[ad_1]
Russian state hackers who orchestrated the SolarWinds supply chain attack last year once exploited iOS zero as part of a separate malicious email campaign to steal credentials Western European governments web, according to Google and Microsoft.
In an article published by Google on Wednesday, researchers Maddie Stone and Clement Lecigne said that a “likely Russian government-backed actor” exploited the then-unknown vulnerability by messaging government officials through LinkedIn.
Moscow, Western Europe and USAID
Attacks targeting CVE-2021-1879, as day zero has passed, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.
The campaign closely follows a leaked Microsoft in May. In this case, Microsoft said that Nobelium – the name the company uses to identify the hackers behind the SolarWinds supply chain attack – first successfully compromised a USAID-owned account, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account for online marketing firm Constant Contact, hackers could send emails that appeared to use addresses known to belong to the US agency.
The federal government attributed last year’s supply chain attack to hackers working for the Russian Foreign Intelligence Service (SVR for short). For more than a decade, the SVR has carried out malware campaigns targeting governments, political think tanks and other organizations in countries such as Germany, Uzbekistan, South Korea and the United States. . Targets included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.
In an email, Shane Huntley, head of Google’s threat analysis group, confirmed the link between the attacks involving USAID and zero-day iOS, which resided in the browser engine WebKit.
“These are two different campaigns, but based on our visibility, we consider the actors behind the 0-day WebKit and the USAID campaign to be the same group of actors,” wrote Huntley. “It’s important to note that everyone draws the boundaries of actors differently. In this particular case, we are aligned with the assessment of APT 29 by the US and UK governments.
Forget the sandbox
Throughout the campaign, Microsoft said, Nobelium experimented with several variants of the attack. In a single wave, a Nobelium-controlled web server profiled the devices that visited it to determine what operating system and hardware the devices were running on. If the targeted device was an iPhone or iPad, a server was using an exploit for CVE-2021-1879, which allowed hackers to launch a universal cross-site scripting attack. Apple corrected the zero-day at the end of March.
In Wednesday’s post, Stone and Lecigne wrote:
After several validation checks to ensure that the operated device was an actual device, the final payload would be served to operate CVE-2021-1879. This exploit would disable Same-Origin-Policy protections in order to collect authentication cookies from several popular websites including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an IP address controlled by an attacker. The victim would need to be logged on to these websites from Safari for the cookies to be successfully exfiltrated. There was no escape from sandbox or implant delivered via this feat. The exploit targeted iOS versions 12.4 to 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with site isolation enabled, such as Chrome or Firefox.
It rains on zero days
IOS attacks are part of a recent explosion in the use of zero days. In the first half of this year, Google’s Project Zero vulnerability research group recorded 33 zero-day exploits used in attacks, 11 more than the total number in 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through.
The other big driver is the increased supply of zero-days from private companies selling exploits.
“0-day capabilities were previously only the tools of some nation states that had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” Google researchers wrote. . “Between the middle and the end of the 2010s, more and more private companies joined the market by selling these 0-day capacities. Groups no longer need to have technical expertise; now they just need the resources.
The iOS vulnerability was one of four zero-days in the wild detailed by Google on Wednesday. The other three were:
The four feats were used in three different campaigns. Based on their analysis, the researchers believe that three of the exploits were developed by the same trade surveillance company, which sold them to two different government-backed players. The researchers did not identify the watch company, governments, or the specific three zero days they were referring to.
Apple officials did not immediately respond to a request for comment.
[ad_2]
Source link