Mobile Threat Blog

  • Mobile
    Security Insights
  • Mobile
    Threat Research
  • Mobile
    Security Tips

The Trident exploit — so named because it uses three zero-day attacks to achieve its objective — has captured the security narrative. Trident is further evidence of lengths to which bad actors will go to capture your mobile data. Well, maybe not *you* in this case, as Trident is a targeted attack which means it’s directed at specific high-value targets such as dissidents, journalists, terrorism suspects or executives in critical infrastructure industries. At a black-market cost of $8 million — compared to most attack kits which are under $50 — Trident is most likely malware for use by nation states. Apple has addressed the vulnerability in iOS release 9.3.5.

What is Trident?

In a blog post, Citizen Lab wrote, “On August 10 and 11, 2016, [Ahmed] Mansoor [a human rights defender based in the United Arab Emirates (UAE)] received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. […] The ensuing investigation […] determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.  We are calling this exploit chain Trident.  Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements. We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find.”

Note that the core malware in the Trident exploit is referred to as Pegasus, so popular press reports may reference Pegasus and/or Trident with regard to this exploit. Trident refers to the exploit chain by which the iPhone is surreptitiously jailbroken; Pegasus is the malware, sometimes referred to as spyware, that is installed after the jailbreak, enabling hackers to eavesdrop using the iPhone camera and microphone, record WhatsApp and Viber calls, log chat messages and emails, track location and steal passwords.

The three zero-days that constitute the Trident exploit have been captured in the following CVEs:

  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution. WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
  • CVE-2016-4655: An application may be able to disclose kernel memory. The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges. The kernel in Apple iOS before 9.3.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

This exploit was a very targeted attack against a high profile individual so it is unlikely that the exploit will be widely found (if at all) on enterprise devices. Appthority nonetheless advises all iOS users to upgrade to OS version 9.3.5 in which Apple has addressed the vulnerability. Keeping device OS’s current is always a best practice to benefit from security updates.

Appthority also advises enterprises to inform their employees to exercise care in clicking on SMS or other message links including Twitter and chat messages. Clicking on a malicious link can compromise a mobile device and lead to loss of privacy and loss of credentials. This exploit used a spear phishing-type approach which we commonly see executed via email and which is very effective for malicious actors. Here, the difference was, instead of enabling an infrastructure attack, it enabled the compromise of a mobile device.

For an overview of how the Appthority solution addresses spear phishing risks, you can view this video.