By Jarman J. Smith on September 30, 2021
Do you own an Apple product? If so, you should update its software immediately. Ahead of the anticipated release of its latest product development, the iPhone 13, Apple released emergency software updates for a critical spyware flaw in its products. Cybersecurity researchers at Citizen Lab uncovered a vulnerability in Apple products that allows highly invasive spyware from Israel’s NSO Group to infect any Apple user’s iPhone, iPad, Apple Watch or Mac computer with very little effort. [1] If left unpatched, this security vulnerability could be catastrophic for both Apple and its consumers. This instance demonstrates the importance of conducting routine security scans of your organization’s networks and implementing proper cybersecurity measures.
Vulnerability Threat Identified as Pegasus Spyware
Apple’s security team worked continuously to develop a fix after Citizen Lab discovered that a Saudi activist’s iPhone had been infected with an advanced form of spyware from NSO. The spyware, called Pegasus, used a newly developed method to discreetly compromise Apple devices without users’ knowledge. The process is known as a “zero-click remote exploit” because it allows cybercriminals to secretly break into someone’s device without alerting the victim. Using the zero-click infection method, Pegasus can remotely turn on a user’s camera and microphone and record messages, texts, emails, and calls, even if those messages were sent via encrypted messaging applications. The extracted information could then be sent back to NSO’s government clients around the world. Essentially, the Pegasus spyware can do everything an ordinary iPhone user can do on their device plus more.
Implications of this Incident
The discovery of Pegasus means that more than 1.65 billion Apple products in use worldwide have been vulnerable to NSO’s spyware since as early as March 2021. It signals a serious escalation in the cybersecurity arms race, with cybercriminals seeking to extract valuable information and others seeking to defend against the onslaught of cybersecurity incidents. Prior to the new zero-click method, victims learned their devices were infected by spyware only after receiving a suspicious link texted to their phone or email and sharing the link with cybersecurity experts. However, with the evolution of cybercrime, victims of this latest incident receive no such prompt, and the flaw enables full access to Apple users’ digital lives. Apple has urged its customers to immediately run the latest software updates for the vulnerability fix to take effect by installing iOS 14.8, macOS 11.6 and watchOS 7.6.2. Apple intends to introduce new security defenses for its texting application in its next iOS 15 software update, which is expected to be released later this year.
This year marks a record for the discovery of “zero-day” vulnerabilities, secret security flaws like the one NSO used to install its Pegasus spyware. Earlier this year, Chinese hackers were caught exploiting a zero-day vulnerability in Microsoft Exchange to steal emails and plant ransomware. [2] In July, cybercriminals used a zero-day in software sold by the tech company Kaseya to bring down the networks of thousands of companies. [3] The spyware industry has remained prevalent due to spyware sales being regularly tied to nondisclosure agreements and oftentimes rolled into classified programs with limited oversight. Due to this lingering spyware threat and the risks associated with untreated zero-day vulnerabilities, it is critical that all organizations, agencies, and bureaucracies conduct regular vulnerability scans of their computer networks and implement the appropriate cybersecurity and data protection practices.
Cybersecurity Vulnerability Testing Measures for Your Organization
There are multiple cybersecurity incidents that can occur within a business or organization at any given time. Many of these incidents can happen without anyone knowing, even if there is an IT team in place. However, it is possible to prepare for and avoid many cybersecurity incidents through proactive security testing. Adequate cybersecurity in a company usually requires certain tests with outside employees or consultants who will analyze the company’s website or network to uncover vulnerabilities using various methods. These vulnerability tests are important to fully protect client data and company information that is to remain confidential and safe from cybercriminals. We’ve outlined a few helpful tips regarding cyber-risk evaluations and cybersecurity best practices below.
- Vulnerability Scans. Vulnerability scanners can be used to assess a company’s computers to check for weaknesses. These weak points are exploited by cybercriminals to gain access and steal or copy company data. Vulnerability scanners also compare services and applications that run within the computer system against a database of already known weaknesses.
- Penetration Testing. Penetration testing involves experts who are hired by an organization to intentionally attack the organization’s network to review and assess its cybersecurity. This process is conducted in a controlled manner and allows a company to determine what types of malicious attacks may occur because of the apparent weaknesses.
- Program Update Checks. Maintaining outdated software can allow a cybercriminal to penetrate an organization’s systems more easily. Therefore, businesses should keep all software updated to the latest release to ensure that it receives the latest security patches.
- Consult with Experienced Professionals. An organization should align itself with experienced legal counsel to assist with possible cybersecurity liability issues and to facilitate the organization’s relationships with experts who can conduct security tests on its network.
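As an illustration of the program update check described above (an added example, not part of the original article), the following script compares a device inventory against the patched releases Apple named for this fix. The inventory columns, device names and the treatment of iPadOS under the iOS floor are assumptions made for the example.

```python
import csv
import io

# Minimum patched releases named in the article for this fix.
PATCHED = {"ios": (14, 8), "macos": (11, 6), "watchos": (7, 6, 2)}
# Assumption: iPads are held to the iOS floor (the article lists no iPadOS release).
ALIASES = {"ipados": "ios"}

# Constructed sample inventory (hypothetical MDM export, not real devices).
SAMPLE_INVENTORY = """\
device,platform,os_version
exec-iphone-01,iOS,14.7.1
legacy-iphone-02,iOS,9.3.5
field-ipad-03,iPadOS,14.8.0
design-mac-04,macOS,11.5.2
front-watch-05,watchOS,7.6.2
lobby-tv-06,tvOS,14.7
loaner-iphone-07,iOS,
"""

def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1); raises ValueError on empty or non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(version, floor):
    """Numeric compare with zero padding, so 14.8.0 == 14.8 and 9.3.5 < 14.8."""
    width = max(len(version), len(floor))
    return version + (0,) * (width - len(version)) >= floor + (0,) * (width - len(floor))

def audit(inventory_csv):
    """Return {device: 'patched' | 'needs-update' | 'review'} for each inventory row."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"].strip().lower()
        floor = PATCHED.get(ALIASES.get(platform, platform))
        try:
            version = parse_version(row["os_version"])
        except ValueError:
            version = None
        if floor is None or version is None:
            status = "review"        # platform not covered here, or unreadable version
        elif is_patched(version, floor):
            status = "patched"
        else:
            status = "needs-update"
        results[row["device"]] = status
    return results

if __name__ == "__main__":
    print("\n".join(f"{d}: {s}" for d, s in audit(SAMPLE_INVENTORY).items()))
```

Comparing versions as numbers rather than strings matters here: a plain string comparison would rank "9.3.5" above "14.8" and report the oldest device as patched.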
How Brouse Can Help
To maintain adequate levels of network security, organizations routinely contract with third parties to conduct vulnerability scans, penetration tests and other cybersecurity processes. These contractual engagements should never be established without legal counsel that can review or draft the associated agreements, consider any legal implications, and provide advice to protect the organization’s legal interests. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to establish and maintain relationships with cybersecurity experts and ultimately improve your organization’s network security. We also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2021 Brouse McDowell. All rights reserved.