the targeted user. Unlike traditional attacks that rely on users clicking malicious links or downloading infected files, zero-click exploits are fully automated, and can occur silently in the background. The attacker can compromise a device or system simply by sending a specially crafted data packet, or message, that triggers the vulnerability. These exploits are particularly dangerous because they can compromise devices or networks without the user's interaction, leading to a lack of reaction to the event.

One well-known example of a zero-click exploit is the Pegasus spyware developed by the NSO Group. Pegasus was notorious for its ability to silently infiltrate iOS devices without any user interaction, allowing attackers to monitor the device's communications, collect sensitive data, and gain access to various features. The zero-click exploit we mentioned in the first part of this post is eerily similar to Pegasus in what parts of the system and software it exploits, and how the attack is delivered and wiped.

To be clear, these are highly sophisticated attacks that are highly coveted by governments, APTs, and software companies alike. These exploits are typically highly specialized and tailored to target specific software vulnerabilities, which makes them far more difficult to develop and execute compared to standard cyber attacks. They are usually the product of extensive research and analysis of the target's systems and applications, and often require significant expertise in both the target software and exploit development.

Zero-click exploits involve multiple layers of exploitation, often chaining together various vulnerabilities or techniques. This complexity makes them much harder to develop, requiring a deep understanding of the target's architecture. These attacks  are highly valuable and are usually developed for very specific targets, such as high-value individuals such as political leaders, corporate leadership, reporters, government agents, and the like. The resources and time invested in creating such an exploit are not cost-effective for mass-scale attacks. Governments, intelligence agencies, or well-funded criminal groups often use zero-click exploits for espionage purposes. These attacks can provide access to sensitive information, proprietary data, or state secrets, which can be incredibly valuable.

Overall, the development and use of zero-click exploits require advanced technical skills, significant resources, and a clear motive for targeting high-profile and valuable assets. As a result, they are not typical attacks seen in the wild and are reserved for specific and high-priority targets.

Have I Been Hacked? First Steps

• If you suspect or know that you’re the victim of zero-click attack, it’s paramount that you first isolate the device from whatever network(s) you’re connected to. You can do this by entering airplane mode to disconnect from Wi-Fi, and remove the SIM card to disconnect from the cellular network.
• If you’re in a situation where you still need your phone to function to some degree, there is another option on the iPhone called Lockdown Mode.  Apple introduced Lockdown Mode in iOS 16 and macOS Ventura to enhance device security against these types of spyware and targeted attacks. Lockdown Mode allows users to temporarily disable certain device features, significantly reducing the attack surface that could be exploited by spyware. When activated, Lockdown Mode limits incoming calls and messages to known contacts only and blocks link previews in text messages to prevent IP address exposure. The mode also modifies Safari's behavior by disabling some features, such as just-in-time compilers and web-based fonts, to thwart malicious code execution. While Lockdown Mode might inconvenience users by limiting certain functionalities, it enhances overall device security and protects against various attack vectors. Lockdown Mode can be enabled by going to Settings  >> Privacy & Security >> Lockdown Mode.
• STOP. A knee-jerk reaction that a lot of us might have is to simply power off the device. While this seems like a good idea, there are a few reasons why you wouldn’t want to do this. The heart of the issue lies in the volatile nature of a computer's memory (RAM). Unlike data stored on a hard drive or other persistent storage devices, the contents of RAM vanish the moment the power is disconnected. Power cycling, which involves shutting down and restarting the device, results in the loss of critical evidence of the malware's presence in memory. This hampers an investigator's ability to capture real-time data, leaving them with a limited window to analyze the malware's behavior. RAM holds a treasure trove of valuable information for DFIR investigators. Analyzing live memory can provide essential clues about active processes, network connections, encryption keys, and even passwords. Power cycling disrupts this live context, making it extremely difficult, and sometimes impossible to retrieve vital artifacts that could shed light on the malware's activities and intent.
• Seek professional help. Immediately reach out to cybersecurity experts or incident response teams who specialize in handling sophisticated attacks. These professionals can provide guidance on how to proceed and investigate the incident further. If you’re a part of an organization who has the types of employees on staff, contact them immediately before doing anything other than step 1.
• Notify Apple. Report the incident to Apple's security team. They can provide valuable insights into the attack and may incorporate measures to protect other users from similar threats.
• Contact law enforcement, such as the FBI. Fair warning: reporting a nation-state level cyber attack to law enforcement can trigger complex investigations that may involve intelligence agencies and international cooperation. Be aware that the investigation process may be lengthy and might not always result in a resolution or recovery of compromised data.
• Update and restore your device. Once you have secured professional assistance and reported the incident, you may need to wipe your device and restore it to a known-good state. Be cautious about restoring from backups, as they could be compromised as well. Updating your device to the latest iOS version can also help patch known vulnerabilities.
• Be vigilant and expect more attacks. It’s highly likely that if you’ve been targeted by a sophisticated attacker, that they will continue to target you for some time. Establishing a relationship with experts and law enforcement will help you to better prepare for another round of attacks. While it may seem cumbersome, we’re all responsible for our own information security to some degree. Do your research and protect yourself to the best of your ability.

Conclusion

Apple's response to the recent zero-day and zero-click exploits serves as a testament to their commitment to security. Through their Rapid Security Response initiative, they have demonstrated a proactive approach to identifying and addressing critical security issues swiftly.

The prevalence of zero-click exploits highlights the evolving sophistication of cyber threats, emphasizing the importance of continuous vigilance and prompt action. These highly specialized attacks, like the notorious Pegasus spyware, are not typical and are usually reserved for targeting high-profile individuals.

If you find yourself suspecting a zero-click attack, taking immediate steps to isolate the compromised device and seeking professional help are crucial. Utilizing Apple's Lockdown Moded and reaching out to cybersecurity experts can provide invaluable support during the investigation and remediation process.

Remember to report any incidents to Apple's security team and, if necessary, law enforcement agencies. Their involvement can aid in protecting others from similar threats and contribute to potential resolutions.

While the threat of advanced cyber attacks persists, staying informed and implementing security best practices can significantly reduce the risk. Regularly updating your devices and maintaining a relationship with cybersecurity experts can help you stay ahead of potential threats.

In this ever-evolving digital landscape, safeguarding your data and privacy is a shared responsibility. By staying proactive and well-prepared, you can better defend against sophisticated attacks and navigate the complexities of modern cybersecurity. Let’s continue to prioritize our information security and work collectively to build a safer digital world for everyone now and in the future.