iOS zero-day lets SolarWinds hackers compromise fully updated iPhones

The word DAY ZERO is hidden in the middle of a screen full of ones and zeros.

The Russian state hackers who staged the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing web authentication credentials from Western European governments, according to Google and Microsoft.

In a post Google published Wednesday, researchers Maddie Stone and Clement Lecigne said an “actor likely backed by the Russian government” exploited the then-unknown vulnerability by messaging government officials via LinkedIn.

Moscow, Western Europe and USAID

Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers that delivered malware to Windows users, the researchers said.

The campaign closely follows one Microsoft revealed in May. In that case, Microsoft said that Nobelium, the name the company uses for the hackers behind the attack on the SolarWinds supply chain, first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency's account with the online marketing company Constant Contact, the hackers could send emails that appeared to come from addresses known to belong to the US agency.

The federal government has attributed last year’s supply chain attack to hackers working for Russia’s Foreign Intelligence Service (abbreviated SVR). For more than a decade, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries including Germany, Uzbekistan, South Korea, and the United States. Targets have included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.

In an email, Shane Huntley, head of Google’s Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.

“These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors,” wrote Huntley. “It’s important to keep in mind that everyone draws actor boundaries differently. In this particular case, we are aligned with the APT 29 assessment of the US and UK governments.”

Forget the sandbox

Throughout the campaign, Microsoft said, Nobelium experimented with multiple attack variations. In one wave, a Nobelium-controlled web server profiled visiting devices to determine what operating system and hardware they were running. If the target device was an iPhone or iPad, the server used an exploit for CVE-2021-1879, which allowed the hackers to perform a universal cross-site scripting attack. Apple patched the zero-day at the end of March.

In Wednesday’s post, Stone and Lecigne wrote:

After several validation checks to ensure that the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo, and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for the cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.
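The post describes the exfiltration path concretely: a WebSocket from Safari on iOS 12.4 to 13.7 carrying harvested cookies to a bare attacker IP. The triage script below, added here as an illustration and not part of Google's or Ars Technica's material, scans constructed proxy-style log lines (pipe-separated fields; the format and the 203.0.113.x addresses are assumptions) and flags WebSocket sessions from a Safari user agent in the affected iOS range to a host given as a literal IP address rather than a domain name.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# iOS range named in the Google post as targeted by the exploit.
AFFECTED_MIN = (12, 4)
AFFECTED_MAX = (13, 7)
# Matches "CPU iPhone OS 13_5" (iPhone) and "CPU OS 13_5" (iPad).
UA_VERSION_RE = re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)")

# Constructed sample log lines: ts|src|method|url|status|user_agent|upgrade
SAMPLE_LOGS = [
    "2021-07-14T10:03:11Z|10.0.0.5|GET|wss://203.0.113.7:8443/s|101|Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1|websocket",
    "2021-07-14T10:03:12Z|10.0.0.6|GET|wss://chat.example.com/ws|101|Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1|websocket",
    "2021-07-14T10:03:13Z|10.0.0.7|GET|wss://203.0.113.7:8443/s|101|Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1|websocket",
    "2021-07-14T10:03:14Z|10.0.0.8|GET|https://203.0.113.7/index.html|200|Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1|-",
]

def ios_version(user_agent):
    """Return (major, minor) from an iOS Safari user agent, or None."""
    m = UA_VERSION_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None

def host_is_literal_ip(url):
    """True when the URL host is a bare IPv4/IPv6 address, not a domain."""
    host = urlsplit(url).hostname
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_line(line):
    ts, src, method, url, status, ua, upgrade = line.split("|")
    return {"ts": ts, "src": src, "url": url, "ua": ua, "upgrade": upgrade}

def is_suspicious(rec):
    """WebSocket from a Safari build in the affected range to a literal IP."""
    ver = ios_version(rec["ua"])
    if ver is None or not (AFFECTED_MIN <= ver <= AFFECTED_MAX):
        return False
    is_ws = urlsplit(rec["url"]).scheme in ("ws", "wss") or rec["upgrade"].lower() == "websocket"
    return is_ws and host_is_literal_ip(rec["url"])

def scan(lines):
    """Return (source, url) pairs for every log line that matches the pattern."""
    return [(r["src"], r["url"]) for r in map(parse_line, lines) if is_suspicious(r)]

if __name__ == "__main__":
    for src, url in scan(SAMPLE_LOGS):
        print(f"review: {src} opened WebSocket to literal-IP host {url}")
```

The user agent is client-supplied and the pattern is a triage heuristic, not proof of exploitation; hits are leads for checking the device's iOS patch level and the destination's reputation.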

It’s raining zero days

The iOS attacks are part of a recent explosion in zero-day usage. In the first half of this year, Google’s Project Zero vulnerability research group recorded 33 zero-day exploits used in attacks, 11 more than the total number in 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through.

The other big driver is the increased supply of zero days from private companies selling exploits.

“Zero-day capabilities used to be only the tools of select nation-states who had the technical expertise to find zero-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these zero-day capabilities. Groups no longer need to have the technical expertise; now they just need resources.”

The iOS vulnerability was one of four in-the-wild zero-days that Google detailed on Wednesday. The other three were:

The four exploits were used in three different campaigns. Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors. The researchers did not identify the surveillance company, the governments, or which three zero-days they were referring to.

Apple representatives did not immediately respond to a request for comment.
