Russian state hackers who orchestrated last year's attack on the SolarWinds supply chain used an iOS zero-day as part of a separate malicious email campaign aimed at stealing web authentication credentials from Western European governments, according to Google and Microsoft.
In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said that "probably an actor backed by the Russian government" took advantage of a then-unknown vulnerability by sending messages to government officials over LinkedIn.
Moscow, Western Europe and USAID
The attacks, which exploited the zero-day tracked as CVE-2021-1879, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers that delivered malware to Windows users, the researchers said.
That campaign closely tracked one that Microsoft disclosed in May. In that case, Microsoft said Nobelium, the name Microsoft uses for the hackers behind the SolarWinds supply chain attack, first managed to compromise an account belonging to USAID, the U.S. government agency that administers civilian foreign aid and development assistance. By controlling the agency's account with the email marketing company Constant Contact, the hackers were able to send emails that appeared to come from addresses known to belong to the U.S. agency.
The federal government has attributed last year's supply chain attack to hackers working for the Russian Foreign Intelligence Service (SVR). For more than a decade, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries including Germany, Uzbekistan, South Korea, and the United States. Targets have included the U.S. State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.
In an email, Google Threat Analysis Group chief Shane Huntley confirmed the link between the USAID attacks and the iOS zero-day, which resided in the WebKit browser engine.
"These are two different campaigns, but based on our visibility, we feel that the actors behind the WebKit 0-day and USAID campaigns are the same group of actors," Huntley wrote. "It is important to note that all actors draw boundaries differently. In this particular case, we are in line with the US and UK governments' assessment of APT29."
Throughout the campaign, Microsoft said, Nobelium experimented with multiple variations of the attack. In one wave, a Nobelium-controlled web server profiled the devices that visited it to determine which OS and hardware they were running. When the target device was an iPhone or iPad, the server delivered an exploit for CVE-2021-1879, which allowed the hackers to carry out a universal cross-site scripting attack. Apple patched the zero-day in late March.
In a post Wednesday, Stone and Lecigne wrote:
After several validation checks to ensure that the device being exploited was the intended device, the final payload would serve an exploit for CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo, and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for the cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. Exploitation targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.
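The post above gives defenders two concrete handles on this campaign: the stolen cookies left the device over a WebSocket to a bare IP address, and only Safari on iOS 12.4 through 13.7 was exploited. The following triage script is an added example, not code from Google or from the article; it runs over a constructed, hypothetical proxy-log format (timestamp, client IP, method, URL, status, quoted user agent, and an `upgrade=` field, none of which correspond to any real product's log layout) and flags WebSocket upgrades whose destination host is a literal IP address, ranking higher those that come from Safari on an iOS version in the exploited range.

```python
"""Triage constructed proxy logs for the exfiltration pattern described in
the Google post: WebSocket connections from Safari on iOS to a bare IP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# iOS versions the Google post says the exploit targeted (12.4 to 13.7, inclusive).
EXPLOITED_MIN = (12, 4)
EXPLOITED_MAX = (13, 7)

# Hypothetical log format, constructed for this example:
#   <timestamp> <client_ip> <method> <url> <status> "<user_agent>" upgrade=<value>
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" upgrade=(\S+)$')
# Matches "iPhone OS 13_6" and the iPad form "CPU OS 13_6" in Safari user agents.
IOS_RE = re.compile(r"(?:iPhone OS|CPU OS) (\d+)_(\d+)")

# Constructed sample log: one WebSocket to a bare IP from Safari on iOS 13.6,
# one to a real hostname from macOS Safari, two plain HTTPS requests, and one
# WebSocket to a bare IP from a desktop browser.
CONSTRUCTED_LOG = """\
2021-03-10T09:14:02Z 10.0.0.21 GET https://news.example.org/ 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1" upgrade=-
2021-03-10T09:14:05Z 10.0.0.21 GET http://203.0.113.45:8080/ws 101 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1" upgrade=websocket
2021-03-10T09:15:11Z 10.0.0.33 GET https://chat.example.com/socket 101 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15" upgrade=websocket
2021-03-10T09:16:40Z 10.0.0.21 GET https://192.0.2.10/api 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1" upgrade=-
2021-03-10T09:20:01Z 10.0.0.40 GET wss://198.51.100.7/stream 101 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15" upgrade=websocket
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    host: str
    ios_version: Optional[str]
    reason: str


def parse_ios_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for iPhone/iPad Safari user agents, else None."""
    m = IOS_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_exploited_range(version: Optional[Tuple[int, int]]) -> bool:
    """True when the iOS version falls inside the range the post names."""
    return version is not None and EXPLOITED_MIN <= version <= EXPLOITED_MAX


def is_bare_ip(host: Optional[str]) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(log_text: str) -> List[Finding]:
    """Flag WebSocket upgrades to bare-IP hosts; rank iOS Safari in range highest."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage run
        ts, client, _method, url, status, ua, upgrade = m.groups()
        websocket = upgrade.lower() == "websocket" or status == "101"
        host = urlsplit(url).hostname
        if not (websocket and is_bare_ip(host)):
            continue
        ver = parse_ios_version(ua)
        ver_str = f"{ver[0]}.{ver[1]}" if ver else None
        if "Safari" in ua and in_exploited_range(ver):
            reason = "WebSocket to bare-IP host from Safari on iOS in exploited range 12.4-13.7"
        else:
            reason = "WebSocket to bare-IP host (review: unusual for browser traffic)"
        findings.append(Finding(ts, client, host, ver_str, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(CONSTRUCTED_LOG):
        print(f"{f.timestamp} {f.client_ip} -> {f.host} (iOS {f.ios_version}): {f.reason}")
```

This is a heuristic, not a signature: legitimate apps open WebSockets, and attackers can front their collection endpoint with a domain name, so the bare-IP check only narrows review. The two durable mitigations the post itself names are keeping Safari patched past late March 2021 and, for other browsers, Site Isolation, which keeps one compromised renderer from reading another site's cookies at all.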
It's raining zero-days
The iOS attacks are part of a recent explosion in zero-day exploitation. In the first half of this year, Google's Project Zero vulnerability research group recorded 33 zero-day exploits used in attacks, 11 more than the total for 2020. The growth has several causes, including better detection by defenders and better software defenses, which in turn require multiple exploits to break through.
Another major driver is the increased supply of zero-days from private companies that sell exploits.