NEWS – The Washington Post and Amnesty International report claims that Pegasus spyware targeted journalists in India

WHAT IS A ZERO-CLICK EXPLOIT?

• Malicious software that allows spyware to be installed on a device without the device owner’s consent
• Doesn’t require the device owner to perform any actions to initiate or complete the installation.
• The specific exploit allegedly in use on the two devices is called BLASTPAST (previously identified as BLASTPASS)
• It plays out in two phases
  • Attack attempts to establish a link with the Apple HomeKit – which gives users a way to control multiple smart devices – on the target’s device
  • Some malicious content is sent via the iMessage app to the target. According to Amnesty, the purpose of the first phase – the ‘outreach’ – could be to determine how the device can be exploited or to keep it in sight for further exploitation in the future. The second phase is the one that delivers the full spyware “payload”.
• The two-stage attack process seen in this case is similar to the previous PWNYOURHOME Pegasus attack vector described by Citizen Lab and independently observed by the Security Lab