Maximize your protection, eliminate business risks.
Optimize and modernize with cloud transformation.
Empower your people to work securely from anywhere.
Let us handle IT so you can focus on growing your business.
Get multichannel 24/7/365 expert end-user support.
Stay ahead of attacks with 24/7 protection and monitoring.
Maximize uptime with with industry-leading DRaaS.
Improve efficiency, productivity and outcomes with cloud.
Ensure all mobile devices, everywhere, are secure.
Gain a competitive edge with strategic IT solutions.
This battle-tested checklist enables your team to swiftly initiate a ransomware response.
IT for businesses of all sizes, in any industry.
Empower institution growth with custom IT solutions.
Ensure your firm is always in compliance.
Improve patient care and staff morale.
Deal with pressing legal matters, not IT.
Keep up with the evolving digital landscape.
Focus on your mission by outsourcing IT.
Accelerate PE client deals and secure data.
Leverage your technology as a strategic asset.
Execute initiatives and develop IT strategies.
Get the latest industry insights and trends.
Join us at events in person and online.
Hear from clients and learn more about strategic IT.
See how Dataprise can make IT your greatest asset.
Get informative technical resources from IT experts.
Stay on stop of emerging cybersecurity threats.
Discover the key areas of DR your organization needs to address to ensure downtime is minimized.
Gain a strategic asset by bringing harmony to IT.
Ensure 24/7 support and security with dedicated teams.
Drive business forward by partnering with Dataprise.
Meet our one-of-a-kind leadership team.
Discover the recognition Dataprise has earned.
Help us help businesses with strategic IT.
Embracing different perspectives and backgrounds.
Find a Dataprise location near you.
Dataprise is committed to empowering more women to consider a career in technology.
Posts
By: Dataprise
Table of content
Executive Summary
Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, discovered a zero-day zero-click exploit against Apple’s iMessage. They have named this exploit, FORCEDENTRY, and have attributed the exploit to the Israeli cyber mercenary group, NSO Group, that is responsible for creating the Pegasus spyware used in numerous high profile exploitations of celebrity, politician, and world leader mobile devices.
FORCEDENTRY is a zero-day exploit that targets Apple’s image rendering library, and is effective against Apple iOS, MacOS and WatchOS devices. Citizen’s Lab believes that FORCEDENTRY has been used in the wild since at least February 2021.
Citizen’s Lab responsibly reported the exploit and their findings to Apple who assigned CVE-2021-30860 to the issue and describes the vulnerability as, “processing a maliciously crafted PDF may lead to arbitrary code execution.” On Monday September 13., 2021 Apple released updates for all affected Apple products including Macs, iPads, and Apple Watches to patch the FORCEDENTRY zero-day vulnerability. Dataprise recommends immediately updating your Apple devices to the latest operating system version to close this vulnerability.
Impact
Successful exploitation of this vulnerability can allow an attacker to execute arbitrary code on your device. This vulnerability and exploit have been used thousands of times to install the Pegasus spyware software on the phones of political dissidents and human rights workers.
Detailed Analysis
Citizen Lab forwarded artifacts to Apple on Tuesday, Sept. 7 and on Monday, Sept. 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS.
The FORCEDENTRY exploit uses PDF data disguised as GIF files to circumvent Apple’s “BlastDoor” sandbox for message content. When FORCEDENTRY is used to exploit a vulnerable device, a specially crafted PDF document disguised as a GIF image is sent to an iMessage user which causes the IMTranscoderAgent, a service the device uses to transcode and preview images in iMessage, to crash. Once IMTranscoderAgent has crashed, the attacker can execute arbitrary code on the device.
Security researchers have observed FORCEDENTRY being used to install NSO Group’s Pegasus spyware which can surrupticiously turn on the device’s camera, microphones, and even capture encrypted messages sent to apps like Signal.
Citizen Lab’s analysis of the FORCEDENTRY payload from the investigation of a Saudi journalist’s phone revealed the following:
PDF Comment ‘%PDF-1.3nn’
obj 1 0
Type: /XRef
Referencing:
Contains stream
<< /Type /XRef /Size 9 /W [1 3 1] /Length … /Filter [/FlateDecode /FlateDecode /JBIG2Decode] /DecodeParms >>
trailer
<< /Size 2 >>
startxref 10
PDF Comment ‘%%EOFn’
Citizen Lab has identified several code signatures that have enabled them to make attribution to the Israeli NSO Group. In 2019 NSO used a zero-day exploit in WhatsApp to target more than 1,400 phones, and in 2020 NSO exploited another zero-click zero-day vulnerability in Apple’s iMessage dubbed KISMET. KISMET’s vulnerability was never publicly released, however it is suspected that the vulnerability was silently patched with the introduction of the BlastDoor capability in iOS 14, necessitating the need for a new zero-click zero-day to bypass the new sandboxing capability ultimately resulting in FORCEDENTRY.
Indicators Of Vulnerability
Exploitation of the FORCEDENTRY vulnerability does not typically result in an indicator that is evident to the end user. Exploited mobile devices can be remotely controlled and monitored with no outward evidence or indicator.
Mitigation Steps
There are currently no mitigations, other than patching these vulnerabilities. Disabling iMessage does not completely mitigate the vulnerability. All Apple devices should be updated to the versions below, released September 13, 2021.
Sources
CONTRIBUTING AUTHORS
Stephen Jones, Senior Director Cybersecurity
INSIGHTS
Subscribe to our blog to learn about the latest IT trends and technology best practices.