What Is a Zero-Click Attack and Why is Everyone Talking About It?
After a cyberattack in late 2021 on an unknown Bahraini human rights activist, anxiety over zero-day vulnerabilities grew among cybersecurity professionals. According to Canadian internet watchdog Citizen Lab, which examined the device, the activist's iPhone 12 Pro had been compromised by a zero-click attack, in which no social engineering was required and the user did not need to click on any malicious link. This raises two questions for cybersecurity professionals: what are zero-click attacks, and what can we do to defend ourselves against them?
What Is a Zero-Click Attack?
A zero-click attack is one in which the malware requires no action from the intended target. Instead, it makes use of recently discovered software flaws. To create an entry point for malware that requires no user involvement, cybercriminals take advantage of undiscovered software flaws, sometimes referred to as zero-day vulnerabilities. The cybercriminal might, for instance, deliver the zero-day attack as a GIF over iMessage or as a WhatsApp missed call.
The zero-click attack on the activist from Bahrain was not the only one to be made public. In fact, this kind of attack has existed for a long time. In 2016, the United Arab Emirates enlisted former American intelligence agents to conduct a zero-click attack on activists.
Project Raven, the UAE's cyber operations division, created an iMessage that took advantage of a security hole and exposed photographs, text messages, and sensitive location data.
The former CEO of Amazon, Jeff Bezos, was the victim of a zero-click attack in 2019. Mohammad Bin Salman, the Saudi Arabian Crown Prince, is alleged to have targeted him. Investigators discovered that the Crown Prince sent Bezos a video clip on WhatsApp that had a downloader for encryption. The amount of data being transmitted from Bezos' phone increased considerably after he received this video.
In another well-known zero-click attack, a WhatsApp vulnerability was exploited using a tool called Pegasus, developed by the Israeli company NSO Group Technologies. Several prominent people, including members of the Arab royal family, advocates for human rights, leaders of governments, and others, had Pegasus installed on their devices. “In order to launch a fresh installation, the operator of the Pegasus system should merely insert the target phone number,” reads an exhibit from the trial where Facebook sued NSO in 2019. The system takes care of the rest automatically, which in most cases results in the installation of an agent (malware) on the target device.
How to Protect Yourself Against Zero-Click Attacks?
Zero-click attacks are intimidating because there isn't much you can do to stop them. Given that these attacks are highly targeted, you may rest easy knowing that you're doing everything you can to strengthen your security. Here are some guidelines for protecting your data and devices.
- Make sure the most recent security fixes are installed on your devices. Software providers stay on top of new security flaws and release fixes to lessen the risk of cyberattacks.
- Use a malware detection program to check your environment for potential cyber threats. These tools are designed to find malware on your devices.
- Use a firewall to stop harmful network traffic. You can lessen your susceptibility to zero-click attacks by limiting network traffic to what is necessary or by blocking malicious activity.
- Reduce entry points by consolidating vendors. The more software you permit access to your environment, the more vulnerable you are to potential zero-click attacks. Consolidating your vendor base reduces the number of access points for bad actors.
- Inform your users. Zero-click attacks frequently target a particular phone number or email address. Educating your users about sharing information online will help them avoid becoming a target for fraudsters.