Cyber attacks through zero-click exploits are nothing new. What is a new trend, however, is that even ordinary users are becoming targeted.
A zero-click exploit is the exploitation of a security flaw in software that allows an attacker to remotely attack a device without any user interaction. This technique can be used for purposes such as espionage, device control, malware distribution, and even extortion. Overall, this is a dangerous technique that can have a significant impact on the security and privacy of users. The bad news is that users have very limited defences against such attacks.
“The fact that the number of groups specializing in this kind of attack is growing is very worrying. Attackers have adopted techniques previously used only by high-profile actors, such as state or government organizations and secret services. Cybercriminals are using the Exploit as a Service model (i.e. selling the exploit for a single payment) to also attack the private sector and ordinary users, rather than just high-profile or politically exposed individuals, government organizations, and other targets with valuable information,” says Petr Kocmich, the Global Cyber Security Delivery Manager at Soitron. That is why he believes it is important for businesses and users to follow models of best practice and procedures recommended in cybersecurity and to make sure they properly protect their devices from potential attacks.
One of the most well-known and well-described zero-click exploits was the ENDOFDAYS spyware, which was used to compromise iPhones, specifically iCloud calendar invitations.
“ENDOFDAYS is an exemplary case where an attacker is able to take control of an entire device without any interaction with the user. This includes the exfiltration of call recordings through access to the microphone and controlling access to the GPS location of the device. The attacker also gains access to both the front and back cameras and the ability to search files stored in the device. They can also disguise the spyware to avoid detection. The spyware enters the device in a mundane way – by sending a specifically crafted invitation to the iCloud calendar with older timestamps (an invitation that has already taken place in the past),” says Kocmich.
Such an invitation is automatically added to the user’s calendar without any notification or prompting, allowing the ENDOFDAYS exploit to run with no user interaction and making the attack undetectable to the target. The vulnerability has been patched in new versions of the system, but the flaw affected all versions of iOS from 1.4 to 14.4.2 and, according to research, was exploited primarily in 2021.
Despite this awareness, these exploits still exist, and very advanced applications evading detection in the system are written for specific vulnerabilities. “This clearly shows why it is necessary to update your device regularly. A zero-click exploit can be present on a device for a long period of time without the user being aware of it. That is why it is necessary to respect the principles of cybersecurity and ensure that the software is always up to date and that additional security measures are in place,” warns Kocmich.
For Apple, this is not the first or last zero-click exploit that has been discovered. In 2020, a vulnerability was discovered in the iMessage app that could be exploited by attackers to remotely execute a malicious code on users’ devices without any need to click a link or open an attachment. The Android operating system and individual mobile apps are also far from safe from these flaws.
“Some exploitable vulnerabilities in the current versions of operating systems and applications are not even known yet, even though they may already have been exploited. Until these vulnerabilities are discovered, they can first be exploited for espionage and ‘higher interest’ purposes before being monetized by selling the Exploit as a Service to customers on the dark web,” adds Kocmich. It turns out that even ordinary users may be vulnerable to zero-click exploits.
Zero-click attacks are usually based on vulnerabilities in software, including operating systems, applications, and services. The question is whether these are just unintended bugs, or whether they are deliberate.
“The faster new software is developed, the higher the need will be to manage and secure the code and the entire software development cycle. We automate testing, include additional security tests in the early stages of development (Shift-Left) in the CI-CD pipeline, perform static and dynamic code reviews, use artificial intelligence to find bugs in the code, and subject the final result to both automated and manual penetration testing; however, it would be foolish to assume that all types of vulnerabilities are caused by common errors in the code. The question is whether some vulnerabilities are actually deliberate backdoors, serving specific purposes,” concludes Kocmich.
We are in the process of finalizing. If you want to be redirected to our old version of web site, please click here.