Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing web authentication credentials from Western European governments, according to Google and Microsoft.
In a post Google published on Wednesday, researchers Maddie Stone and Clément Lecigne said that a "likely Russian government-backed actor" exploited the then-unknown vulnerability by messaging government officials via LinkedIn.
Moscow, Western Europe and USAID
Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers that delivered malware to Windows users, the researchers said.
The campaign closely tracks one Microsoft disclosed in May. In that case, Microsoft said that Nobelium, the name Microsoft uses for the hackers behind the SolarWinds supply chain attack, first compromised an account belonging to USAID, the US government agency that administers foreign aid and civilian development assistance. With control of the agency's account at the online marketing firm Constant Contact, the hackers could send emails that appeared to come from addresses known to belong to the agency.
The federal government attributed last year's supply chain attack to hackers working for the Russian Foreign Intelligence Service (abbreviated SVR). For more than a decade, the SVR has carried out malware campaigns targeting governments, political think tanks and other organizations in countries including Germany, Uzbekistan, South Korea and the United States. Targets have included the US State Department and the White House in 2014. Other names used for the group include APT29, the Dukes, and Cozy Bear.
In an email, the head of Google's Threat Analysis Group, Shane Huntley, confirmed the link between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.
"These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors," Huntley wrote. "It is important to note that everyone draws the boundaries of the actors differently. In this particular case, we are aligned with the US and UK governments' assessment of APT 29."
Forget the sandbox
Over the course of the campaign, Microsoft said, Nobelium experimented with several variants of the attack. In one wave, a Nobelium-controlled web server profiled the devices that visited it to determine what operating system and hardware they were running. When the targeted device was an iPhone or iPad, the server delivered an exploit for CVE-2021-1879, which allowed the hackers to launch a universal cross-site scripting (UXSS) attack. Apple patched the zero-day at the end of March.
In Wednesday’s post, Stone and Lecigne wrote:
After several validation checks to ensure that the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would disable Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and send them via WebSocket to an attacker-controlled IP address. The victim would need to be logged in to these websites from Safari for the cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abuse Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.
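The quoted description gives defenders one concrete network artifact to hunt for: a WebSocket handshake from the browser to an attacker-controlled IP address. The following is an added example, not code from Google TAG, Microsoft or Apple, showing how a proxy or NetFlow-style review could flag WebSocket upgrades whose destination is a bare IP literal rather than a hostname. It assumes the attacker endpoint appears as a literal IP in the Host header (the post says only "an IP address controlled by an attacker"); exfiltration to a registered domain would not be caught by this check. The request records are constructed, and the record layout is an assumption.

```python
"""Flag WebSocket handshakes whose destination Host is a literal IP address.

Added example (not from the original post or the researchers). The request
records below are constructed; 203.0.113.0/24 and 2001:db8::/32 are
documentation ranges, not real attacker infrastructure.
"""
import ipaddress
from typing import Dict, List


def bare_ip_host(host: str) -> bool:
    """True if the Host header value is a literal IPv4/IPv6 address.

    Handles an optional :port suffix and bracketed IPv6 ([2001:db8::1]:443).
    A hostname such as 1.example.com is not an IP and returns False.
    """
    h = host.strip()
    if h.startswith("["):                  # bracketed IPv6, optionally with :port
        end = h.find("]")
        if end == -1:
            return False
        h = h[1:end]
    elif h.count(":") == 1:                # IPv4 or hostname followed by :port
        h = h.rsplit(":", 1)[0]
    # An unbracketed IPv6 literal has more than one colon and falls through as-is.
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def is_websocket_handshake(headers: Dict[str, str]) -> bool:
    """RFC 6455 client handshake: Upgrade: websocket and Connection containing 'upgrade'."""
    lower = {k.lower(): v for k, v in headers.items()}
    return (lower.get("upgrade", "").strip().lower() == "websocket"
            and "upgrade" in lower.get("connection", "").lower())


def flag_suspect_handshakes(requests: List[Dict]) -> List[str]:
    """Return the Host values of WebSocket handshakes aimed at a bare-IP endpoint."""
    flagged = []
    for req in requests:
        headers = req["headers"]
        host = headers.get("Host", "")
        if is_websocket_handshake(headers) and bare_ip_host(host):
            flagged.append(host)
    return flagged


# Constructed sample: one record per outbound HTTP request seen at a proxy.
SAMPLE_REQUESTS = [
    # Legitimate WebSocket to a named host: not flagged.
    {"headers": {"Host": "chat.example.com", "Upgrade": "websocket",
                 "Connection": "Upgrade"}},
    # WebSocket to a bare IPv4 with a port: flagged.
    {"headers": {"Host": "203.0.113.7:8080", "Upgrade": "websocket",
                 "Connection": "keep-alive, Upgrade"}},
    # Plain HTTP fetch from an IP, no upgrade: not a handshake, not flagged.
    {"headers": {"Host": "203.0.113.7", "Connection": "keep-alive"}},
    # WebSocket to a bracketed IPv6 literal with port: flagged.
    {"headers": {"Host": "[2001:db8::1]:443", "Upgrade": "websocket",
                 "Connection": "Upgrade"}},
]

if __name__ == "__main__":
    for host in flag_suspect_handshakes(SAMPLE_REQUESTS):
        print("suspect WebSocket handshake to bare IP:", host)
```

The header check follows the RFC 6455 client handshake (Upgrade: websocket plus a Connection header listing upgrade), so a non-upgrade request to the same IP is deliberately left alone; the point is the combination of a WebSocket channel and an unnamed endpoint, which is rare in legitimate browser traffic and cheap to review.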
It’s raining zero days
The iOS attacks are part of a recent surge in the use of zero-days. In the first half of this year, Google's Project Zero vulnerability research group recorded 33 zero-day exploits used in attacks, 11 more than the total for all of 2020. The growth has several causes, including better detection by defenders and better software defenses, which in turn require multiple exploits chained together to break through.
The other big driver is the increased supply of zero-days from private companies selling exploits.