iOS zero-day allowed SolarWinds hackers to compromise fully updated iPhones | GeekComparison


The Russian state hackers who orchestrated last year’s attack on the SolarWinds supply chain exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing web authentication credentials from Western European governments, according to Google and Microsoft.

In a report published by Google on Wednesday, researchers Maddie Stone and Clement Lecigne said a “probably Russian government-backed actor” exploited the then-unknown vulnerability by sending messages to government officials via LinkedIn.

Moscow, Western Europe and USAID

Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers that delivered malware to Windows users, the researchers said.

The campaign closely follows one Microsoft announced in May. In that case, Microsoft said Nobelium — the name the company uses to identify the hackers behind the attack on SolarWinds’ supply chain — first compromised an account belonging to USAID, a U.S. government agency that manages civilian foreign and development aid. With control over the agency’s account at the online marketing firm Constant Contact, the hackers were able to send emails that appeared to come from addresses known to belong to the US agency.

The federal government has blamed last year’s supply chain attack on hackers working for Russia’s Foreign Intelligence Service (SVR for short). For more than a decade, the SVR has been running malware campaigns targeting governments, political think tanks, and other organizations in countries such as Germany, Uzbekistan, South Korea, and the US. Targets included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.

In an email, Shane Huntley, the head of Google’s Threat Analysis Group, confirmed the connection between the USAID attacks and the iOS zero-day, which resided in the WebKit browser engine.

“These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors,” Huntley wrote. “It is important to note that everyone draws actor boundaries differently. In this particular case, we join the assessment of APT 29 by the US and UK governments.”

Forget the sandbox

During the campaign, Microsoft said, Nobelium experimented with multiple attack variations. In one wave, a Nobelium-controlled web server profiled the devices that visited it to determine what operating system and hardware they were running. If the target device was an iPhone or iPad, the server used an exploit for CVE-2021-1879, allowing the hackers to launch a universal cross-site scripting attack. Apple patched the zero-day at the end of March.

In Wednesday’s post, Stone and Lecigne wrote:

After several validation checks to ensure that the device being exploited was a genuine device, the final payload would be used to exploit CVE-2021-1879. This exploit would disable Same-Origin-Policy protections to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo, and send them via WebSocket to an attacker-controlled IP address. The victim would need to have opened a session on these websites from Safari in order to successfully exfiltrate cookies. There was no sandbox escape or implant delivered through this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.

It rains zero days

The iOS attacks are part of a recent explosion in the use of zero-days. In the first half of this year, Google’s Project Zero vulnerability research group recorded 33 zero-day exploits used in attacks — 11 more than the 2020 total. need exploits to break through.

The other big driver is the increased supply of zero-days from private companies selling exploits.

“In the past, zero-day capabilities were only the tools of select nation-states that had the technical expertise to find zero-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “From the mid to late 2010s, more private companies entered the market selling these zero-day opportunities. Groups no longer need to have the technical expertise; now they just need resources.”

The iOS vulnerability was one of four in-the-wild zero-days reported by Google on Wednesday. The other three were:

The four exploits were used in three different campaigns. Based on their analysis, the researchers judge that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors. The researchers did not identify the surveillance company, governments or the specific three zero-days they referred to.

Apple representatives did not immediately respond to a request for comment.
