According to Google and Microsoft, the Russian state hackers who carried out last year's SolarWinds supply chain attack were also behind a malicious email campaign aimed at stealing web credentials from Western European governments, and that campaign exploited a zero-day vulnerability in iOS.
Google announced the finding on Wednesday. Researchers Maddie Stone and Clement Lecigne said that actors "likely backed by the Russian government" sent messages to government officials via LinkedIn, and that the messages exploited a previously unknown vulnerability.
Moscow, Western Europe, USAID
The attacks, which targeted CVE-2021-1879, redirected users to domains that installed malicious payloads on fully updated iPhones by exploiting the zero-day. According to the researchers, the attacks were consistent with a campaign by the same hackers that delivered malware to Windows users.
The campaigns closely track one that Microsoft disclosed in May. In that case, Microsoft said that Nobelium, the name the company uses for the hackers behind the SolarWinds supply chain attack, had first compromised an account belonging to USAID, the US government agency that administers foreign aid and development assistance. By controlling the agency's account at the online marketing company Constant Contact, the hackers could send emails that appeared to come from an address known to belong to the US agency.
The federal government has attributed last year's supply chain attack to hackers working for Russia's Foreign Intelligence Service, abbreviated SVR. For 10 years or more, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries including Germany, Uzbekistan, South Korea, and the United States. Its targets have included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.
In an email, Shane Huntley, head of Google's Threat Analysis Group, confirmed the link between the USAID-related attacks and the iOS zero-day exploit of the WebKit browser engine.
"These are two different campaigns, but based on our visibility, we believe that the actors behind the WebKit zero-day and the USAID campaign are the same group of actors," Huntley wrote. "It's important to note that the way actor boundaries are drawn varies from person to person. In this particular case, it is consistent with the APT29 assessment by the US and UK governments."
Forget the sandbox
Throughout the campaign, Microsoft said, Nobelium experimented with multiple attack variations. In one wave, a Nobelium-controlled web server profiled the devices that accessed it to determine which OS and hardware they were running. If the target device was an iPhone or iPad, the server used the CVE-2021-1879 exploit, which let the hackers launch a universal cross-site scripting attack. Apple patched the zero-day in late March.
In a post on Wednesday, Stone and Lecigne wrote:
After several validation checks to ensure that the device being exploited was a real device, the final payload was served to exploit CVE-2021-1879. This exploit turned off Same-Origin Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo, and sent them via WebSockets to attacker-controlled IPs. Victims needed to have a session open on these websites in Safari for the cookies to be successfully stolen. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.
It's raining zero-days
The iOS attacks are part of a recent explosive increase in zero-day exploits. Earlier this year, Google's Project Zero vulnerability research group recorded 33 zero-day exploits used in attacks, 11 more than the total for all of 2020. There are several reasons for this growth, including better detection by defenders and better software protections, which mean that multiple exploits are needed to break through.
Another major factor is the increase in zero-day exploits coming from private companies that sell exploits.
"Zero-day capabilities used to be the tool of choice only for nation-states with the technical expertise to find zero-day vulnerabilities, develop them into exploits, and strategically operationalize their use," the Google researchers wrote. "In the mid-to-late 2010s, private companies selling these zero-day capabilities entered the market. Groups no longer need to have the technical expertise; now they just need resources."
The iOS vulnerability was one of four zero-days that Google detailed on Wednesday. The other three are:
The four exploits were used in three different campaigns. Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company and sold to two different government-backed actors. The researchers did not identify the surveillance company, the governments, or which three of the zero-days they were referring to.
Apple representatives did not immediately respond to requests for comment.
Source link: SolarWinds hackers used a zero-day iOS attack against fully updated iPhones