
Today, Apple confirmed (via TechCrunch) that a zero-day flaw used to deploy mercenary spyware onto journalists’ iPhones was quietly patched earlier this year, with the iOS 18.3.1 update.
The flaw, disclosed today in an updated security advisory, was exploited by Israeli surveillance firm Paragon to hack into the phones of at least two European journalists.
According to Citizen Lab, which investigated the attacks, Apple fixed the issue in iOS 18.3.1, released back in February, but didn’t mention anything about it until this week.
Originally, Apple’s February advisory only referenced a separate vulnerability, related to iPhone’s security locks. But as revealed by Citizen Lab in a report published today, Apple has updated that same advisory to acknowledge a second, then-undisclosed flaw: an issue in how iOS handled photos and videos sent via iCloud Links.
According to the company, this vulnerability “may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
Who was targeted?
Citizen Lab says the exploit was used to target Italian journalist Ciro Pellegrino and a second, unnamed “prominent” European journalist. Both had previously received Apple’s generic spyware threat notifications, without any details on the entity or method behind the attack.
Paragon first gained attention in January, when WhatsApp notified roughly 90 users (including journalists and human rights defenders) that they had been targeted with Paragon’s Graphite spyware. These alerts were followed by another wave in April, this time from Apple, which told some iPhone users across 100 countries that they may have been targeted by “mercenary spyware.”
At the time, Apple’s alert didn’t mention Paragon by name, which the company said was intentional for security:
We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future. Apple threat notifications like this one will never ask you to click any links, install an app or profile, or provide your Apple Account password.
Today’s report from Citizen Lab, however, confirms for the first time that Paragon was indeed behind at least two of the attacks affecting iPhone users who received Apple’s notification.