State-sponsored actors targeting journalists. Color me shocked.
The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit - The Citizen Lab
First we cover the technology and the exploits.
NSO Group’s Pegasus spyware is a mobile phone surveillance solution that enables customers to remotely exploit and monitor devices. The company is a prolific seller of surveillance technology to governments around the world, and its products have been regularly linked to surveillance abuses. [SNIP]
NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces.
WhatsApp was big in 2019 as a 'vector,' and iMessage has been showing up lately because iMessage was not sandboxed like other apps. (It's our app! What could go wrong?) But then I think I read somewhere there are a number of Safari exploits that are similar.
As always, the moral of the story is to upgrade to the newest version of the software. In this case that means version 14.something of iOS.
As for the attacks...
The journalists were hacked by four Pegasus operators, including one operator MONARCHY that we attribute to Saudi Arabia, and one operator SNEAKY KESTREL that we attribute to the United Arab Emirates.
So repressive dictatorships are targeting journalists. And others probably, but the journalists are so much interested in those others.
The increased targeting of the media is especially concerning given the fragmented and often ad-hoc security practices and cultures among journalists and media outlets, and the gap between the scale of threats and the security resources made available to reporters and newsrooms.
Translation: Journalists don't know squat about security. And mostly don't want to know. But then you can probably say the same about bankers, FBI agents and a host of others. And the sad thing is that Snowden published a "How to" for journalists (I think) at one point.
And none of this touches on the spying that the likes of F*c*book do. Oh, and F*c*book and Twitter and all the rest want you to know that they are not really "spying." They are just collecting a whole bunch of data about you. But it is all good, because you agreed to that when you clicked "accept" on the terms and conditions.