How “zero-clicks” work, and how to defend against them

Some people believe that if you don’t click on dangerous links, open suspicious files, or install programs from untrusted sources, you don’t have to worry about malware infections. Unfortunately, this isn’t entirely true. There are so-called zero-click exploits that don’t require any actions of the targeted user.

Creating zero-click exploits requires both serious expertise and significant resources. The vulnerabilities needed for zero-clicks to work are, to say the least, not easily discovered — information about such security issues can cost hundreds of thousands, if not millions of dollars on the black market.

However, this does not mean that attacks using zero-click exploits are rare. Information about vulnerabilities (including those suitable for creating zero-click exploits) is often published by researchers on the Internet, sometimes along with proof-of-concept code. That is, after some time, any cybercriminal who follows infosec news will be able to use this vulnerability in their malware. Yes, software developers try to fix such vulnerabilities ASAP, but as we know, not everyone promptly installs updates.

Also, we should not forget about vulnerabilities in IoT devices, servers, and other connected systems such as network attach storage (NAS). All this equipment operates without constant human control, and therefore exploits designed to attack them do not rely on any user action. Either way, it’s worth at least knowing about zero-click attacks; even better — to take some measures to protect your company against them.

Examples of zero-click attacks

Using real-life examples of zero-click attacks, let’s see how they work in practice, and what methods the creators of these exploits use to achieve their goals.

The Operation Triangulation espionage campaign

Not long ago, employees of our company were attacked by an unknown group using, among other things, a zero-click exploit. After discovering it, we named this espionage campaign Operation Triangulation. Using Apple’s iMessage service, the attackers sent a message to the victim’s iPhone with a special attachment containing an exploit. Thanks to a previously unknown vulnerability in iOS, this exploit, without any user input, triggered the execution of malicious code that connected to a C2 server and gradually loaded additional malicious payload. It first elevated privileges using additional exploits and then launched a full-blown APT platform.

To get around the iPhone’s internal security mechanisms, the platform operated exclusively in the device’s RAM. It allowed the attackers to collect information about the owner and launch additional plugins downloaded from С2 servers. The infection was only detected thanks to our network event monitoring and analyzing system.

Of course, Apple quickly fixed this vulnerability, but it is not the first exploitation of a bug in iMessage that allows attackers to infect an iPhone using an invisible malware. Since attackers are actively researching this service, there is no guarantee that they will not find some alternative method and use it (possibly even for mass attacks).

Intellexa Predator spyware and a zero-click vulnerability in Safari

Another fairly recent example: Apple recently released an important update for iOS, macOS, and some other software products, fixing several serious vulnerabilities. A vulnerability in the WebKit (a browser engine used by Apple Safari browser) was exploited by a zero-click exploit, part of Intellexa Predator spyware.

First, the attackers waited for the moment when the victim accessed a website whose connection didn’t use encryption (that is, HTTP rather than HTTPS). After that, they conducted a man-in-the-middle (MITM) attack by redirecting the victim to an infected site. Then, the aforementioned vulnerability in the Safari browser was exploited — it allowed the attackers to execute arbitrary code on the iPhone without any action from the victim. Subsequently, the criminals used additional vulnerabilities to install spyware on the compromised iPhone.

Researchers also discovered a similar exploit chain that the creators of Predator used to infect Android smartphones. In this case, the zero-click attack was executed in the Chrome browser.

Earlier this year, we reported other vulnerabilities of this kind in both Apple Safari and Google Chrome. All of them enable the creation of malicious web pages that, in turn, infect with malware the smartphones or computers of users who visit them — again without any additional actions on the part of the victims.

How to defend against zero-click attacks

Since the primary danger of zero-clicks lies in the fact that their creators don’t require any active action at all by the victim, the usual principles of online hygiene aren’t very helpful here. However, there are still some things you can do to protect devices:

• Keep software up to date — especially the operating system and all browsers installed on it.
• If you have any reason to be concerned about attacks using high-level commercial spyware (such as NSO Pegasus), see our dedicated post with recommendations on how to defend against them.
• For iPhone users, it’s good to use Lockdown Mode. This mode helps partially protect against serious attacks, but should by no means be considered a panacea.
• Supply all corporate devices with a reliable protective solution that will take care of security during periods when new vulnerabilities are already being exploited, but the corresponding patches haven’t yet been released.
• This also applies to iOS. Yes, due to Apple’s policy, there are no full-fledged antivirus solutions for this operating system. However, Kaspersky Endpoint Security for Business includes an application that does at least block dangerous web pages, thereby reducing the likelihood of vulnerabilities being exploited in the browser.