The open-source Mobile Verification Toolkit scans local iPhone/iPad backup images for filesystem IoCs (Indicators of Compromise) cataloged in STIX format, https://docs.mvt.re & https://github.com/mvt-project/mvt
> A collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices ... released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project along with a technical forensic methodology.
STIX IoC format, https://www.oasis-open.org/2021/06/23/stix-v2-1-and-taxii-v2...
> The [threat intelligence] work was based initially on three specifications contributed by the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).
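A worked illustration of the STIX-indicator-against-backup matching that the toolkit described above performs, added here as an example and not taken from MVT's own code base. It assumes a deliberately reduced subset of the STIX pattern language (single `=` comparisons, joined by `OR`) and uses a constructed bundle and constructed backup records whose ids, domains, paths and hashes are all placeholders, not real indicators.

```python
import json
import re

# Constructed STIX 2.1 bundle: every id, name and value below is a placeholder
# (the hash is 32 zero bytes), not a real indicator from any investigation.
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "constructed C2 domain",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example.invalid']",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "constructed implant files",
            "pattern_type": "stix",
            "pattern": "[file:path = '/private/var/tmp/constructed-implant' OR "
                       "file:name = 'constructed.plist'] OR "
                       "[file:hashes.'SHA-256' = '" + "00" * 32 + "']",
        },
        {   # Non-indicator objects are carried in the same bundle and must be skipped.
            "type": "malware",
            "id": "malware--00000000-0000-4000-8000-000000000004",
            "name": "constructed-family",
            "is_family": True,
        },
    ],
})

# Constructed records as a backup parser might emit them:
# (STIX object path, observed value, backup artefact it came from).
SAMPLE_RECORDS = [
    ("file:path", "/private/var/tmp/constructed-implant", "Manifest.db"),
    ("file:path", "/private/var/mobile/Library/Preferences/com.apple.example.plist", "Manifest.db"),
    ("domain-name:value", "C2.Example.Invalid.", "Safari History.db"),
    ("domain-name:value", "www.apple.com", "Safari History.db"),
    ("file:hashes.'SHA-256'", "00" * 32, "Manifest.db"),
    ("file:name", "constructed.plist", "Manifest.db"),
]

# Matches one `object:path = 'value'` comparison. Only the equality operator
# of the STIX pattern grammar is supported here; `!=`, LIKE, MATCHES, etc. are not.
COMPARISON_RE = re.compile(r"([a-z0-9_-]+:[^\s=!]+)\s*=\s*'([^']*)'")


def normalise(obj_path, value):
    """Canonicalise values so trivially different spellings still match
    (domains are case-insensitive and may carry a trailing dot)."""
    if obj_path == "domain-name:value":
        return value.strip().rstrip(".").lower()
    return value


def load_indicators(bundle_json):
    """Return {object_path: set(values)} from every STIX indicator in the bundle."""
    bundle = json.loads(bundle_json)
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_path, value in COMPARISON_RE.findall(obj["pattern"]):
            iocs.setdefault(obj_path, set()).add(normalise(obj_path, value))
    return iocs


def scan_records(records, iocs):
    """Return a list of {object_path, value, source} for every record hitting an IoC."""
    hits = []
    for obj_path, value, source in records:
        if normalise(obj_path, value) in iocs.get(obj_path, ()):
            hits.append({"object_path": obj_path, "value": value, "source": source})
    return hits


def scan_sample():
    """Run the constructed records against the constructed bundle."""
    return scan_records(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX_BUNDLE))


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['source']}: {hit['object_path']} = {hit['value']}")
```

The point of keying matches on the STIX object path rather than on raw strings is that a domain seen in Safari history is only compared with domain indicators and a file path only with file indicators, which keeps false positives down when an indicator value happens to be a common substring elsewhere in the backup.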
iOS IoC sources, please add to this list:
https://github.com/AmnestyTech/investigations
https://github.com/citizenlab/malware-indicators
https://securelist.com/operation-triangulation/109842/
Cautionary note: many entities do not allow running Kaspersky software including this tool.
https://en.wikipedia.org/wiki/Kaspersky_bans_and_allegations...
The fact that these 0days were clearly “burned” for this occasion tells me the NSA has no shortage of them.
Context, iMessage attachment based iOS exploit: https://news.ycombinator.com/item?id=36151220
Seems pretty noisy IMO. It prevents software updates with visible errors. I wonder if it's just the limitations of iOS or it's a non-nation state actor. I noticed it modifies some FaceTime files, I wonder if it exploits the camera through that.
The NSA has no problem with end to end encryption as long as they can listen in on one end.
> While monitoring the network traffic of our own corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we discovered a previously unknown mobile APT campaign targeting iOS devices.
What is APT in this context?
If you are someone “important”, you need to turn off iMessages as that is a huge risk factor as it's a system app. There will always be zero click exploits and that should be all you need to know.
Now we just need a tool to detect Pegasus and Graphite
Slightly off-topic, but how do I download an iCloud backup so I can scan it with this tool? The googles imply that I can only recover my device from the cloud, not retrieve old backups for other purposes.
iMazing supports the same kind of scanning based on the open source Mobile Verification Toolkit. Plus overall better backup management for iOS and iPadOS compared to iTunes even on the free tier.
https://imazing.com/guides/detect-pegasus-and-other-spyware-...
Warning: Kaspersky is a fierce supporter of Putin's fascist regime. His company is known for working for the FSB. Think twice before running any software created by them on your computer.
I would recommend forking it, thoroughly analysing every line of code and running it on a dedicated computer without internet. Always keep in mind you can't trust them at all.
FSB statement, from the same day Kaspersky reported this exploit:
https://www-fsb-ru.translate.goog/fsb/press/message/single.h...
Local, encrypted backups are a thing - use them.
It's debatable how useful this advice is for field agents, who might not be carrying a computer with them all the time, but for regular people it's entirely feasible.
If I was an intelligence agency, I would have one department whose job is to 'get caught'. I.e. they use dumb methods to spy on obvious targets, like using exploits to install malware that leaves a wake of plenty of discoverable info and loudly sends data back to the mothership.
I would then have another department whose job is to be as subtle as possible - for example, all their exploits are 'in ram' and all data sent back is plausibly deniable. (for example, rather than using a random 256 bit nonce while establishing an HTTPS connection to apple to check for updates, use 256 bits of encrypted data you wish to exfiltrate)