SolarWinds hackers used iOS zero-day to penetrate iPhones used by government officials
A newly uncovered zero-day exploit impacting older versions of iOS was leveraged by Russia-backed hackers in a campaign that targeted officials of Western European governments.
Outlined by Google's Threat Analysis team in a report on Wednesday, the attack involved messages sent to government officials over LinkedIn.
Victims who visited a provided link on their iOS device would be redirected to a domain that served up an initial malicious payload that subsequently examined device authenticity. After multiple validation checks were satisfied, a final payload containing the CVE-2021-1879 exploit was downloaded and used to bypass certain security protections.
According to Google, the zero-day disabled Same-Origin-Policy safeguards, the browser protections that stop a script running on one site from reading data belonging to another. With that defense switched off, the attackers were able to gather website authentication information from Google, Microsoft, LinkedIn, Facebook, Yahoo and others and send it to an attacker-controlled IP address, the report said.
"The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit," write Maddie Stone and Clement Lecigne. "The exploit targeted iOS versions 12.4 through 13.7."
Browsers that support Site Isolation features, like Chrome or Firefox, are not impacted by Same-Origin-Policy attacks.
While Google does not name the hacking group that conducted the attack, it does say that the operation coincided with a campaign from the same actor targeting Windows computers. ArsTechnica, which reported on Google's findings today, identifies the actors as Nobelium, the same team behind 2019's SolarWinds hack. Nobelium also used an attack vector involving CVE-2021-1879 in a hack related to the United States Agency for International Development.
Apple patched the flaw in March.
Comments
In either event the western democracies seem helpless in the face of these attacks.
And enough of the bullshit of refusing to update your devices because of fear, some goofball app not working, general hesitancy to update. You know, like getting vaccinated.
Not sure if that was the case here, though even if it reads as if it were.
As for Stuxnet, never trust a second party with your code.
True! There's a lot of competition out there:
"July 15 (Reuters) - An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.
The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.
Technical analysis by security researchers details how Candiru's hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show."
I wonder what we're doing about it to defend ourselves and our companies? Anything? Anything at all?
Sure fine, but how about companies producing devices and software make security their first and top priority? This along with the disincentive of life imprisonment for hacking might be the way forward. Also, prison time for not adequately securing customer data would be helpful - for executives, not the lower level workers.
So, why should others play nice when we don't. Biden just today told Putin to rein in these supposed "Russian hackers". Then, Biden noted, we have the capability to do the same to them. Then, Biden continued with his Cold War rhetoric.
Too much bumper sticker level thinking.
Like the banksters of the 2008 collapse, the CEOs and their corporations are rewarded for making money, rather than protecting the data of their clients. When that is stolen or destroyed they, and their corporations, face little or no punishment. In the case of the hacking of consumer-facing systems, they typically offer a come-on of "12 months of free ID protection" -- which is simply a lead-in to hooking them on month-to-month contracts after the 12 months.