Dangerous Zero-Click Attacks

Reflect Security Solutions
May 14, 2022


Zero-click attacks, especially when combined with zero-day vulnerabilities, are difficult to detect and becoming more common.

What are Zero-Click Attacks

Zero-click attack definition

Zero-click attacks, unlike most cyberattacks, don’t require any interaction from the users they target, such as clicking on a link, enabling macros, or launching an executable. They are sophisticated, often used in cyberespionage campaigns, and tend to leave very few traces behind — which makes them dangerous.

Zero-click attacks often rely on zero-days, vulnerabilities that are unknown to the software maker. Not knowing they exist, the maker can’t issue patches to fix them, which can put users at risk. These attacks are often used against high-value targets because they are expensive.

Example of Zero-Click Attacks

The target of a zero-click attack can be anything from a smartphone to a desktop computer and even an IoT device.

A sophisticated zero-click attack associated with NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit being used to target a Saudi activist. This attack relies on an error in the way GIFs are parsed in iMessage and disguises a PDF document containing malicious code as a GIF. In its analysis of the exploit, Google Project Zero stated, “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.” The iMessage vulnerability was fixed on September 13, 2021, in iOS 14.8.
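A defender-side check for the disguise described above, where a file's real content type does not match the extension it claims. This is an added example, not code from the original article; the signature table, function names, and sample bytes are constructed for illustration.

```python
import os

# Leading-byte signatures for a few common attachment types (not exhaustive).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
EXTENSIONS = {".gif": "gif", ".pdf": "pdf", ".png": "png",
              ".jpg": "jpeg", ".jpeg": "jpeg"}


def sniff_type(data: bytes):
    """Return the type implied by the content, or None if unrecognised."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    # Lenient PDF readers accept the header anywhere in the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return None


def check_attachment(filename: str, data: bytes):
    """Compare claimed extension with sniffed content.

    Returns (verdict, claimed, actual); verdict is ok, mismatch or unknown.
    """
    claimed = EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    actual = sniff_type(data)
    if claimed is None or actual is None:
        return ("unknown", claimed, actual)
    if claimed != actual:
        return ("mismatch", claimed, actual)
    return ("ok", claimed, actual)


# Constructed sample inputs (not taken from any real exploit).
SAMPLES = [
    ("cat.gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"),
    ("funny.gif", b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n"),
    ("padded.gif", b"\x00" * 16 + b"%PDF-1.4\n"),
    ("report.pdf", b"%PDF-1.7\n"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_attachment(name, blob))
```

A mismatch is a reason to quarantine the file or decline to parse it, not proof of compromise.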

Zero-click attacks don’t only target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later the same year, a flaw in Microsoft Teams was proved to be exploitable through a zero-click attack that gave hackers access to the target device across major operating systems (Windows, macOS, Linux).

Detecting and Mitigating Zero-Click

Realistically, knowing if a victim is infected is quite tricky, and protecting against a zero-click attack is almost impossible. Still, users can do a few things to minimize the risk of being spied on.

  • Keep your operating system, firmware, and apps on all your devices up to date as prompted.
  • Only download apps from official stores.
  • Delete any apps you no longer use.
  • Avoid jailbreaking or rooting your phone since doing so removes protection provided by Apple and Google.
  • Use your device's password protection.
  • Use strong authentication to access accounts, especially for critical networks.
  • Use strong passwords — i.e., long and unique passwords.
  • Regularly back up systems. Systems can be restored in cases of ransomware, and having a current backup of all data speeds the recovery process.
  • Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings. Scammers routinely use pop-ups to spread malware.

How can we help?

Following basic security hygiene, user awareness, and security best practices can provide reasonable protection from such attacks. Our experienced security consultants can bring awareness of such attacks to the organization, thereby elevating the security maturity level of the organization's users.

To know more about our services, please contact info@reflectsecurity.com. Also, subscribe to our newsletter to know more about cyber security and the latest trends.

Reflect Security Solutions

Cyber Security evangelists working hard to make small and medium-sized businesses cyber safe. We focus on simplified and effective security solution