What you need to know about Apple CVE-2021-30860, also known as FORCEDENTRY

March 9, 2022

On September 13, Apple surprised its users with a system update for iPhone, iWatch, iPad and macOS. That does not happen very often, and even less often with an official Apple notice stressing how important it is to install the update.

All of this followed a report by Citizen Lab confirming that a malicious PDF document can exploit the CVE-2021-30858 and CVE-2021-30860 vulnerabilities to execute commands on iOS and macOS. Bad news for users, but it is worth understanding what it means and where this threat comes from.

It all started in February 2021, when the company Forcedentry analyzed an iPhone that had been taken from a Saudi activist and found it infected with spyware of Israeli origin, called Pegasus, from the company NSO Group. They discovered a previously unknown (0-day), zero-click vulnerability that could be effective against any Apple-branded device.

Initial research assumed that iMessage was the path used to exploit this weakness, until on August 24 Citizen Lab published a report showing that these vulnerabilities could be, and were being, exploited through PDF documents that carry hidden commands which run on the device and give attackers access to the information stored on it.

The most serious aspect of this threat is that it is completely invisible and undetectable to the user. It has been used at least by NSO Group, as reported by several media outlets in the week of August 14 to 27, when the investigation was made public claiming that activists from the Bahrain human rights center had been spied on between June 2020 and February 2021 using this attack together with the software known as Pegasus.

How does it affect you...

We all handle data and contacts, and our devices are connected to the Internet. A vulnerability that nobody knew about (a 0-day) and that allows an attacker to take control of and spy on Apple mobile devices and computers is therefore an opportunity that attackers will not miss.

This set of circumstances makes every iPhone, iPad, iPod, iWatch and macOS user a potential victim of this threat from now on. Unfortunately for Apple, it is not the first case this year, nor the first uncovered by the analysis of phones belonging to Saudi activists, from which the following threats have been reported:

  • In January, three 0-days affecting iOS were being actively exploited.
  • In March, a 0-day was reported by researchers, but its exploitation was not confirmed.
  • In April, a 0-day for iOS and a 0-day for macOS, actively exploited by the Shlayer Trojan, which led to a rush of new macOS detection signatures.
  • In May, three more 0-days that allow command execution on mobile devices simply by visiting a website, plus a 0-day for macOS that bypasses the system's privacy protections.
  • In June, two 0-days were actively exploited against older mobile devices.

To do…

It is time to keep Apple devices fully updated, and to install immediately the updates released between September 13 and 15, described in the security bulletins https://support.apple.com/en-us/HT201222 and https://support.apple.com/en-us/HT212807.

These updates correct the weaknesses detected by Citizen Lab and other researchers, reducing the chance that criminals can take advantage of them to access the information on the devices or deploy espionage or hijacking malware.

This is not only about the iPhone: if you have an iPad, iWatch or a Mac, you should also install the updates as soon as possible, because once the vulnerabilities are public, the chances of them being used by the various criminal groups in cyberspace increase.

Source: Apple CVE-2021-30860
