Update your iOS device to version 9.3.5, or beware.

Apple last week released a patch for three bugs that could allow hackers to remotely jailbreak iPhones and steal messages, call information, emails, logs, and more–a dangerous threat for enterprises with sensitive data.

“If Apple has gone through the trouble of putting out an emergency patch, there are likely active attacks occurring within the system,” said John Pironti, president of IP Architects. The patch was available 10 days after a tip from researchers, an aggressive timeline for the company, he added. “There is a heightened sense of alert on this one.”

Citizen Lab at the University of Toronto discovered the bugs and alerted Apple. The group released a report last week that detailed how they uncovered the security flaws after an alert from Ahmed Mansoor, an internationally recognized human rights defender in the United Arab Emirates.

“On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising ‘new secrets’ about detainees tortured in UAE jails if he clicked on an included link,” the report stated. “Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.”

Citizen Lab and Lookout Security determined that the messages were a sophisticated attempt to spy on Mansoor through his iPhone 6. If he clicked on the link, it would have remotely jailbroken his phone and installed spyware called Pegasus, the report said.

Pegasus allows a cybercriminal to target and jailbreak an iOS device and monitor its owner. It can also collect information from different apps, contact lists, calendars, and messaging services. Citizen Lab and Lookout Security called the three iOS vulnerabilities that made phones susceptible to the spyware Trident.

“The implant installed by the Trident exploit chain would have turned Mansoor’s iPhone into a digital spy in his pocket,” the report stated. “The spyware…was capable of employing his iPhone’s camera and microphone to eavesdrop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.”

The Pegasus malware was professionally developed and sold by an Israel-based company called NSO Group, which sells mobile surveillance software to governments worldwide. The company is owned by American venture capital firm Francisco Partners Management. The attack kit costs about $8 million for 300 licenses, leading Lookout researchers to believe that it is likely being actively used against other iPhones globally. Pegasus is only sold to governments, militaries, and intelligence agencies, Citizen Lab stated in its report.

The Citizen Lab researchers said it is likely that the UAE government was the attack operator in Mansoor’s case.

“The attack sequence, boiled down, is a classic phishing scheme: Send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information,” a Lookout Security blog post stated. “This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.”

The researchers quickly notified Apple of their findings. The company responded with the three patches–two in the kernel, and one in WebKit.

Business risk

The cost of the attack software likely means it will be used against high-value targets, such as CEOs and CTOs, Lookout researchers said in a blog post.

Still, “there are many others within your organization who could find themselves in an attacker’s crosshairs,” the post stated. “Rank-and-file employees with credentials to access enterprise networks are clearly perceived as valuable targets by global threat actors. Unprotected employee mobile devices with access to sensitive corporate data are now likely to be the lowest hanging fruit for attackers looking to breach an enterprise.”

You can find out if you’ve been impacted by the attack here.

Bottom line: All iOS users should install the 9.3.5 update immediately. Business leaders must ensure that all iOS work devices are updated as well to avoid an attack. Patching remains our best defense against cybercriminals, Pironti said.

“Patching must be done in an efficient and proactive manner–it’s no longer something that can be done on a standard IT schedule,” said Pironti. “If an emergency patch was issued by a vendor, organizations and individuals have to step up and correct those problems.”

The 3 big takeaways for TechRepublic readers

  1. Last week, Apple released a patch for three security flaws that allowed hackers to remotely jailbreak a user’s iOS device and steal information. Researchers named the vulnerabilities Trident, and the spyware that used them to jailbreak phones Pegasus.
  2. The vulnerabilities were discovered by researchers at Citizen Lab and Lookout Security, after they were alerted by a human rights defender in the United Arab Emirates who had been targeted.
  3. Company CEOs and CTOs may be at risk for the attack, as well as other employees with credentials to access enterprise networks. All individual professionals and enterprises should install the update immediately.