The Russian state hackers who orchestrated last year's SolarWinds supply chain attack exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing web authentication data from Western European governments, according to Google and Microsoft.
In a post published by Google on Wednesday, researchers Maddie Stone and Clement Lecigne said a “likely Russian government-sponsored actor” had exploited the then-unknown vulnerability by sending messages to government officials via LinkedIn.
Moscow, Western Europe and USAID
The attacks on the zero-day, tracked as CVE-2021-1879, redirected users to domains that installed malicious payloads on fully updated iPhones. They coincided with a campaign by the same hackers delivering malware to Windows users, the researchers said.
The campaign closely resembles one that Microsoft described in May. In that case, Microsoft said that Nobelium – the name the company uses for the hackers behind the SolarWinds supply chain attack – first compromised an account belonging to USAID, the U.S. government agency that administers civilian foreign aid and development assistance. With control of the agency’s account at the online marketing firm Constant Contact, the hackers were able to send emails that appeared to come from addresses owned by the US agency.
The federal government attributed last year's supply chain attack to hackers working for Russia's Foreign Intelligence Service (SVR). For more than a decade, the SVR has carried out malware campaigns against governments, political think tanks and other organizations in countries including Germany, Uzbekistan, South Korea and the USA. Its targets in 2014 included the US State Department and the White House. Other names used to identify the group are APT29, The Dukes, and Cozy Bear.
In an email, Shane Huntley, head of Google’s Threat Analysis Group, confirmed the link between the USAID attacks and the iOS zero-day, which resides in the WebKit browser engine.
“These are two different campaigns, but because of our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign as the same group of actors,” wrote Huntley. “It is important to note that everyone draws boundaries differently. In this particular case, we agree with the US and UK governments’ assessment of APT 29.”
Forget the sandbox
Throughout the campaign, according to Microsoft, Nobelium experimented with several types of attack. In one wave, a Nobelium-controlled web server profiled devices that visited it to determine what operating system and hardware they were running. If the target device was an iPhone or iPad, the server served an exploit for CVE-2021-1879 that allowed the hackers to carry out a universal cross-site scripting attack. Apple patched the zero-day at the end of March.
In Wednesday’s post, Stone and Lecigne wrote:
After several validation checks to ensure that the device being exploited is a real device, the final payload for the CVE-2021-1879 exploitation will be provided. This exploit would disable same-origin policy protection to collect authentication cookies from several popular websites including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them to an attacker-controlled IP via WebSocket. The victim would need to have opened a session from Safari on these websites for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit was targeted at iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with site isolation enabled, such as Chrome or Firefox.
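The Google description above gives a defender three concrete observables: an iOS Safari client in the 12.4 through 13.7 window, a WebSocket connection, and a destination that is a literal IP address rather than a hostname. The following detector, added here as an illustration and not code from Google's or Microsoft's reports, runs that logic over proxy log lines. The log format (timestamp, client IP, method, URL, status, quoted User-Agent) is a simplified, constructed one rather than any real product's output, and the sample lines are made up.

```python
"""Flag WebSocket upgrades to bare-IP hosts from iOS Safari in the affected range.

Added example. The log format and sample lines are constructed, not real traffic.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Version window reported in the Google write-up for this exploit.
AFFECTED_MIN: Tuple[int, int] = (12, 4)
AFFECTED_MAX: Tuple[int, int] = (13, 7)

IOS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_7 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 "
          "Mobile/15E148 Safari/604.1")
WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Constructed sample traffic: an iPhone follows a LinkedIn link to a redirector,
# then opens a WebSocket to a raw IP; a Windows host opens a WebSocket to a
# hostname, which should not be flagged.
SAMPLE_LOG = "\n".join([
    f'2021-07-14T09:12:01Z 10.1.2.3 GET https://www.linkedin.com/messaging/ 200 "{IOS_UA}"',
    f'2021-07-14T09:12:04Z 10.1.2.3 GET https://landing.example/track 302 "{IOS_UA}"',
    f'2021-07-14T09:12:09Z 10.1.2.3 GET wss://203.0.113.45:8443/ws 101 "{IOS_UA}"',
    f'2021-07-14T09:13:30Z 10.1.2.9 GET wss://chat.example/socket 101 "{WIN_UA}"',
    f'2021-07-14T09:14:02Z 10.1.2.3 GET https://www.google.com/ 200 "{IOS_UA}"',
])

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
IOS_VER_RE = re.compile(r"iPhone OS (\d+)_(\d+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "ua": ua}


def ios_version(ua: str) -> Optional[Tuple[int, int]]:
    """(major, minor) iOS version from an iPhone Safari User-Agent, else None."""
    m = IOS_VER_RE.search(ua)
    if not m or "Safari" not in ua:
        return None
    return int(m.group(1)), int(m.group(2))


def in_affected_range(ver: Tuple[int, int]) -> bool:
    """Tuple comparison gives the natural (major, minor) ordering."""
    return AFFECTED_MIN <= ver <= AFFECTED_MAX


def is_bare_ip_host(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address, not a DNS name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_websocket(rec: Dict[str, str]) -> bool:
    """A ws/wss URL or a 101 Switching Protocols response marks a WebSocket."""
    scheme = urlparse(rec["url"]).scheme
    return scheme in ("ws", "wss") or rec["status"] == "101"


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """One finding per WebSocket-to-bare-IP from an iOS Safari in the affected range."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ver = ios_version(rec["ua"])
        if ver is None or not in_affected_range(ver):
            continue
        if is_websocket(rec) and is_bare_ip_host(rec["url"]):
            findings.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "dest_host": urlparse(rec["url"]).hostname,
                "ios_version": ver,
                "reason": "WebSocket to literal IP from iOS Safari in affected range",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The version-window filter keeps the rule narrow on purpose: a WebSocket to a raw IP is unusual but not rare on its own, and the write-up ties this exfiltration path to a specific Safari range. Widen or drop that filter when hunting for a variant of the same pattern on other browsers, and remember that real proxies often log TLS traffic as CONNECT to a host rather than as the ws/wss URL shown here.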
It's raining zero-days
The iOS attacks are part of a recent explosion in zero-day usage. In the first half of this year, Google’s Project Zero security research group identified 33 zero-day exploits used in attacks, 11 more than the total for all of 2020. The growth has multiple sources, including better detection by defenders and better software defenses that require multiple exploits to break through.
The other big driver is the increased supply of zero-days from private companies selling exploits.
“In the past, 0-day capabilities were only the tools of selected nation states that had the technical know-how to find 0-day vulnerabilities, develop them into exploits and then strategically operationalize their use,” write the Google researchers. “In the mid to late 2010s, more and more private companies entered the market selling these 0-day features. Groups no longer need to have the technical know-how; now they only need resources.”
The iOS vulnerability was one of four in-the-wild zero-days that Google detailed on Wednesday. The other three were:
The four exploits were used in three different campaigns. Based on their analysis, the researchers believe that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors. The researchers did not identify the surveillance company, the governments, or which three of the zero-days they were referring to.
Apple officials did not immediately respond to a request for comment.