So, have you read the latest story about how Jeff Bezos’ iPhone was hacked using a malware implant, and then all his personal data on the phone was stolen? If not, the plot makes for a television drama series or big hit movie that takes the box office by storm. I apologize, but this blog won’t satisfy that storyline, but if you are a techie guy like me, continue on.
First off, my educated guess is that exploit likely used was this one: https://nvd.nist.gov/vuln/detail/CVE-2019-11931
Most sophisticated hackers, particularly those involving groups like the Hacking Team and NSO Group, cover their tracks by deleting logs and volatile memory, and auditing trail information stored on the device. That way, post-breach forensics cannot identify the techniques used by the malware implant to trigger the buffer overflow and perform the remote code execution (RCE) by sending and potentially opening an MP4 video file.
From everything I’ve read, it appears that a common social app, WhatsApp, was legitimately downloaded from the iOS App Store, and the malware implant, Pegasus spyware, was attached to the app surreptitiously as part of the exploit. At the time of the actual hack, the Pegasus spyware may not have been detectable as a zero-day by app reputation solutions. As soon as the exploit evolved, an elevation of privileges (EoP) threat, system tampering and file system changed threat would have been detected by MobileIron Threat Defense (MTD). As the exploit evolved to the device level, MTD and MobileIron UEM would have also detected the jailbreak state after the RCE was completed. A jailbreak of the device was most likely executed in order to access all personal data at the device’s root level and take over the entire device to exfiltrate the personal data.
If a VPN was used to transfer the stolen data, the default gateway changed threat would have been detected at the network level, when the data was being exfiltrated from the device.
If a company’s security policy is to ban leaky or suspicious apps on company-issued phones, we recommend that security teams blacklist the WhatsApp bundle, or specific versions of WhatsApp configured within the MTD management console. If the user installs WhatsApp, all UEM-provisioned settings and configurations are removed as part of a quarantine or retired from UEM, as a compliance action.
From all indications, there wasn’t a unified endpoint management or mobile threat defense solution installed on Mr. Bezos’ phone to potentially stop this attack in its tracks. These tools might be a good investment for the world’s richest man so this storyline doesn’t have a sequel.