In late 2021, the cyberattack on an unnamed Bahraini human rights activist left cybersecurity activists with a growing concern about zero-day vulnerabilities. The Canada-based internet watchdog, Citizen Lab, analyzed the phone and found that the activist’s iPhone 12 Pro had been compromised by a zero-click attack – one where social engineering wasn’t necessary, and the user didn’t need to click on any malicious link. This leaves cybersecurity experts with questions – what are zero-click attacks? And what steps can we take to protect ourselves against this type of attack?
What Is a Zero-Click Attack?
A zero-click attack is a type of attack that delivers malware without requiring any action from the intended target. Instead, it exploits zero-day software vulnerabilities. Cybercriminals take advantage of unknown software bugs, also known as zero-day vulnerabilities, to create a point of entry for malware that requires no interaction. For example, the cybercriminal could send the attack in the form of a GIF over iMessage or a missed call on WhatsApp.
The zero-click attack on the Bahraini activist was not the first reported zero-click attack. In fact, this type of cyberattack has been around for many years. In 2016, the United Arab Emirates contracted the help of former American intelligence operatives to launch a zero-click attack on activists. Project Raven was the UAE’s cyber operations unit that crafted an iMessage that exploited a security flaw and resulted in leaked photos, text messages, and compromising location information.
In 2019, Jeff Bezos, former CEO of Amazon, was the target of a zero-click attack. He was allegedly targeted by the Crown Prince of Saudi Arabia, Mohammad Bin Salman. Investigators found that the Crown Prince sent a video file to Bezos over WhatsApp that had an encrypted downloader embedded in the video. After receipt of this video, the amount of data being transmitted from Bezos’ phone increased significantly.
In another infamous zero-click attack, a technology called Pegasus was created by Israeli technology firm NSO Group Technologies to exploit a WhatsApp vulnerability. Pegasus was installed on several notable figures’ devices including Arab royal family members, human rights activists, heads of governments, and more. An exhibit from the trial where Facebook sued NSO in 2019 says, “In order to initiate a new installation, the operator of the Pegasus system should only insert the target phone number. The rest is done automatically by the system, resulting in most cases with an agent [malware] installed on the target device.”
How to Protect Yourself Against Zero-Click Attacks
Zero-click attacks are daunting because there’s not much you can do to prevent them. You may take peace of mind in knowing that these are very targeted attacks, and you can still take steps to maximize your security posture. Here are a few tips to keep your data and devices secure.
- Ensure your devices are up to date with the latest security patches. Software vendors keep up with new security vulnerabilities and deploy patches to reduce your risk of cyber threats.
- Use a malware detection tool to scan your environment for potential cyber threats. These tools are designed to detect the presence of malware on your devices.
- Use a firewall to block malicious network traffic. By only allowing necessary network traffic or blocking malicious traffic, you can reduce your vulnerability to zero-click attacks.
- Reduce entry points by consolidating vendors. The more software that you allow access into your environment, the more you are exposed to potential zero-click attacks. By consolidating the number of vendors you have, you reduce the number of entry points for bad actors.
- Educate your users. Zero-click attacks often occur by targeting a specific phone number or email address. Educate your users about sharing their information online to reduce the risk of becoming a target for cybercriminals.
If you are amongst the businesses with growing concerns about zero-click attacks, reach out to the cybersecurity specialists at Microserve. With over 30 years of experience in the industry, we know how to improve your security posture and reduce your vulnerabilities to zero-click attacks.